
Phantasmagoria again


6 replies to this topic

#1 Phantasmagoria

Phantasmagoria

  • Members
  • 53 posts

Posted 21 April 2005 - 04:42 PM

I seem to be having a lot of problems with my computer, as some of you may have found out by now :thumbsup:

So, here it is again. CoolWebSearch (HiddenDLL variant) constantly affects my machine and so far I have found no fix that has worked for more than a day. I have tried multiple times to get rid of it, but no matter how hard or how many times I try, the spyware reappears again and again. It's rather annoying. So I will post my HJT log again and hope there is something I can try that will work.


Logfile of HijackThis v1.99.1
Scan saved at 5:38:08 PM, on 4/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\CA\eTrust\Antivirus\realmon.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\RASHEE~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\RASHEE~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Dat bleep Jesus
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {F8A96244-08BE-45BC-B92F-BB642773BF46} - C:\WINDOWS\system32\bffbje.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\RASHEE~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = truaxx.com
O17 - HKLM\Software\..\Telephony: DomainName = truaxx.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{83F7D0B1-FB45-4270-AACD-A19156A865BA}: NameServer = 192.168.1.98,24.93.68.63
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = truaxx.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{83F7D0B1-FB45-4270-AACD-A19156A865BA}: NameServer = 192.168.1.98,24.93.68.63
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = truaxx.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{83F7D0B1-FB45-4270-AACD-A19156A865BA}: NameServer = 192.168.1.98,24.93.68.63
O18 - Filter: text/html - {4F09FF16-21E5-4E81-96CF-FED2EED8C362} - C:\WINDOWS\system32\bffbje.dll
O18 - Filter: text/plain - {4F09FF16-21E5-4E81-96CF-FED2EED8C362} - C:\WINDOWS\system32\bffbje.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoTask.exe


You and I both can tell that CWS is the problem, coupled with se.dll. Another thing that I've noticed that I can only associate with CWS is that my system seems to be swallowing memory like water. I have my page file settings at 384-768 MB. Every so often I come back to my machine with a message window stating that Windows is increasing the page file size - you all know the message. Currently, I am using 520MB, but I have seen the usage at almost an entire gig (980MB I believe). I'm probably wrong in my hypothesis about my memory problem, and any input would be nice. Anyways, one thing at a time.

Thanks.


#2 didom

didom

  • Members
  • 1,389 posts

Posted 22 April 2005 - 06:27 AM

  • Please download this file: SpSeHjfix
  • Extract the file on your desktop.
  • Run SpSeHjfix112.exe.
  • Click Start disinfection
  • Reboot your system.
You will find on your desktop a log: SPSeHjFix.log.
  • Post the SPSeHjFix log and a new HJT log please


#3 Phantasmagoria

Phantasmagoria
  • Topic Starter

  • Members
  • 53 posts

Posted 22 April 2005 - 09:52 PM

SPSeHjFix Log:

(4/22/05 10:44:38 PM) SPSeHjFix started v1.1.2
(4/22/05 10:44:38 PM) OS: WinXP Service Pack 2 (5.1.2600)
(4/22/05 10:44:38 PM) Language: english
(4/22/05 10:44:38 PM) Win-Path: C:\WINDOWS
(4/22/05 10:44:38 PM) System-Path: C:\WINDOWS\system32
(4/22/05 10:44:38 PM) Temp-Path: C:\DOCUME~1\MIKE~1.AFC\LOCALS~1\Temp\
(4/22/05 10:44:45 PM) Disinfection started
(4/22/05 10:44:45 PM) Bad-Dll(IEP): c:\docume~1\mike~1.afc\locals~1\temp\se.dll
(4/22/05 10:44:45 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\system32\nmeehfl.dll
(4/22/05 10:44:45 PM) Searchassistant Uninstaller - Keys Deleted
(4/22/05 10:44:45 PM) UBF: 6 - UBB: 2 - UBR: 10
(4/22/05 10:44:45 PM) FilterKey: HKCR\text/html (deleted)
(4/22/05 10:44:45 PM) FilterKey: HKCR\CLSID\{4ABB0346-7621-42B9-8D46-A256C73A95BD} (deleted)
(4/22/05 10:44:45 PM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(4/22/05 10:44:45 PM) FilterKey: HKCR\text/plain (deleted)
(4/22/05 10:44:45 PM) FilterKey: HKCR\CLSID\{4ABB0346-7621-42B9-8D46-A256C73A95BD} (error while deleting)
(4/22/05 10:44:45 PM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(4/22/05 10:44:45 PM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA24E54-374D-4AF7-91D5-849EFDC189CB} (deleted)
(4/22/05 10:44:45 PM) BHO-Key: HKCR\CLSID\{3CA24E54-374D-4AF7-91D5-849EFDC189CB} (deleted)
(4/22/05 10:44:45 PM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\MIKE~1.AFC\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(4/22/05 10:44:45 PM) UBF: 4 - UBB: 1 - UBR: 9
(4/22/05 10:44:45 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\mike~1.afc\locals~1\temp\se.dll/sp.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\mike~1.afc\locals~1\temp\se.dll/sp.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(4/22/05 10:44:46 PM) Stealth-String found: C:\WINDOWS\system32\sqlnkph.dll
(4/22/05 10:44:46 PM) Error while add to delete. Try another way... : C:\WINDOWS\system32\sqlnkph.dll
(4/22/05 10:44:47 PM) File added to delete: c:\windows\system32\nmeehfl.dll
(4/22/05 10:44:47 PM) File added to delete: c:\docume~1\mike~1.afc\locals~1\temp\se.dll
(4/22/05 10:44:47 PM) Reboot
(4/22/05 10:46:26 PM) SPSeHjFix 2nd Step
(4/22/05 10:46:26 PM) Error while deleting Stealth-DLL
(4/22/05 10:46:26 PM) AppInit_DLLs-key: (edited)
(4/22/05 10:46:27 PM) Stealth-String not present. Disinfection succesfully
(4/22/05 10:46:33 PM) Cleaned


HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:52:02 PM, on 4/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\CA\eTrust\Antivirus\realmon.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Dat bleep Jesus
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\MIKE~1.AFC\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = truaxx.com
O17 - HKLM\Software\..\Telephony: DomainName = truaxx.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{83F7D0B1-FB45-4270-AACD-A19156A865BA}: NameServer = 192.168.1.98,24.93.68.63
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = truaxx.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{83F7D0B1-FB45-4270-AACD-A19156A865BA}: NameServer = 192.168.1.98,24.93.68.63
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = truaxx.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{83F7D0B1-FB45-4270-AACD-A19156A865BA}: NameServer = 192.168.1.98,24.93.68.63
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoTask.exe



I just now realized that I ran the fix from an alternate account. Provided that it makes any difference, if the problem persists I will run the fix from my main account. Sorry for the incompetence.

#4 didom

didom

  • Members
  • 1,389 posts

Posted 23 April 2005 - 06:26 AM

Scan again with HijackThis and check the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\MIKE~1.AFC\LOCALS~1\Temp\se.dll,DllInstall

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Reboot your computer and post a new log,
didom

#5 Phantasmagoria

Phantasmagoria
  • Topic Starter

  • Members
  • 53 posts

Posted 23 April 2005 - 07:17 AM

Logfile of HijackThis v1.99.1
Scan saved at 8:17:18 AM, on 4/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\CA\eTrust\Antivirus\realmon.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Dat bleep Jesus
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = truaxx.com
O17 - HKLM\Software\..\Telephony: DomainName = truaxx.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{83F7D0B1-FB45-4270-AACD-A19156A865BA}: NameServer = 192.168.1.98,24.93.68.63
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = truaxx.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{83F7D0B1-FB45-4270-AACD-A19156A865BA}: NameServer = 192.168.1.98,24.93.68.63
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = truaxx.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{83F7D0B1-FB45-4270-AACD-A19156A865BA}: NameServer = 192.168.1.98,24.93.68.63
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoTask.exe


Cross my fingers and hope it stays like that.

#6 didom

didom

  • Members
  • 1,389 posts

Posted 23 April 2005 - 07:35 AM

This log is clean!

This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall (for example Kerio Personal Firewall or ZoneLabs Zone Alarm), a spyware blocker like SpywareBlaster and also IE-Spyads, and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available. Be very cautious about any security software that advertises in popups or other intrusive ways; they are not only usually useless, but also often have malware in them.

Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protect your computer.

This can be accessed by going to http://windowsupdate.microsoft.com/ and following the prompts.

Please post back if you are still having any problems....

#7 Phantasmagoria

Phantasmagoria
  • Topic Starter

  • Members
  • 53 posts

Posted 23 April 2005 - 11:29 PM

Thank you for the assistance. The problem seems to have been fixed. I have been clean since the time of my previous post; I will let you know if I have any more problems.
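
Added example, not part of the original thread and not HijackThis's own code: a small triage script for the kind of entries picked out in post #4, plus a check that they are gone from a later log. The rule set and the names `parse`, `triage` and `still_present` are assumptions made for illustration; the sample lines are excerpted from the logs posted above.

```python
import re

# A HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [sp] ...".
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

# Triage heuristics: assumptions made for this example, not HijackThis's own logic.
RULES = [
    ("runs or loads from a Temp directory", re.compile(r"\\temp\\", re.I)),
    ("res:// page served out of a DLL", re.compile(r"res://", re.I)),
    ("registered file is missing", re.compile(r"\(file missing\)", re.I)),
    ("IE page value left empty", re.compile(r"^HK(?:CU|LM)\\.*Internet Explorer.*=$")),
]

def parse(log_text):
    """Return (section, body) for every entry line; headers and process paths are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(entries):
    """Return (section, body, reasons) for each entry that matches at least one rule."""
    flagged = []
    for section, body in entries:
        reasons = [why for why, rx in RULES if rx.search(body)]
        if reasons:
            flagged.append((section, body, reasons))
    return flagged

def still_present(before_log, after_log):
    """Entries flagged in the earlier log that are still listed in the later one."""
    after = set(parse(after_log))
    return [f for f in triage(parse(before_log)) if (f[0], f[1]) in after]

# Lines excerpted from the HijackThis logs in posts #1, #3 and #5 of this thread.
POST_1 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\RASHEE~1\LOCALS~1\Temp\se.dll/sp.html
O2 - BHO: (no name) - {F8A96244-08BE-45BC-B92F-BB642773BF46} - C:\WINDOWS\system32\bffbje.dll (file missing)
"""
POST_3 = r"""
Running processes:
C:\WINDOWS\system32\ctfmon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\MIKE~1.AFC\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
POST_5 = r"""
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for log in (POST_1, POST_3):
        for section, body, reasons in triage(parse(log)):
            print(f"{section}: {body}\n    -> {'; '.join(reasons)}")
    print("left over after the fix:", still_present(POST_3, POST_5))
```

A flagged line is only a prompt for a closer look: legitimate installers also run from Temp, so the rules narrow the log down rather than decide what to remove.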



