Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

In need of help...hijack this! log inside


  • Please log in to reply
15 replies to this topic

#1 shrimpcuddler

shrimpcuddler

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:45 AM

Posted 13 May 2005 - 07:38 PM

I've run spybot and adaware. some of the problems are deleted but reinstall themselves. Other problems include constant pop-ups, change of homepage, and programs being installed.

heres my hijack this log:
Logfile of HijackThis v1.97.7
Scan saved at 3:55:33 PM, on 5/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\video2.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
c:\windows\system32\bdvnmkv.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\WebSiteViewer\127062.dlr
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\user\LOCALS~1\Temp\3D.tmp\thnall1a.exe
C:\WINDOWS\svcproc.exe
C:\Documents and Settings\user\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\user\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\user\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsu20B.dll
O2 - BHO: (no name) - {C734F6DB-BBAB-48B7-9735-DAFD6B311FE7} - C:\WINDOWS\System32\ehjbc.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [Windows Task Manager] C:\windows\system32\taskmgn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\user\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\video2.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
O4 - HKLM\..\Run: [raodims] c:\windows\system32\bdvnmkv.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\video2.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2bleeped.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.traffic2cash.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: {05B2E8C9-35F4-39CA-4CF4-29E9207A538C} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2EB2DBD5-6931-79FF-13FE-6FB86FD6E668} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {37DA0EDE-7F83-14CF-2D6C-636907F5436F} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {3965EA53-D17F-3E82-B011-6E503193717E} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {3EAD6D9B-0DB8-63AE-7A02-179E59132040} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {3F834915-DB21-787C-B19A-1D27129D6418} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {48A255C7-B45D-0341-3E79-4F3440CF13EC} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {4DE3304F-2226-09AC-56D4-15DE009A8359} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {4EBC64D5-A038-49C4-B36A-21E316D1AAD3} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {5F9FD54B-008F-3058-31AC-08C6061FFFCE} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {69F94E33-10CC-5694-5F71-592578B922CD} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {6A75C3C3-AE5E-5387-AD85-61ED327421CC} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {6AB390B9-6542-2512-8DEE-53C202B9FDBA} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {6E65A796-D774-40B8-71EB-49185970C542} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {703B274C-E70C-6B1D-EA68-16141C24BF68} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {73A292AF-8843-6BE1-7328-09C5046EE4BC} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {74EC0D60-627A-68A5-5B16-0C5D7C15F223} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,622 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:45 AM

Posted 14 May 2005 - 10:54 AM

Please download and extract the following file:

http://www.derbilk.de/SpSeHjfix112.zip

Run this program and then continue with the next steps:

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\user\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\user\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsu20B.dll
O2 - BHO: (no name) - {C734F6DB-BBAB-48B7-9735-DAFD6B311FE7} - C:\WINDOWS\System32\ehjbc.dll
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\user\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\video2.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
O4 - HKLM\..\Run: [raodims] c:\windows\system32\bdvnmkv.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\video2.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2bleeped.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.traffic2cash.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: {05B2E8C9-35F4-39CA-4CF4-29E9207A538C} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {2EB2DBD5-6931-79FF-13FE-6FB86FD6E668} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {37DA0EDE-7F83-14CF-2D6C-636907F5436F} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {3965EA53-D17F-3E82-B011-6E503193717E} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {3EAD6D9B-0DB8-63AE-7A02-179E59132040} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {3F834915-DB21-787C-B19A-1D27129D6418} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {48A255C7-B45D-0341-3E79-4F3440CF13EC} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {4DE3304F-2226-09AC-56D4-15DE009A8359} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {4EBC64D5-A038-49C4-B36A-21E316D1AAD3} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {5F9FD54B-008F-3058-31AC-08C6061FFFCE} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {69F94E33-10CC-5694-5F71-592578B922CD} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {6A75C3C3-AE5E-5387-AD85-61ED327421CC} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {6AB390B9-6542-2512-8DEE-53C202B9FDBA} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {6E65A796-D774-40B8-71EB-49185970C542} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {703B274C-E70C-6B1D-EA68-16141C24BF68} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {73A292AF-8843-6BE1-7328-09C5046EE4BC} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {74EC0D60-627A-68A5-5B16-0C5D7C15F223} - http://67.19.178.86/1/rdgUS1742.exe

