1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: RBlast.dldr and ISTbar

Discussion in 'Virus & Other Malware Removal' started by Selkie, Jan 13, 2006.

Thread Status:
Not open for further replies.
Advertisement
  1. Selkie

    Selkie Thread Starter

    Joined:
    Oct 25, 2005
    Messages:
    13
    I received a virus warning with the following contents:

    69821(1).htm Adware RBlast.dldr

    prompt(1).htm Adware-IST Bar

    byartist-u(1).htm

    I cannot remove them and have no idea what to do. Here is a Hijack This log. If someone could take the time to look at it, I would be most grateful.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:56:38 PM, on 1/13/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Programme\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
    C:\Programme\Dell\Media Experience\PCMService.exe
    C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
    C:\Programme\iTunes\iTunesHelper.exe
    C:\Programme\QuickTime\qttask.exe
    C:\Programme\Network Associates\VirusScan\SHSTAT.EXE
    C:\Programme\Network Associates\Common Framework\UpdaterUI.exe
    C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe
    C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe
    C:\Programme\Creative\News\NewsUpd.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programme\Messenger\msmsgs.exe
    C:\Programme\Creative\Shared Files\Media Sniffer\MtdAcq.exe
    C:\Programme\T-Online\T-Online_Software_6\Info-Cockpit\INFOCOCKPIT.EXE
    C:\PROGRA~1\T-Online\T-ONLI~2\BASIS-~1\Basis2\kernel.exe
    C:\PROGRA~1\T-Online\T-ONLI~2\BASIS-~1\Basis2\sc_watch.exe
    C:\Palm\HOTSYNC.EXE
    C:\Palm\AlarmApp.exe
    C:\WINDOWS\system32\CTSVCCDA.EXE
    C:\Programme\Network Associates\Common Framework\FrameworkService.exe
    C:\Programme\Network Associates\VirusScan\Mcshield.exe
    C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Programme\iPod\bin\iPodService.exe
    C:\PROGRA~1\T-Online\T-ONLI~2\Notifier\Notifier.exe
    C:\PROGRA~1\T-Online\T-ONLI~2\BASIS-~1\Basis2\PROFIL~1.EXE
    C:\PROGRAMME\T-ONLINE\T-ONLINE_SOFTWARE_6\BROWSER\BROWSER.EXE
    C:\Programme\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Programme\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Programme\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programme\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [ToADiMon.exe] C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart
    O4 - HKLM\..\Run: [NewsUpd] C:\Programme\Creative\News\NewsUpd.EXE /q
    O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Programme\MediaRing Talk\register.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
    O4 - HKCU\..\Run: [MtdAcq] C:\Programme\Creative\Shared Files\Media Sniffer\MtdAcq.exe /s
    O4 - HKCU\..\Run: [InfoCockpit] C:\Programme\T-Online\T-Online_Software_6\Info-Cockpit\INFOCOCKPIT.EXE /nosplash
    O4 - HKCU\..\Run: [] /s
    O4 - Startup: Alarm Manager.LNK = C:\Palm\AlarmApp.exe
    O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...W/win/019-0312.20050111.MmVrT/iTunesSetup.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/de/4,0,0,90/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/de/1,0,0,23/mcgdmgr.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3E6E3934-86D6-400B-B2C2-847086BE6E97}: NameServer = 217.237.150.225 217.237.150.141
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee Framework-Dienst (McAfeeFramework) - Network Associates, Inc. - C:\Programme\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\PROSetWired\NCS\Sync\NetSvc.exe
     
  2. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    hi, welcome to TSG.


    Removal using the Adware.Istbar Removal Tool istsvc.exe

    http://securityresponse.symantec.com/avcenter/venc/data/adware.istbar.html


    http://securityresponse.symantec.com/avcenter/FxIstbar.exe



    * Download the trial version of Ewido Security Suite here


    http://www.ewido.net/en/

    * Install ewido.
    * During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    * Launch ewido
    * It will prompt you to update click the OK button and it will go to the main screen
    * On the left side of the main screen click update
    * Click on Start and let it update.
    * DO NOT run a scan yet. You will do that later in safe mode.


