
HJT Log - Amers


This topic is locked. 10 replies to this topic.

#1 Amers

  • Members
  • 5 posts

Posted 16 June 2005 - 02:29 PM

Hi,

I have been having problems lately with my computer. I am constantly getting pop ups while using Internet Explorer. I have run both Ad-Aware and Spybot - Search and Destroy. Ad-Aware shows that I have the VX2 virus. Ad-Aware seems to remove it. However, each time I run Ad-Aware, it is there again.

Below is the log I got when I ran Hijackthis. Please review it. I would appreciate any help that you can provide.

Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 2:58:10 PM, on 6/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\windows\system32\lapc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\oracle\ora92\bin\agntsrvc.exe
C:\WINDOWS\system32\cmd.exe
C:\oracle\ora92\bin\dbsnmp.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\System32\sysmonnt.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Winzip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\Lotus\Notes\NLNOTES.EXE
C:\Program Files\Lotus\Notes\ntaskldr.EXE
C:\Program Files\AR System\aruser.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.marsh.com/MarshPortal/PortalMain
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06DEA1A3-E06F-44ED-AE7B-FEB441E7489B} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {0817060F-12AA-4FC6-B0B7-BBBC13704820} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {0D524E39-24F6-4FC8-927E-0639483D95AE} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {0E0320F8-2174-4796-8C9F-456015D9A60A} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {10E20026-9ACB-4805-B5D7-28AAF3C72F8C} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {14481527-5C8B-4527-B2CA-96371AB4D7FD} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {1D78C0EE-510E-4B16-BB44-D0DF37C1E070} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {217A61B3-A9FD-4FC5-8007-5F9A930F2F79} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {285462E1-D912-49C9-871B-2374BE98BF4F} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {28FFBCB3-1C57-4131-971B-6BFE29E31D89} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {291DE429-D72F-4163-9E00-3BDDE93AD131} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {3392C834-A7B7-48ED-9331-473FE1A7155C} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {40E83EB6-3DB4-4A79-ACE9-3E554427F70D} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {4D432F8A-5123-4891-870B-309D37FC82ED} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {562F5F46-299E-4BD5-92CE-C4C9360FF2C6} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {56DDAE1A-3395-4733-81C0-44DAB99EB10F} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {57455A34-74AE-418A-8313-BA817B2D8728} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {5B776524-0628-4C2B-9848-3FA335D367AD} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {5E094DDC-8F59-4521-B99D-A90DA6824608} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {61DDEE34-DF0D-41F5-B429-21F5CA99A9AD} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {6730883D-4ACC-4B08-9958-AF74D700C453} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {6A7CBFBE-3A9C-4D6E-B41E-3116B34B0E2A} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {6B793906-7110-4B00-AB56-FE15BBD6D17A} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {72E7651C-DBEF-4CF0-8743-7E3D30260D2E} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {73CE61E9-BBD6-46DC-8D16-A6F5531430C9} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {7827F2F9-FF82-4603-8D95-752D5EBA7DC2} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {7F349F6C-8C96-4101-B7B9-9C0063C6371D} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {8825E791-2E84-4AEB-9344-551C5E317F6E} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {8E8B0120-9631-4D49-B062-E0655CBB7826} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {961D2532-A60A-4EB0-B2F6-2F6060D0BA22} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {9832E226-9014-439E-BBDA-AD8C3A49C48D} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {A507A281-228D-49F9-A741-C789BFDA59D5} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {A5635DB5-9047-479D-9C74-11DFB8F4DD07} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {A90D6E61-D8B3-4413-8F3B-16CC399F4D65} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B51A3D4F-F219-4AF0-B5F0-C338D87524E3} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {BCC45928-1F26-4AE6-9231-260D9BA2AF02} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {C09DE07A-9BA9-4520-A401-34874849AD0E} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {C4A0D430-47F9-40AF-B9FA-B716BB5FBFEB} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {C7AD3E44-5006-46B2-931B-A532AC259159} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {D70A1686-F1D4-4134-AC84-ACEEA4427147} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {DB00A15B-E7E5-4CC2-87EF-63E269C116F6} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {DF711A7D-4767-4E4B-A0B5-21881106467C} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {DFF00F25-EB05-486D-A1D0-55A0662C3F5B} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {E02F910D-4514-419D-8B42-16532C365E9C} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {E1A663ED-F463-4A4E-8C15-D492E96DF359} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {E6140108-0ED7-4CDC-9100-228DBD8667AC} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {EB4F09B0-767A-44E2-ADB9-482CE9D3A7A0} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {EBD78C10-1C34-496B-884A-B473281B96A1} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {ED1295F0-DF59-41E4-AF95-A0339AC641E8} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {ED3F6FB5-2B7F-443D-ABD5-6B91DE14EA7D} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {F06E25E3-7466-42B0-B514-EEC3EFDF71AF} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {F8782572-4502-430D-9CA7-8C0FEDD74B0A} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {FC14C95A-8891-4E64-A42F-EE886C611D4E} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {FD4F6FC1-1AE9-4085-8C5A-7305AD1C6A88} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {FE4CA628-9B55-46CC-BBD0-0DA2CA1A1C53} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Client Access Service] "C:\PROGRA~1\IBM\CLIENT~1\cwbsvstr.exe
O4 - HKLM\..\Run: [Client Access Help Update] "C:\PROGRA~1\IBM\CLIENT~1\cwbinhlp.exe
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\PROGRA~1\IBM\CLIENT~1\cwbwlwiz.exe
O4 - HKLM\..\Run: [Client Access Check Version] "C:\PROGRA~1\IBM\CLIENT~1\cwbckver.exe LOGIN
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [r73j34l] wmpud.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [orlj] C:\WINDOWS\System32\orlj.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [awstRQJEh] avwave.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\Winzip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.marsh.com/MarshPortal/PortalMain
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: JavaConnect - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\JavaConnect.cab
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: Sametime BroadCast Client ST30IF2 - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\STBroadcastClient.cab
O16 - DPF: Sametime Directory Applet ST30SP1 - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\STDirectoryApplet.cab
O16 - DPF: Sametime Meeting Room Client ST30SP1 - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\STMeetingRoomClient.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\STJNILoader.cab
O16 - DPF: {332bd5a0-8000-11d7-b657-00c04faedb18} (Oracle JInitiator 1.1.8.22) -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1349fcda385fd9...ip/RdxIE601.cab
O16 - DPF: {A25BE7A9-3102-46B4-BAAE-462471B60ACB} (STConnectivityAgent Control) - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\InstallSTConnAgent.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://205.247.223.204/main/Install/en/US/...aDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/acti...loadControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.us.mrshmc.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.us.mrshmc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.us.mrshmc.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: LAPC - Marsh, Inc. - c:\windows\system32\lapc.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\System32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleDesignerClientCache80 - Unknown owner - C:\oracle\Designer\BIN\ONRSD80.EXE
O23 - Service: OracleOra81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


#2 g2i2r4

    Malware remover

  • Members
  • 900 posts

Posted 18 June 2005 - 08:39 AM

Welcome Amers to Bleeping Computer.

I see different infections. Let's see if we can take them on in one piece of advice.

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!



Download CleanUp!.
If that doesn’t work, use this link.
Double click the file cleanup.

Go to option
Select ‘custom’
Put a check to:
  • Cookies
  • Prefetch
  • Temp
  • All users.
Press 'cleanup!'

Once it's done, press Close.

Let the system reboot.

***

Please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.

Do NOT run a scan yet.

***

RIGHT-CLICK HERE and Save As (In IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

***

Download the Killbox.
Unzip it to the desktop but do NOT run it yet.

***

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?dow...050515010747824
Unzip it to the desktop but please do NOT run it yet.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

***

Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

***

Next please run HijackThis, click Scan, and check:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {06DEA1A3-E06F-44ED-AE7B-FEB441E7489B} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {0817060F-12AA-4FC6-B0B7-BBBC13704820} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {0D524E39-24F6-4FC8-927E-0639483D95AE} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {0E0320F8-2174-4796-8C9F-456015D9A60A} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {10E20026-9ACB-4805-B5D7-28AAF3C72F8C} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {14481527-5C8B-4527-B2CA-96371AB4D7FD} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {1D78C0EE-510E-4B16-BB44-D0DF37C1E070} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {217A61B3-A9FD-4FC5-8007-5F9A930F2F79} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {285462E1-D912-49C9-871B-2374BE98BF4F} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {28FFBCB3-1C57-4131-971B-6BFE29E31D89} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {291DE429-D72F-4163-9E00-3BDDE93AD131} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {3392C834-A7B7-48ED-9331-473FE1A7155C} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {40E83EB6-3DB4-4A79-ACE9-3E554427F70D} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {4D432F8A-5123-4891-870B-309D37FC82ED} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {562F5F46-299E-4BD5-92CE-C4C9360FF2C6} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {56DDAE1A-3395-4733-81C0-44DAB99EB10F} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {57455A34-74AE-418A-8313-BA817B2D8728} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {5B776524-0628-4C2B-9848-3FA335D367AD} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {5E094DDC-8F59-4521-B99D-A90DA6824608} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {61DDEE34-DF0D-41F5-B429-21F5CA99A9AD} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {6730883D-4ACC-4B08-9958-AF74D700C453} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {6A7CBFBE-3A9C-4D6E-B41E-3116B34B0E2A} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {6B793906-7110-4B00-AB56-FE15BBD6D17A} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {72E7651C-DBEF-4CF0-8743-7E3D30260D2E} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {73CE61E9-BBD6-46DC-8D16-A6F5531430C9} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {7827F2F9-FF82-4603-8D95-752D5EBA7DC2} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {7F349F6C-8C96-4101-B7B9-9C0063C6371D} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {8825E791-2E84-4AEB-9344-551C5E317F6E} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {8E8B0120-9631-4D49-B062-E0655CBB7826} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {961D2532-A60A-4EB0-B2F6-2F6060D0BA22} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {9832E226-9014-439E-BBDA-AD8C3A49C48D} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {A507A281-228D-49F9-A741-C789BFDA59D5} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {A5635DB5-9047-479D-9C74-11DFB8F4DD07} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {A90D6E61-D8B3-4413-8F3B-16CC399F4D65} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {B51A3D4F-F219-4AF0-B5F0-C338D87524E3} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {BCC45928-1F26-4AE6-9231-260D9BA2AF02} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {C09DE07A-9BA9-4520-A401-34874849AD0E} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {C4A0D430-47F9-40AF-B9FA-B716BB5FBFEB} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {C7AD3E44-5006-46B2-931B-A532AC259159} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {D70A1686-F1D4-4134-AC84-ACEEA4427147} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {DB00A15B-E7E5-4CC2-87EF-63E269C116F6} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {DF711A7D-4767-4E4B-A0B5-21881106467C} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {DFF00F25-EB05-486D-A1D0-55A0662C3F5B} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {E02F910D-4514-419D-8B42-16532C365E9C} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {E1A663ED-F463-4A4E-8C15-D492E96DF359} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {E6140108-0ED7-4CDC-9100-228DBD8667AC} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {EB4F09B0-767A-44E2-ADB9-482CE9D3A7A0} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {EBD78C10-1C34-496B-884A-B473281B96A1} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {ED1295F0-DF59-41E4-AF95-A0339AC641E8} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {ED3F6FB5-2B7F-443D-ABD5-6B91DE14EA7D} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {F06E25E3-7466-42B0-B514-EEC3EFDF71AF} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {F8782572-4502-430D-9CA7-8C0FEDD74B0A} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {FC14C95A-8891-4E64-A42F-EE886C611D4E} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {FD4F6FC1-1AE9-4085-8C5A-7305AD1C6A88} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O2 - BHO: (no name) - {FE4CA628-9B55-46CC-BBD0-0DA2CA1A1C53} - C:\Program Files\jbh10e0i\jbh10e0i.dll

O4 - HKLM\..\Run: [r73j34l] wmpud.exe

O4 - HKLM\..\Run: [orlj] C:\WINDOWS\System32\orlj.exe

O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt

O4 - HKCU\..\Run: [awstRQJEh] avwave.exe

O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1349fcda385fd9...ip/RdxIE601.cab

Close all open windows except for HijackThis and click Fix Checked.

***

Please double-click Killbox.exe to run it.

Select "Delete on Reboot".

Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\orlj.exe
C:\WINDOWS\System32\sysmonnt
c:\windows\system32\lapc.exe


Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Make sure to reboot back to safe mode.

***

Double click Ewido.
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
***

Reboot to normal mode.

***

Open Notepad and copy and paste the following text into it:

REM export the policies\Explorer\Run key, a less common autostart location
regedit /e search.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
REM 'type' converts regedit's Unicode export to plain text while appending it to look.txt
type search.txt>>look.txt
del search.txt
REM /a lists files with any attribute (hidden and system included), /s searches every subfolder
dir %SystemDrive%\*ndw*lib.dll /a /s >> look.txt
start notepad look.txt


Save this as look.bat
Choose to save as 'all files' and place it on your desktop.
Now double-click on look.bat and it will scan.
Notepad will open afterwards with some text in it, so copy and paste this in your next reply.

***

Run this online virus scan:
ActiveScan

Save the results from ActiveScan.

***

Restart your computer in normal mode and please post:
  • a new HijackThis log
  • the log from the Ewido scan
  • the content of the look.txt we created
  • the log from ActiveScan.


Life is what happens while you're making other plans
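The triage the helper performs above by hand (nameless BHOs piling onto one DLL, Run entries that name a bare executable or a file with no extension, a Trusted Zone addition, remote ActiveX downloads, search settings reset to about:blank) reduces to a few pattern checks over the HijackThis v1.99 entry lines. The following Python is an added example, not from the thread, from HijackThis, or from BleepingComputer; the category names and the cluster threshold are my own choices, and the sample input is an excerpt of the log posted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample input: an excerpt of the log posted earlier in this thread,
# trimmed to the lines that exercise each check below.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.marsh.com/MarshPortal/PortalMain
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06DEA1A3-E06F-44ED-AE7B-FEB441E7489B} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {0817060F-12AA-4FC6-B0B7-BBBC13704820} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {0D524E39-24F6-4FC8-927E-0639483D95AE} - C:\Program Files\jbh10e0i\jbh10e0i.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [r73j34l] wmpud.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [awstRQJEh] avwave.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: JavaConnect - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\JavaConnect.cab
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
DPF_RE = re.compile(r"^DPF: (.*?) - (.*)$")
EXE_RE = re.compile(r"(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.I)
EXT_RE = re.compile(r"\.(?:exe|com|bat|cmd|scr|pif)$", re.I)


def parse_entries(text):
    """Return (type, body, raw_line) for every 'Rn - ...' / 'On - ...' line."""
    out = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            out.append((m.group(1), m.group(2), raw))
    return out


def executable_of(cmd):
    """Pick the program out of a Run value: the quoted token if quoted, else
    everything up to the first known executable extension, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def triage(text, bho_cluster_threshold=3):
    """Return a list of (category, detail) findings for an HJT log."""
    findings = []
    bhos_by_dll = defaultdict(list)
    for etype, body, raw in parse_entries(text):
        if etype in ("R0", "R1") and body.endswith("= about:blank") and any(
            k in body for k in ("Search Bar", "SearchURL", "CustomizeSearch")
        ):
            findings.append(("search-hijack", raw))
        elif etype == "R3" and "URLSearchHook is missing" in body:
            findings.append(("urlsearchhook-missing", raw))
        elif etype == "O2":
            m = BHO_RE.match(body)
            if m:
                bhos_by_dll[m.group(3).lower()].append((m.group(1), raw))
        elif etype == "O4":
            m = RUN_RE.match(body)
            if m:
                exe = executable_of(m.group(3))
                if "\\" not in exe:
                    # bare name: resolved through the PATH search, legitimate
                    # installers almost always write a full path instead
                    findings.append(("run-bare-name", raw))
                elif not EXT_RE.search(exe):
                    findings.append(("run-no-extension", raw))
        elif etype == "O15":
            # any Trusted Zone addition is worth a look, it relaxes IE security
            findings.append(("trusted-zone", raw))
        elif etype == "O16":
            m = DPF_RE.match(body)
            if m and m.group(2).strip().lower().startswith(("http://", "https://")):
                findings.append(("remote-activex", raw))
    # many nameless BHOs registered under different CLSIDs but one DLL is the
    # pattern the helper fixed in bulk above
    for dll, items in bhos_by_dll.items():
        nameless = [raw for name, raw in items if name == "(no name)"]
        if len(nameless) >= bho_cluster_threshold:
            findings.append(("bho-cluster", f"{len(nameless)} nameless BHOs share {dll}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:22} {detail}")
```

Entries such as orlj.exe in the thread are only recognisable by name, so this is a first pass, not a replacement for the helper's knowledge of known bad files.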

#3 Amers
  • Topic Starter

  • Members
  • 5 posts

Posted 20 June 2005 - 09:56 AM

Hi g2i2r4,

Thank you for your response. I have been going through the steps as you requested. However, I am having problems with the Nailfix file I need to download. When I try to open it and unzip, WinZip is giving me the following error:
"Cannot open file: it does not appear to have a valid archive."
I have tried downloading numerous times. I tried saving the file, and then opening it, but that didn't work either. Is there another location that I could get this file from?

Thanks.

#4 g2i2r4

    Malware remover

  • Members
  • 900 posts

Posted 20 June 2005 - 03:35 PM

I'm checking this with the creator of the fix, please wait till I get back.



#5 g2i2r4

    Malware remover

  • Members
  • 900 posts

Posted 20 June 2005 - 05:13 PM

Please disable your virus scanner for a minute and download the nailfix.
Disconnect from the internet for a minute.
See if you can get it to run now.

After running the nailfix, re-enable the virus scanner.

Let me know if this worked.



#6 Amers
  • Topic Starter

  • Members
  • 5 posts

Posted 22 June 2005 - 02:55 PM

Hi,

I have followed your instructions. Below is the information you asked me to provide.

HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 3:44:39 PM, on 6/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\oracle\ora92\bin\agntsrvc.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\oracle\ora92\bin\dbsnmp.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Winzip\WZQKPICK.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Lotus\Notes\NLNOTES.EXE
C:\Program Files\Lotus\Notes\ntaskldr.EXE
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.marsh.com/MarshPortal/PortalMain
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Client Access Service] "C:\PROGRA~1\IBM\CLIENT~1\cwbsvstr.exe
O4 - HKLM\..\Run: [Client Access Help Update] "C:\PROGRA~1\IBM\CLIENT~1\cwbinhlp.exe
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\PROGRA~1\IBM\CLIENT~1\cwbwlwiz.exe
O4 - HKLM\..\Run: [Client Access Check Version] "C:\PROGRA~1\IBM\CLIENT~1\cwbckver.exe LOGIN
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\Winzip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.marsh.com/MarshPortal/PortalMain
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: JavaConnect - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\JavaConnect.cab
O16 - DPF: Sametime BroadCast Client ST30IF2 - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\STBroadcastClient.cab
O16 - DPF: Sametime Directory Applet ST30SP1 - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\STDirectoryApplet.cab
O16 - DPF: Sametime Meeting Room Client ST30SP1 - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\STMeetingRoomClient.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\STJNILoader.cab
O16 - DPF: {332bd5a0-8000-11d7-b657-00c04faedb18} (Oracle JInitiator 1.1.8.22) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A25BE7A9-3102-46B4-BAAE-462471B60ACB} (STConnectivityAgent Control) - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\InstallSTConnAgent.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://205.247.223.204/main/Install/en/US/...aDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/acti...loadControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.us.mrshmc.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.us.mrshmc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.us.mrshmc.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LAPC - Unknown owner - c:\windows\system32\lapc.exe (file missing)
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\System32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleDesignerClientCache80 - Unknown owner - C:\oracle\Designer\BIN\ONRSD80.EXE
O23 - Service: OracleOra81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE



Log from Ewido Scan:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:03:01 PM, 6/22/2005
+ Report-Checksum: 806471C2

+ Date of database: 6/20/2005
+ Version of scan engine: v3.0

+ Duration: 73 min
+ Scanned Files: 236025
+ Speed: 53.19 Files/Second
+ Infected files: 102
+ Removed files: 102
+ Files put in quarantine: 102
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\ASINGH07\Cookies\asingh07@ads.as4x.tmcs[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\ASINGH07\Cookies\asingh07@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\ASINGH07\Cookies\asingh07@html[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\ASINGH07\Cookies\asingh07@servedby.netshelter[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug.a -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-107.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-129.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-135.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-140.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-156.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-179.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-185.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-217.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-316.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-326.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-327.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-346.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-367.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-406.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-430.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-439.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-449.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-461.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-470.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-488.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-496.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-506.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-513.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-527.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-536.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-543.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-548.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-549.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-552.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-580.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-581.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-596.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-610.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-629.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-678.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-691.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-694.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-742.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-749.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-758.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-759.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-763.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-769.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-791.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-794.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-803.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-815.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-826.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-845.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-847.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-891.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-900.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-906.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-957.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050622-123416-966.dll -> Spyware.ClearSearch.u -> Cleaned with backup
C:\Program Files\jbh10e0i\bc9lmm1c.DLL -> Spyware.ClearSearch.t -> Cleaned with backup
C:\Program Files\jbh10e0i\csIEinst.DLL -> Spyware.ClearSearch.t -> Cleaned with backup
C:\Program Files\jbh10e0i\tspvcm5k.DLL -> Spyware.ClearSearch.t -> Cleaned with backup
C:\Program Files\jbh10e0i\v2su0bvg.DLL -> Spyware.ClearSearch.t -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2113352187-1365211809-2076119496-37484\Dc560.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2113352187-1365211809-2076119496-37484\Dc561.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2113352187-1365211809-2076119496-37484\Dc566.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2113352187-1365211809-2076119496-37484\Dc570.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2113352187-1365211809-2076119496-37484\Dc572.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2113352187-1365211809-2076119496-37484\Dc573.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2113352187-1365211809-2076119496-37484\Dc578.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2113352187-1365211809-2076119496-37484\Dc588.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2113352187-1365211809-2076119496-37484\Dc600.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2113352187-1365211809-2076119496-37484\Dc612.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2113352187-1365211809-2076119496-37484\Dc616.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2113352187-1365211809-2076119496-37484\Dc619.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2113352187-1365211809-2076119496-37484\Dc633.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2113352187-1365211809-2076119496-37484\Dc639.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2113352187-1365211809-2076119496-37484\Dc648.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2113352187-1365211809-2076119496-37484\Dc666.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2113352187-1365211809-2076119496-37484\Dc674.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2113352187-1365211809-2076119496-37484\Dc682.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\EPXActiveX.ocx -> Spyware.Winsta -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\EPXActiveX.ocx -> Spyware.Winsta -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b -> Cleaned with backup
C:\WINDOWS\system32\djvdobd.exe -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\system32\djvdobdndw30103lib.dll -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\system32\elitejww32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\epx30103.exe -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\system32\epx30104.exe -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\system32\epx30105.exe -> TrojanDownloader.Lastad.p -> Cleaned with backup
C:\WINDOWS\system32\orljaeg05.dll -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\system32\rwspxh.exe -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\system32\rwspxhndw30104lib.dll -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\system32\sysmonnt.exe -> Backdoor.VB.aat -> Cleaned with backup
C:\WINDOWS\system32\thddsdc.exe -> TrojanDownloader.Lastad.i -> Cleaned with backup
C:\WINDOWS\system32\thddsdcndw301lib.dll -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\system32\WinStat11.dll -> Spyware.Winsta -> Cleaned with backup
C:\WINDOWS\system32\WinStat12.dll -> Spyware.Winsta -> Cleaned with backup
C:\WINDOWS\system32\xiuqguh.exe -> TrojanDownloader.Lastad.n -> Cleaned with backup
C:\WINDOWS\system32\xiuqguhndw30102lib.dll -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\system32\yggti.dll -> Spyware.Adstart.c -> Cleaned with backup


::Report End



Contents of look.txt:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"orlj"="C:\\WINDOWS\\System32\\orlj.exe"

Volume in drive C is System
Volume Serial Number is 205B-7A9E

Directory of C:\WINDOWS\system32

04/18/2005 03:11 PM 31,744 hpgnuxbndw30101lib.dll
1 File(s) 31,744 bytes



Log from ActiveScan:

Incident Status Location

Adware:Adware/MyWay No disinfected C:\Program Files\MySearch
Adware:Adware/EliteBar No disinfected Windows Registry
Adware:Adware/Beginto No disinfected C:\WINDOWS\System32\dsktrf.dll
Adware:Adware/PowerSearch No disinfected C:\WINDOWS\System32\stlb2.xml
Spyware:Spyware/SurfSideKick No disinfected Windows Registry
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\ASINGH07\Application Data\Sskcwrd.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\ASINGH07\Application Data\Sskknwrd.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\ASINGH07\Application Data\Sskuknwrd.dll
Spyware:Spyware/ClearSearch No disinfected C:\Program Files\jbh10e0i\g4bdrqpz.DLL
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\lavjpj.exe
Adware:Adware/Beginto No disinfected C:\WINDOWS\system32\dsktrf.dll
Adware:Adware/Neededware No disinfected C:\WINDOWS\system32\hpgnuxbndw30101lib.dll
Adware:Adware/PowerSearch No disinfected C:\WINDOWS\system32\stlb2.xml

Thank you.

#7 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:06:42 AM

Posted 22 June 2005 - 03:44 PM

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis. Place a check next to the following items, if found, and click FIX CHECKED:

O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll (file missing)

O15 - Trusted Zone: http://www.neededware.com

O16 - DPF: JavaConnect - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\JavaConnect.cab

Close HiJackThis.

***

Run Killbox.exe.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting ALL of them and then pressing CTRL + C:

C:\WINDOWS\System32\dsktrf.dll
C:\WINDOWS\System32\stlb2.xml
C:\Documents and Settings\ASINGH07\Application Data\Sskcwrd.dll
C:\Documents and Settings\ASINGH07\Application Data\Sskknwrd.dll
C:\Documents and Settings\ASINGH07\Application Data\Sskuknwrd.dll
C:\Program Files\jbh10e0i\g4bdrqpz.DLL
C:\WINDOWS\Downloaded Program Files\popcaploader.inf
C:\WINDOWS\lavjpj.exe
C:\WINDOWS\system32\hpgnuxbndw30101lib.dll


Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "OK" at the PendingRenameOperations prompt. If your computer does not restart automatically, please restart it manually.

***
After your computer reboots, post a new HiJackThis log.

Edited by g2i2r4, 24 June 2005 - 01:50 PM.



Life is what happens while you're making other plans
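As an added example (not part of this thread and not HijackThis's own code), here is a small Python triage pass over HJT log lines that encodes the checks behind the three items above: a BHO whose DLL is missing, any Trusted Zone entry, and an ActiveX (O16) control installed from a file:// CAB under a Temp folder. It goes one step beyond those picks by also surfacing O23 services with an unknown owner and a missing binary. The sample lines are copied from the logs posted in this thread; note that the legitimate Sametime controls share the Temp\SISD path and are surfaced too, which is why the output is a review list for the analyst, not a fix list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# HijackThis lines copied from the logs posted earlier in this thread
# (two benign entries are included so the rules have something to ignore).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll (file missing)
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: JavaConnect - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\JavaConnect.cab
O16 - DPF: Sametime Directory Applet ST30SP1 - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\STDirectoryApplet.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O23 - Service: LAPC - Unknown owner - c:\windows\system32\lapc.exe (file missing)
"""

# "O2 - BHO: ..." -> section "O2", body "BHO: ..."
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# A CAB sourced from the user's Temp folder (HJT prints the install source after the last " - ")
TEMP_PATH_RE = re.compile(r"\\(?:Local Settings\\)?Temp\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    clsid: Optional[str]
    line: str


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split an HJT entry into (section, body); return None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def triage_line(line: str) -> Optional[Finding]:
    """Apply the review rules to one HJT line; None means nothing to look at."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    section, body = parsed
    missing = body.endswith("(file missing)")
    clsid_match = CLSID_RE.search(body)
    clsid = clsid_match.group(0) if clsid_match else None

    if section == "O2" and missing:
        # The registration survived but the DLL is gone: a leftover from a removed hijacker.
        return Finding(section, "BHO registered but its DLL is missing", clsid, line)
    if section == "O15":
        # Anything in the Trusted Zone runs with IE's most permissive settings.
        return Finding(section, "site placed in the IE Trusted Zone", clsid, line)
    if section == "O16":
        source = body.rsplit(" - ", 1)[-1]
        if source.lower().startswith("file://") and TEMP_PATH_RE.search(source):
            return Finding(section, "ActiveX control installed from a file:// CAB under Temp", clsid, line)
    if section == "O23" and missing and "Unknown owner" in body:
        return Finding(section, "service with unknown owner and missing binary", clsid, line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run the rules over a whole HJT log and return the entries worth a second look."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```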

#8 Amers

Amers
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:42 PM

Posted 24 June 2005 - 09:48 AM

Hi,

I have followed your instructions. I performed the steps while no longer being connected to the network. Here is the new HijackThis log...

Logfile of HijackThis v1.99.1
Scan saved at 10:46:11 AM, on 6/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\oracle\ora92\bin\agntsrvc.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\oracle\ora92\bin\dbsnmp.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Winzip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.marsh.com/MarshPortal/PortalMain
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Client Access Service] "C:\PROGRA~1\IBM\CLIENT~1\cwbsvstr.exe
O4 - HKLM\..\Run: [Client Access Help Update] "C:\PROGRA~1\IBM\CLIENT~1\cwbinhlp.exe
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\PROGRA~1\IBM\CLIENT~1\cwbwlwiz.exe
O4 - HKLM\..\Run: [Client Access Check Version] "C:\PROGRA~1\IBM\CLIENT~1\cwbckver.exe LOGIN
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\Winzip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.marsh.com/MarshPortal/PortalMain
O16 - DPF: Sametime BroadCast Client ST30IF2 - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\STBroadcastClient.cab
O16 - DPF: Sametime Directory Applet ST30SP1 - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\STDirectoryApplet.cab
O16 - DPF: Sametime Meeting Room Client ST30SP1 - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\STMeetingRoomClient.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\STJNILoader.cab
O16 - DPF: {332bd5a0-8000-11d7-b657-00c04faedb18} (Oracle JInitiator 1.1.8.22) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A25BE7A9-3102-46B4-BAAE-462471B60ACB} (STConnectivityAgent Control) - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\InstallSTConnAgent.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://205.247.223.204/main/Install/en/US/...aDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/acti...loadControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.us.mrshmc.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.us.mrshmc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.us.mrshmc.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LAPC - Unknown owner - c:\windows\system32\lapc.exe (file missing)
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\System32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleDesignerClientCache80 - Unknown owner - C:\oracle\Designer\BIN\ONRSD80.EXE
O23 - Service: OracleOra81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE

#9 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:06:42 AM

Posted 24 June 2005 - 01:52 PM

How is your computer running now?


Life is what happens while you're making other plans

#10 Amers

Amers
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:42 PM

Posted 24 June 2005 - 03:38 PM

Hi,

My computer is running fine. :thumbsup:

It's nice not to get any more popups. I appreciate all the help.

Thank you so much for your assistance. :flowers:

#11 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:06:42 AM

Posted 24 June 2005 - 04:20 PM

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Use AntiVirus Software - It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will be reduced dramatically.

Glad I was able to help.


Life is what happens while you're making other plans