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)


C:\WINDOWS\Nail.exe
C:\WINDOWS\System32\rsyncmon.dll
C:\WINDOWS\System32\nsu20B.dll
C:\WINDOWS\System32\ehjbc.dll
C:\WINDOWS\farmmext.exe
C:\WINDOWS\System32\video2.exe
C:\WINDOWS\System32\netsync.exe
c:\windows\system32\bdvnmkv.exe
C:\WINDOWS\System32\video2.exe
C:\WINDOWS\System32\spoolsrv32.exe

Reboot your computer to go back to normal mode.


Step #1

Download CCleaner and install it but do not run it yet.

Download and install ewido security suite. Update the program and then close it. Do not run it yet.

Step #2

Open Notepad and copy/paste the text in the quotebox below into the new document:

@ECHO OFF
cd\windows
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
exit


Save the document to your desktop as fixnail.bat and close Notepad.

Step #3

Start in Safe Mode Using the F8 method:[LIST]
[*]Restart the computer.
[*]As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
[*]Use the arrow keys to select the Safe Mode menu item.
[*]Press the Enter key.

Step #5

Locate the fixnail.bat file on your desktop and double-click on it to run it.

Step #6

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #7

Start ewido and click the Scanner button and then click the Start button. Let it run to completion and fix everything it finds.


OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

#3 shrimpcuddler

shrimpcuddler
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:45 AM

Posted 14 May 2005 - 09:40 PM

I did the above steps...i still have stuff installing on my desk top and less pop ups. Heres my hijack log.

Logfile of HijackThis v1.97.7
Scan saved at 7:39:33 PM, on 5/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\down.exe
C:\Documents and Settings\user\efvefefe.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\video2.exe
C:\Program Files\WebSiteViewer\127062.dlr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\My Documents\HijackThis.exe

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsc6.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [Windows Task Manager] C:\windows\system32\taskmgn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\video2.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\video2.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: SideFind (HKLM)
O9 - Extra button: AIM (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,622 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:45 AM

Posted 15 May 2005 - 01:01 PM

You are using an outdated version of hijackthis.

Please download the newer version from the following link:

HijackThis Download Site

Once it is downloaded, extract the zip file to c:\hjt and navigate to the c:\hjt folder. Now double-click on hijackthis.exe and when the window opens, put a checkmark in the box at the bottom that states Don't show this frame again when I start HijackThis.

Then click on the button labeled None of the above, just start the program. You will now be presented with the main HJT screen.

Press the Scan button and then when it is done, the Save Log button. Save this log in c:\hjt, and then copy and paste the contents of the notepad it opens as a reply to this post.

#5 shrimpcuddler

shrimpcuddler
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:45 AM

Posted 15 May 2005 - 02:16 PM

Logfile of HijackThis v1.99.1
Scan saved at 12:15:17 PM, on 5/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\instsrv.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\lsuah.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINDOWS\pkdex.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\user\Application Data\otel.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hjt\HijackThis.exe
c:\program files\180solutions\sais.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nstC.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [fjjWo1FwW] C:\WINDOWS\lsuah.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [pkdex] C:\WINDOWS\pkdex.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Oura] C:\Documents and Settings\user\Application Data\otel.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {6610F643-ED75-1D03-119D-71002937AD94} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=3548
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,622 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:45 AM