    *Download Cleanup from Here

    http://www.stevengould.org/software/cleanup/download.html



    * A window will open and choose SAVE, then DESKTOP as the destination.
    * On your Desktop, click on Cleanup40.exe icon.
    * Then, click RUN and place a checkmark beside "I Agree"
    * Then click NEXT followed by START and OK.
    * A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
    * Click OK
    * DO NOT RUN IT YET



    * Click here for info on how to boot to safe mode if you don't already know
    how.

    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



    * Now copy these instructions to notepad and save them to your desktop. You
    will need them to refer to in safe mode.


    * Restart your computer into safe mode now. Perform the following steps in
    safe mode:



    have hijack this fix these entries. close all browsers and programmes before
    clicking FIX.


    O4 - HKCU\..\Run: [] /s



    * Run Ewido:

    * Click on scanner
    * Click Complete System Scan and the scan will begin.
    * During the scan it will prompt you to clean files, click OK
    * When the scan is finished, look at the bottom of the screen and click the Save report button.
    * Save the report to your desktop


    * Run Cleanup:

    * Click on the "Cleanup" button and let it run.
    * Once its done, close the program.


    reboot to normal mode and run a few online scans!



    Run an online antivirus check from

    http://www.kaspersky.com/virusscanner

    choose extended database for the scan!



    Run ActiveScan online virus scan here

    http://www.pandasoftware.com/products/activescan.htm

    When the scan is finished, anything that it cannot clean have it delete it.
    Make a note of the file location of anything that cannot be deleted so you
    can delete it yourself.
    - Save the results from the scan!


    post another hijack this log, the ewido and active scan logs
     
  3. Selkie

    Selkie Thread Starter

    Joined:
    Oct 25, 2005
    Messages:
    13
    Hi khazars!

    Thank you for your instructions. Said, done as we say on this side of the Channel. I hope I did it all correctly. The four logs are attatched (though somehow I think I should have five, since I scanned with 5 programmes. I hope its correct.)
     

    Attached Files:

  4. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    posting your logs for viewing!



    Logfile of HijackThis v1.99.1
    Scan saved at 1:56:44 PM, on 1/14/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programme\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
    C:\Programme\Dell\Media Experience\PCMService.exe
    C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
    C:\Programme\iTunes\iTunesHelper.exe
    C:\Programme\QuickTime\qttask.exe
    C:\Programme\Network Associates\VirusScan\SHSTAT.EXE
    C:\Programme\Network Associates\Common Framework\UpdaterUI.exe
    C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe
    C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe
    C:\Programme\Creative\News\NewsUpd.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programme\Messenger\msmsgs.exe
    C:\Programme\Creative\Shared Files\Media Sniffer\MtdAcq.exe
    C:\Programme\T-Online\T-Online_Software_6\Info-Cockpit\INFOCOCKPIT.EXE
    C:\Palm\HOTSYNC.EXE
    C:\Palm\AlarmApp.exe
    C:\WINDOWS\system32\CTSVCCDA.EXE
    C:\Programme\ewido anti-malware\ewidoctrl.exe
    C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis2\kernel.exe
    C:\Programme\Network Associates\Common Framework\FrameworkService.exe
    C:\Programme\Network Associates\VirusScan\Mcshield.exe
    C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis2\sc_watch.exe
    C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Programme\iPod\bin\iPodService.exe
    C:\PROGRA~1\T-Online\T-ONLI~2\BASIS-~1\Basis2\PROFIL~1.EXE
    C:\PROGRA~1\T-Online\T-ONLI~2\Notifier\Notifier.exe
    C:\PROGRAMME\T-ONLINE\T-ONLINE_SOFTWARE_6\BROWSER\BROWSER.EXE
    C:\Programme\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Programme\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Programme\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programme\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [ToADiMon.exe] C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart
    O4 - HKLM\..\Run: [NewsUpd] C:\Programme\Creative\News\NewsUpd.EXE /q
    O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Programme\MediaRing Talk\register.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
    O4 - HKCU\..\Run: [MtdAcq] C:\Programme\Creative\Shared Files\Media Sniffer\MtdAcq.exe /s
    O4 - HKCU\..\Run: [InfoCockpit] C:\Programme\T-Online\T-Online_Software_6\Info-Cockpit\INFOCOCKPIT.EXE /nosplash
    O4 - HKCU\..\Run: [] /s
    O4 - Startup: Alarm Manager.LNK = C:\Palm\AlarmApp.exe
    O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...W/win/019-0312.20050111.MmVrT/iTunesSetup.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/de/4,0,0,90/mcinsctl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/de/1,0,0,23/mcgdmgr.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3E6E3934-86D6-400B-B2C2-847086BE6E97}: NameServer = 217.237.150.225 217.237.150.141
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
    O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido anti-malware\ewidoctrl.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee Framework-Dienst (McAfeeFramework) - Network Associates, Inc. - C:\Programme\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\PROSetWired\NCS\Sync\NetSvc.exe