Posted 15 May 2005 - 11:43 PM

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nstC.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [fjjWo1FwW] C:\WINDOWS\lsuah.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [pkdex] C:\WINDOWS\pkdex.exe
O4 - HKCU\..\Run: [Oura] C:\Documents and Settings\user\Application Data\otel.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {6610F643-ED75-1D03-119D-71002937AD94} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=3548
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\SYSTEM\Loader.dll
C:\WINDOWS\System32\nstC.dll
C:\Program Files\SideFind\
C:\WINDOWS\System32\msbe.dll
C:\PROGRAM FILES\YOURSI~1\ysb.dll
C:\Program Files\ISTsvc\
C:\WINDOWS\lsuah.exe
c:\program files\180solutions\
C:\Program Files\Power Scan\
C:\Program Files\BullsEye Network\
C:\WINDOWS\pkdex.exe
C:\Documents and Settings\user\Application Data\otel.exe
C:\Program Files\SideFind\
C:\WINDOWS\svcproc.exe
C:\WINDOWS\zeta.exe

Reboot your computer to go back to normal mode.

Please download and install the program Registry Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under programs portion of the Start Menu.

Once it is opened, copy and paste the below line, into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

And press enter. You will now be presented with new information in the bottom right and left sections and on the right section.

Right click on SvcProc and ZESOFT and delete them.

Reboot and post a last log.

#7 shrimpcuddler

shrimpcuddler
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:45 AM

Posted 16 May 2005 - 09:28 PM

Heres my log...everything is still installing itself after awhile (zeta.exe, bargain, etc.) Thanks for the help

Logfile of HijackThis v1.99.1
Scan saved at 7:24:13 PM, on 5/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hjt\HijackThis.exe
C:\DOCUME~1\user\LOCALS~1\Temp\iinstall.exe
C:\Documents and Settings\user\down.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\tviqul.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\user\LOCALS~1\Temp\bb.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\user\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\user\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nse4.dll
O2 - BHO: (no name) - {A5FF11EB-65D2-4122-A92C-FE253056497D} - C:\WINDOWS\System32\lme.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\user\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O18 - Filter: text/html - {D3C18FF4-1183-4131-A648-FAF6AEB4C515} - C:\WINDOWS\System32\lme.dll
O18 - Filter: text/plain - {D3C18FF4-1183-4131-A648-FAF6AEB4C515} - C:\WINDOWS\System32\lme.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,622 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:45 AM

Posted 16 May 2005 - 10:23 PM

Please download and extract the following file:

http://www.derbilk.de/SpSeHjfix112.zip

Run the program and then post the resulting log along with a new hijackthis log.

#9 shrimpcuddler

shrimpcuddler
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:45 AM

Posted 17 May 2005 - 08:17 PM

SpSEHJFIX log

(5/15/05 10:06:03 AM) SPSeHjFix started v1.1.2
(5/15/05 10:06:03 AM) OS: WinXP Service Pack 1 (5.1.2600)
(5/15/05 10:06:03 AM) Language: english
(5/15/05 10:06:03 AM) Win-Path: C:\WINDOWS
(5/15/05 10:06:03 AM) System-Path: C:\WINDOWS\System32
(5/15/05 10:06:03 AM) Temp-Path: C:\DOCUME~1\user\LOCALS~1\Temp\
(5/15/05 10:06:05 AM) Disinfection started
(5/15/05 10:06:05 AM) Bad-Dll(IEP): c:\docume~1\user\locals~1\temp\se.dll
(5/15/05 10:06:05 AM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\jdmiefa.dll
(5/15/05 10:06:05 AM) Searchassistant Uninstaller - Keys Deleted
(5/15/05 10:06:05 AM) UBF: 9 - UBB: 1 - UBR: 11
(5/15/05 10:06:05 AM) FilterKey: HKCR\text/html (deleted)
(5/15/05 10:06:05 AM) FilterKey: HKCR\CLSID\{AC5B6BC0-B60A-4FC7-BAAC-74B7381EE9CE} (deleted)
(5/15/05 10:06:05 AM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(5/15/05 10:06:05 AM) FilterKey: HKCR\text/plain (deleted)
(5/15/05 10:06:05 AM) FilterKey: HKCR\CLSID\{AC5B6BC0-B60A-4FC7-BAAC-74B7381EE9CE} (error while deleting)
(5/15/05 10:06:05 AM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(5/15/05 10:06:05 AM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C42EBA71-A57A-47FC-9558-A61DCB739273} (deleted)
(5/15/05 10:06:05 AM) BHO-Key: HKCR\CLSID\{C42EBA71-A57A-47FC-9558-A61DCB739273} (deleted)
(5/15/05 10:06:05 AM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\user\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(5/15/05 10:06:05 AM) UBF: 7 - UBB: 0 - UBR: 10
(5/15/05 10:06:05 AM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\user\locals~1\temp\se.dll/sp.html