    ---------------------------------------------------------
    ewido anti-malware - Scan Report
    ---------------------------------------------------------

    + Erstellt am: 11:09:49 AM, 1/14/2006
    + Report-Checksumme: 38E3BA8C

    + Scanergebnis:

    HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper -> Spyware.SideFind : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper\CLSID -> Spyware.SideFind : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper\CurVer -> Spyware.SideFind : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper.1 -> Spyware.SideFind : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} -> Spyware.SideFind : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\CLSID\{DC341F1B-EC77-47BE-8F58-96E83861CC5A} -> Spyware.HotBar : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj -> Spyware.MoneyTree : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CLSID -> Spyware.MoneyTree : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CurVer -> Spyware.MoneyTree : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj.1 -> Spyware.MoneyTree : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\Interface\{1C01D150-91A4-4DE0-9BF8-A35D1BDF1001} -> Spyware.SafeSurfing : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\Interface\{339D8AFF-0B42-4260-AD82-78CE605A9543} -> Spyware.SideFind : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\Interface\{A36A5936-CFD9-4B41-86BD-319A1931887F} -> Spyware.SideFind : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\MSEvents.MSEvents.1 -> Spyware.VirtuMonde : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\SideFind.Finder -> Spyware.SideFind : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\SideFind.Finder\CLSID -> Spyware.SideFind : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\SideFind.Finder\CurVer -> Spyware.SideFind : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\SideFind.Finder.1 -> Spyware.SideFind : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag -> Spyware.ISTBar : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag\CLSID -> Spyware.ISTBar : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag\CurVer -> Spyware.ISTBar : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag.1 -> Spyware.ISTBar : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\TypeLib\{40B1D454-9CA4-43CC-86AA-CB175EAC52FB} -> Spyware.MoneyTree : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\TypeLib\{58634367-D62B-4C2C-86BE-5AAC45CDB671} -> Spyware.SideFind : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\TypeLib\{D0288A41-9855-4A9B-8316-BABE243648DA} -> Spyware.SideFind : Gesäubert mit Backup
    HKLM\SOFTWARE\Classes\TypeLib\{E9A5B71C-093B-4F34-AF07-34FCA89BA0DF} -> Spyware.ISTBar : Gesäubert mit Backup
    HKLM\SOFTWARE\ISTbar -> Spyware.ISTBar : Gesäubert mit Backup
    HKLM\SOFTWARE\ISTbar\Historyfiles -> Spyware.ISTBar : Gesäubert mit Backup
    HKLM\SOFTWARE\ISTbar\Historystring -> Spyware.ISTBar : Gesäubert mit Backup
    HKLM\SOFTWARE\Microsoft\SideFind -> Spyware.SideFind : Gesäubert mit Backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll -> Spyware.ISTBar : Gesäubert mit Backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Gesäubert mit Backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTbar -> Spyware.ISTBar : Gesäubert mit Backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Spyware.InternetOptimizer : Gesäubert mit Backup
    HKLM\SOFTWARE\Policies\Avenue Media -> Spyware.InternetOptimizer : Gesäubert mit Backup
    HKLM\SOFTWARE\sais -> Spyware.180Solutions : Gesäubert mit Backup
    HKLM\SOFTWARE\SideFind -> Spyware.SideFind : Gesäubert mit Backup
    HKLM\SOFTWARE\Switp -> Spyware.180Solutions : Gesäubert mit Backup
    HKU\S-1-5-21-476731316-3822390578-3610280308-1006\Software\IST -> Spyware.ISTBar : Gesäubert mit Backup
    HKU\S-1-5-21-476731316-3822390578-3610280308-1006\Software\Microsoft\Internet Explorer\Explorer Bars\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} -> Spyware.SideFind : Gesäubert mit Backup
    HKU\S-1-5-21-476731316-3822390578-3610280308-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Gesäubert mit Backup
    HKU\S-1-5-21-476731316-3822390578-3610280308-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Gesäubert mit Backup
    HKU\S-1-5-21-476731316-3822390578-3610280308-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Gesäubert mit Backup
    HKU\S-1-5-21-476731316-3822390578-3610280308-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} -> Dialer.Generic : Gesäubert mit Backup
    HKU\S-1-5-21-476731316-3822390578-3610280308-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FAA356E4-D317-42A6-AB41-A3021C6E7D52} -> Spyware.ISTBar : Gesäubert mit Backup
    HKU\S-1-5-21-476731316-3822390578-3610280308-1006\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Gesäubert mit Backup
    HKU\S-1-5-21-476731316-3822390578-3610280308-1006\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Gesäubert mit Backup
    HKU\S-1-5-21-476731316-3822390578-3610280308-1006\Software\PowerScan -> Spyware.PowerScan : Gesäubert mit Backup
    HKU\S-1-5-21-476731316-3822390578-3610280308-1006\Software\sais -> Spyware.180Solutions : Gesäubert mit Backup
    C:\Dokumente und Einstellungen\Sarah\Startmenü\Programme\Power Scan -> Spyware.PowerScan : Gesäubert mit Backup
    C:\Dokumente und Einstellungen\Sarah\Startmenü\Programme\Power Scan\Power Scan.lnk -> Spyware.PowerScan : Gesäubert mit Backup
    C:\Programme\ISTbar -> Spyware.ISTBar : Gesäubert mit Backup
    C:\Programme\ISTbar\cmctl.dll -> Spyware.ISTBar : Gesäubert mit Backup
    C:\Programme\ISTbar\imagemap_normal.bmp -> Spyware.ISTBar : Gesäubert mit Backup
    C:\Programme\ISTbar\version.txt -> Spyware.ISTBar : Gesäubert mit Backup
    C:\Programme\ISTbar\xml_istbar.xml -> Spyware.ISTBar : Gesäubert mit Backup
    C:\Programme\Power Scan -> Spyware.PowerScan : Gesäubert mit Backup
    C:\Programme\SideFind -> Adware.SideFind : Gesäubert mit Backup
    C:\Programme\SideFind\sfexd001 -> Adware.SideFind : Gesäubert mit Backup
    C:\Programme\SideFind\update -> Adware.SideFind : Gesäubert mit Backup
    C:\Programme\WinFixer 2005 -> Spyware.WinFixer : Gesäubert mit Backup
    C:\WINDOWS\Downloaded Program Files\UWFX5U_0001_LPNetInstaller.exe -> Not-A-Virus.Downloader.Agent.d : Gesäubert mit Backup
    C:\WINDOWS\SYSTEM32\DRIVERS\df_kmd.sys -> Trojan.Rootkit.Agent.af : Gesäubert mit Backup


    ::Report Ende



    -------------------------------------------------------------------------------
    KASPERSKY ON-LINE SCANNER REPORT
    Saturday, January 14, 2006 12:19:34
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky On-line Scanner version: 5.0.67.0
    Kaspersky Anti-Virus database last update: 14/01/2006
    Kaspersky Anti-Virus database records: 161309
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 56647
    Number of viruses found: 1
    Number of infected objects: 1
    Number of suspicious objects: 0
    Duration of the scan process: 3344 sec

    Infected Object Name - Virus Name
    C:\System Volume Information\_restore{08A5F15B-D5F0-4D17-893D-8B358608DCF6}\RP76\A0010440.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.gen

    Scan process completed.




    Incident Status Location

    Spyware:Cookie/Atlas DMT Not disinfected C:\Dokumente und Einstellungen\Sarah\Cookies\[email protected][1].txt
    Spyware:Cookie/Mediaplex Not disinfected C:\Dokumente und Einstellungen\Sarah\Cookies\[email protected][1].txt
    Spyware:Cookie/Statcounter Not disinfected C:\Dokumente und Einstellungen\Sarah\Cookies\[email protected][1].txt
    Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\Programme\Gemeinsame Dateien\WinSoftware\CrXML.dll
    Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\Programme\Gemeinsame Dateien\WinSoftware\PCheck.dll
     
  5. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Download the pocket killbox

    http://www.bleepingcomputer.com/files/killbox.php


    * Click here for info on how to boot to safe mode if you don't already know
    how.