Hijack log

Logfile of HijackThis v1.99.1
Scan saved at 6:16:26 PM, on 5/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
c:\windows\system32\lkpnldx.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\user\Application Data\otel.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\svcproc.exe
C:\WINDOWS\svcproc.exe
C:\Program Files\Internet Explorer\svchost.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\tskla.exe
C:\Program Files\180Solutions\sais.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsiE.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ys2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ijWFRIg] C:\WINDOWS\tviqul.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [qjabif] C:\WINDOWS\qjabif.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\pd33.exe
O4 - HKLM\..\Run: [fGkWAsD8d] C:\WINDOWS\fllwgwf.exe
O4 - HKLM\..\Run: [B4ibRFS] C:\WINDOWS\vvqrl.exe
O4 - HKLM\..\Run: [Vec5] C:\WINDOWS\aeujfl.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [ytyysof] c:\windows\system32\lkpnldx.exe
O4 - HKLM\..\Run: [klod] C:\WINDOWS\klod.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [9YED] C:\WINDOWS\tskla.exe
O4 - HKLM\..\Run: [shkjynal] C:\WINDOWS\shkjynal.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\pd33.exe
O4 - HKCU\..\Run: [Oura] C:\Documents and Settings\user\Application Data\otel.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=3548
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,622 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:45 AM

Posted 18 May 2005 - 09:34 PM

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsiE.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ys2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ijWFRIg] C:\WINDOWS\tviqul.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [qjabif] C:\WINDOWS\qjabif.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\pd33.exe
O4 - HKLM\..\Run: [fGkWAsD8d] C:\WINDOWS\fllwgwf.exe
O4 - HKLM\..\Run: [B4ibRFS] C:\WINDOWS\vvqrl.exe
O4 - HKLM\..\Run: [Vec5] C:\WINDOWS\aeujfl.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [ytyysof] c:\windows\system32\lkpnldx.exe
O4 - HKLM\..\Run: [klod] C:\WINDOWS\klod.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [9YED] C:\WINDOWS\tskla.exe
O4 - HKLM\..\Run: [shkjynal] C:\WINDOWS\shkjynal.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\pd33.exe
O4 - HKCU\..\Run: [Oura] C:\Documents and Settings\user\Application Data\otel.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=3548
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\nem220.dll
C:\WINDOWS\systb.dll
C:\WINDOWS\System32\rsyncmon.dll
C:\WINDOWS\SYSTEM\Loader.dll
C:\WINDOWS\System32\nsiE.dll
C:\WINDOWS\System32\msbe.dll
C:\WINDOWS\tviqul.exe
c:\program files\180solutions\
C:\Program Files\Power Scan\
C:\Program Files\BullsEye Network\
C:\WINDOWS\qjabif.exe
C:\WINDOWS\System32\pd33.exe
C:\WINDOWS\fllwgwf.exe
C:\WINDOWS\vvqrl.exe
C:\WINDOWS\aeujfl.exe
C:\WINDOWS\System32\netsync.exe
C:\WINDOWS\wupdt.exe
c:\windows\system32\lkpnldx.exe
C:\WINDOWS\klod.exe
C:\Program Files\ISTsvc\
C:\WINDOWS\tskla.exe
C:\WINDOWS\shkjynal.exe
C:\WINDOWS\System32\pd33.exe
C:\Documents and Settings\user\Application Data\otel.exe
C:\Program Files\SideFind\
C:\WINDOWS\svcproc.exe
C:\WINDOWS\zeta.exe

Reboot your computer to go back to normal mode and post a new log.

#11 shrimpcuddler

shrimpcuddler
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:45 AM

Posted 18 May 2005 - 11:59 PM

The stuff might install itself lateragain.....

Logfile of HijackThis v1.99.1
Scan saved at 9:56:46 PM, on 5/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\AIM\aim.exe
c:\windows\system32\hmximsd.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\user\LOCALS~1\Temp\SSB\aurareco.exe
C:\DOCUME~1\user\LOCALS~1\Temp\DrTemp\wupdt.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bllsvmy] c:\windows\system32\hmximsd.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,622 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:45 AM

Posted 19 May 2005 - 09:44 AM

I need to get samples of some of your files. Please create a folder called c:\submit. Now copy the following files into that directory:

C:\DOCUME~1\user\LOCALS~1\Temp\SSB\aurareco.exe
C:\DOCUME~1\user\LOCALS~1\Temp\DrTemp\wupdt.exe

To copy the files simply navigate to the directory they are in and right click on the file name, and then click on copy option. Now go back to the c:\submit folder and right click in the folder and select the paste option.

Once the files are all copied zip the folder and rename submit.zip to yourmembername.zip (for example grinler.zip). If you are using XP or ME right-click on the folder and click on the Send To option and then send it to a Compressed folder. You will now see a file called yourmembername.zip. If you are using another version of Windows, please download a program called Winzip and zip it using that.

When the files are zipped, go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browsing to the file you are submitting Finally click on the Send File button.

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

O4 - HKLM\..\Run: [bllsvmy] c:\windows\system32\hmximsd.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

c:\windows\system32\hmximsd.exe

Reboot your computer to go back to normal mode.

Download FindQoologic.zip save it to your Desktop.

http://forums.net-integration.net/index.ph...=post&id=134981

Extract (unzip) the files inside into their own folder called FindQoologic.
Open the FindQoologic folder. Preferable to your desktop.
Locate and double-click the Find-Qoologic.bat file to run it.
Wait until a text opens and save the log.

If you get an error while running Findqoologic similar to 'C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application..'

Download and install this file:

http://www.visualtour.com/downloads/xp_fix.exe

and run findqoologic again . Post the resulting log along with a new hijackthis log

#13 shrimpcuddler

shrimpcuddler
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:45 AM

Posted 19 May 2005 - 09:07 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:05:08 PM, on 5/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\svcproc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\xfyeq.exe
C:\Program Files\Internet Optimizer\optimize.exe
c:\windows\system32\bpohuyc.exe
C:\WINDOWS\mlipkl.exe
C:\WINDOWS\System32\Ydibfi.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\AIM\aim.exe
c:\program files\180solutions\sais.exe
C:\WINDOWS\System32\cryml2.exe
C:\WINDOWS\System32\dcowser.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsx4.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [dr9AD42ME] C:\WINDOWS\xfyeq.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [mlipkl] C:\WINDOWS\mlipkl.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\DOCUME~1\user\LOCALS~1\Temp\cxtpls_loader.exe" /PC=CP.IST /ForSupportedBrowsers /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Cuqjah.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Ydibfi.exe
O4 - HKLM\..\Run: [mfsxynv] c:\windows\system32\bpohuyc.exe
O4 - HKLM\..\Run: [w3Ek35T] dcowser.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [h0xqRRfnR] cryml2.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {0A6D7F92-A994-06EA-4CF2-5A107E6C9A62} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=3548
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
<NO NAME> REG_SZ

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AntiVir/Win
<NO NAME> REG_SZ {a7cda720-84ee-11d0-b5c0-00001b3ca278}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
<NO NAME> REG_SZ {85BBD920-42A0-1069-A2E4-08002B30309D}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
<NO NAME> REG_SZ {B41DB860-8EE4-11D2-9906-E49FADC173CA}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
<NO NAME> REG_SZ {E0D79304-84BE-11CE-9641-444553540000}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,622 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:45 AM

Posted 19 May 2005 - 10:17 PM

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsx4.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [dr9AD42ME] C:\WINDOWS\xfyeq.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [mlipkl] C:\WINDOWS\mlipkl.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\DOCUME~1\user\LOCALS~1\Temp\cxtpls_loader.exe" /PC=CP.IST /ForSupportedBrowsers /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Cuqjah.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Ydibfi.exe
O4 - HKLM\..\Run: [mfsxynv] c:\windows\system32\bpohuyc.exe
O4 - HKLM\..\Run: [w3Ek35T] dcowser.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [h0xqRRfnR] cryml2.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {0A6D7F92-A994-06EA-4CF2-5A107E6C9A62} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=3548
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\nem220.dll
C:\Program Files\CxtPls\
C:\WINDOWS\systb.dll
C:\WINDOWS\System32\rsyncmon.dll
C:\WINDOWS\SYSTEM\Loader.dll
C:\WINDOWS\System32\nsx4.dll
C:\WINDOWS\System32\msbe.dll
C:\WINDOWS\System32\netsync.exe
C:\Program Files\ISTsvc\
C:\WINDOWS\xfyeq.exe
C:\Program Files\BullsEye Network\
C:\Program Files\Internet Optimizer\
c:\program files\180solutions\
C:\WINDOWS\mlipkl.exe
C:\WINDOWS\wupdt.exe
C:\Program Files\Power Scan\
C:\WINDOWS\System32\Cuqjah.exe
C:\WINDOWS\System32\Ydibfi.exe
c:\windows\system32\bpohuyc.exe
c:\windows\system32\dcowser.exe
C:\Program Files\AutoUpdate\
c:\windows\system32\cryml2.exe
C:\Program Files\SideFind\
C:\WINDOWS\svcproc.exe

Reboot your computer to go back to normal mode and post a new log.

#15 shrimpcuddler

shrimpcuddler
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:45 AM

Posted 20 May 2005 - 09:46 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:44:37 PM, on 5/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\mmuv_32.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\mmdvc32.exe
c:\windows\system32\mcycqqx.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\jgohbhx.exe
C:\WINDOWS\System32\thin-94-1-x-x.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\svcproc.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Winamp\winamp.exe
c:\program files\180solutions\sais.exe
C:\Documents and Settings\user\pd33.exe
C:\Program Files\WebSiteViewer\127062.dlr
C:\Documents and Settings\user\Application Data\otel.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\rdgUS1742.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\hjt\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsz5.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dr9AD42ME] C:\WINDOWS\xfyeq.exe
O4 - HKLM\..\Run: [w3Ek35T] mmuv_32.exe
O4 - HKLM\..\Run: [ycdzhr] c:\windows\system32\mcycqqx.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [o4pD] C:\WINDOWS\jgohbhx.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [lazah] C:\WINDOWS\lazah.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\pd33.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [h0xqRRfnR] mmdvc32.exe
O4 - HKCU\..\Run: [Oura] C:\Documents and Settings\user\Application Data\otel.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\pd33.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {0A6D7F92-A994-06EA-4CF2-5A107E6C9A62} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {362E6890-1F4D-779E-A7B4-0DDB088C487E} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {3E532321-FB17-1812-B4F4-4668125196BE} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {6AA8FC90-196E-66F3-B92E-09130DB2DCEC} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {77170564-EA82-3FDD-849A-1942165C2D07} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=3548
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users