    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



    * Now copy these instructions to notepad and save them to your desktop. You
    will need them to refer to in safe mode.


    * Restart your computer into safe mode now. Perform the following steps in
    safe mode:



    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
    In the Full Path of File to Delete box, copy and paste each of the following
    lines one at a time then click on the button that has the red circle with the
    X in the middle after you enter each file. It will ask for confirmation to
    delete the file. Click Yes. Continue with that same procedure until you have
    copied and pasted all of these in the Paste Full Path of File to Delete box.



    Note: It is possible that Killbox will tell you that one or more files do not
    exist. If that happens, just continue on with all the files. Be sure you
    don't miss any.



    C:\Programme\Gemeinsame Dateien\WinSoftware\CrXML.dll
    C:\Programme\Gemeinsame Dateien\WinSoftware\PCheck.dll
    C:\Programme\Gemeinsame Dateien\WinSoftware



    reboot and download and run these tools!

    go to this site and download these tools and once you get both
    adaware Se 1.6 and spybot, update both of them.

    Set adaware to do a full system scan and deselect, "search for neglible risk
    entries". Click next to start the scan. Delete everything adaware finds.

    reboot and now run spybot

    Spybot: Search and destroy.

    Delete what spybot finds marked in red. After updating spybot hit the
    immunize button.

    reboot again


    With CWshredder close all browsers and programmes and select the FIX button.



    Go here and download Microsoft Antispyware Beta. First in the top menu click
    File then Check for updates to download the definitons updates.

    After updating look in the right side of the main window under "Run Quick
    Scan Now" and click Spyware scan options. In that window put a tick by Run a
    full system scan and then put a check by all three options below that then
    click Run Scan now.

    When the scan is finished, let it fix anything that it finds (have it
    quarantine the items that have that option rather than delete just in case.
    It is a beta program and there may be false positives)

    Restart your computer.


    All tools can be downloaded at the link below and found on that page!


    . Microsoft® Windows AntiSpyware
    . Trend micro CWShredder
    . SpyBot search and destroy
    . AdAware SE personal


    http://www.majorgeeks.com/downloads31.html


    post another log
     
  6. Selkie

    Selkie Thread Starter

    Joined:
    Oct 25, 2005
    Messages:
    13
    Killbox step accomplished, but I am not clear on where I should download adaware and spybot from. Did I miss a link? (I am a self-professed computer idiot, so I apologize if I have misunderstood something).
     
  7. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    you get them here from majorgeeks, thaey are all on the same page!


    . Microsoft® Windows AntiSpyware
    . Trend micro CWShredder
    . SpyBot search and destroy
    . AdAware SE personal


    http://www.majorgeeks.com/downloads31.html
     
  8. Selkie

    Selkie Thread Starter

    Joined:
    Oct 25, 2005
    Messages:
    13
    Found them all, thanks. I cannot update Spybot though, as it tells me that the update path is no longer valid and I first have to load the update update. I am too inexperienced to know how to do that.
     
  9. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    just run the other scans, all you do with spybot once you have installed it is click updates! if a update is available in the bottom pane window then check the box/s and then click update. Sometimes it doesn't work straight away but just keep repeating until it updates!

    If you keep getting an error then uninstall it and then reinstall it! Just run the scans and post another log!
     
  10. Selkie

    Selkie Thread Starter

    Joined:
    Oct 25, 2005
    Messages:
    13
    Whew, I think I managed it all correctly (I am working at the outer limit of my abilites here). Hijack This log below.

    However, now my System Folder window is open everytime I boot up, Mircrosoft Word wants to be reinstalled, and the computer claims that 2 programmes are running even when I am doing nothing. One must be my firewall, what could the other be? Have I done something wrong and can I go ahead and reinstall Word? Or will that mess up the process?

    Thanks so much for all your help so far, Selkie

    Logfile of HijackThis v1.99.1
    Scan saved at 6:35:50 PM, on 1/15/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programme\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
    C:\Programme\Dell\Media Experience\PCMService.exe
    C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
    C:\Programme\iTunes\iTunesHelper.exe
    C:\Programme\QuickTime\qttask.exe
    C:\Programme\Network Associates\VirusScan\SHSTAT.EXE
    C:\Programme\Network Associates\Common Framework\UpdaterUI.exe
    C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe
    C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe
    C:\Programme\Creative\News\NewsUpd.EXE
    C:\Programme\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programme\Messenger\msmsgs.exe
    C:\Programme\Creative\Shared Files\Media Sniffer\MtdAcq.exe
    C:\Programme\T-Online\T-Online_Software_6\Info-Cockpit\INFOCOCKPIT.EXE
    C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Palm\HOTSYNC.EXE
    C:\Palm\AlarmApp.exe
    C:\Programme\Microsoft AntiSpyware\gcasDtServ.exe
    C:\PROGRA~1\T-Online\T-ONLI~2\BASIS-~1\Basis2\kernel.exe
    C:\PROGRA~1\T-Online\T-ONLI~2\BASIS-~1\Basis2\sc_watch.exe
    C:\Programme\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Programme\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Programme\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programme\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [ToADiMon.exe] C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart
    O4 - HKLM\..\Run: [NewsUpd] C:\Programme\Creative\News\NewsUpd.EXE /q
    O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Programme\MediaRing Talk\register.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Programme\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
    O4 - HKCU\..\Run: [MtdAcq] C:\Programme\Creative\Shared Files\Media Sniffer\MtdAcq.exe /s
    O4 - HKCU\..\Run: [InfoCockpit] C:\Programme\T-Online\T-Online_Software_6\Info-Cockpit\INFOCOCKPIT.EXE /nosplash
    O4 - HKCU\..\Run: [] /s
    O4 - Startup: Alarm Manager.LNK = C:\Palm\AlarmApp.exe
    O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...W/win/019-0312.20050111.MmVrT/iTunesSetup.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/de/4,0,0,90/mcinsctl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/de/1,0,0,23/mcgdmgr.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
    O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido anti-malware\ewidoctrl.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee Framework-Dienst (McAfeeFramework) - Network Associates, Inc. - C:\Programme\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\PROSetWired\NCS\Sync\NetSvc.exe
     
  11. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    clean log.


    how's the computer runing now any better?




    you should now turn off system restore to flush out the bad restore points and
    then re-enable it and make a new clean restore point.


    How to turn off system restore

    http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam


    http://support.microsoft.com/default.aspx?scid=kb;[LN];310405



    here's some free tools to keep you from getting infected in the future.


    to stop reinfection get these two tools, spywareguard and spywareblaster
    from


    http://www.javacoolsoftware.com/downloads.html


    get the hosts file from here.



    http://www.mvps.org/winhelp2002/hosts.htm


    put it into :


    Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
    Win 98\ME = C:\WINDOWS



    ie-spyad.Puts over 5000 sites in your restricted zone so you'll be protected

    when you visit innocent-looking sites that aren't actually innocent at all.

    https://netfiles.uiuc.edu/ehowes/www/resource.htm



    http://www.winpatrol.com/winpatrol.html



    Use spybot's immunize button and use spywareblaster' enable
    protection once you update it. you can put spybot's hosts file into
    your own and lock it.



    I would also suggest switching to Mozilla's firefox browser, it's safer, has
    a built in pop up blocker, blocks cookies and adds. Mozilla Thunderbird is also a good
    e-mail client.

    http://www.mozilla.org/


    Another good and free browser is Opera!

    http://www.opera.com/


    Read here to see how to tighten your security:

    http://forums.techguy.org/t208517.html


    A good overall guide for firewalls, anti-virus, and anti-trojans as well as
    regular spyware cleaners.

    http://www.firewallguide.com/anti-trojan.htm




    you can mark your own thread solved through thread tools at the top of
    the page.
     
  12. Selkie

    Selkie Thread Starter

    Joined:
    Oct 25, 2005
    Messages:
    13
    I'll mark it as closed. Thanks very much for you help.
     
  13. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    ok, you're welcome
     
  14. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/433760

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice