
HJT log - astrovoyager


6 replies to this topic

#1 astrovoyager


Posted 27 July 2005 - 01:49 PM

Problems with lop, Searchweb2, favourites being added that cannot be deleted (e.g. Cool Stuff), and a thick blue menu bar with drop-down menus that cannot be removed.


Logfile of HijackThis v1.99.1
Scan saved at 19:46:30, on 27/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.pvpxhaifyecgvrsoiqckxbhpx.com/6...A13H2V/JUc.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omwgmrfmfmdpyblxellcwvjh.uk/6a57HBw...SxpkSRwJh8.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {F8D87E19-C5A8-4F94-0309-DFBDE5365372} - C:\DOCUME~1\user\APPLIC~1\BROWSE~1\LOGO ROAD.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [Peak dog online inside] C:\Documents and Settings\All Users\Application Data\Software Mpeg Peak Dog\extra dead.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKLM\..\Run: [COAL OPTION FRAG FIVE] C:\Documents and Settings\All Users\Application Data\internet idol coal option\plan tool.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [THEINTERNET] C:\DOCUME~1\user\APPLIC~1\PEAKMA~1\EqGrey.exe
O4 - Startup: Internet Explorer.lnk = C:\Program Files\Internet Explorer\iexplore.exe
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/11ddd82187daa5ed5c06/...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200401...meInstaller.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thank you,
Astrovoyager


#2 miekiemoes


Posted 28 July 2005 - 01:13 AM

Hello,

We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes.

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck: Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck: Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

* Please set your system to show all files; please see here if you're unsure how to do this.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.pvpxhaifyecgvrsoiqckxbhpx.com/6...A13H2V/JUc.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omwgmrfmfmdpyblxellcwvjh.uk/6a57HBw...SxpkSRwJh8.html
O2 - BHO: (no name) - {F8D87E19-C5A8-4F94-0309-DFBDE5365372} - C:\DOCUME~1\user\APPLIC~1\BROWSE~1\LOGO ROAD.exe
O4 - HKLM\..\Run: [Peak dog online inside] C:\Documents and Settings\All Users\Application Data\Software Mpeg Peak Dog\extra dead.exe
O4 - HKLM\..\Run: [COAL OPTION FRAG FIVE] C:\Documents and Settings\All Users\Application Data\internet idol coal option\plan tool.exe
O4 - HKCU\..\Run: [THEINTERNET] C:\DOCUME~1\user\APPLIC~1\PEAKMA~1\EqGrey.exe
O4 - Startup: Internet Explorer.lnk = C:\Program Files\Internet Explorer\iexplore.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/11ddd82187daa5ed5c06/...ip/RdxIE601.cab


* Click on Fix Checked when finished and exit HijackThis.

* Reboot into Safe Mode (without networking support!)
To get into Safe Mode as the computer is booting, press and hold your "F8" key. Use your arrow keys to move to "Safe Mode" and press your Enter key.


* Using Windows Explorer, locate the following folders, and delete them if still present:

C:\Documents and Settings\user\Application Data\BROWSE.. <== this folder, starts with these letters.
C:\Documents and Settings\All Users\Application Data\Software Mpeg Peak Dog
C:\Documents and Settings\All Users\Application Data\internet idol coal option
C:\Documents and Settings\user\Application Data\PEAKMA.. <== this folder, starts with these letters.

* Reboot your system back to normal mode.

* Open Notepad and copy and paste the following into it:

dir %Windir%\tasks /a h > files.txt
notepad files.txt


Save this as findjobs.bat, choose to save it as "All Files", and place it on your desktop.
This is how the batch must look after you created it: [image]
Double-click on findjobs.bat and post the content of the txt file you get in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes


Posted 18 August 2005 - 07:46 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

#4 miekiemoes


Posted 22 August 2005 - 01:05 PM

Reopened.

Please perform my above steps and post the logs I asked afterwards. :thumbsup:

#5 miekiemoes


Posted 23 August 2005 - 05:18 PM

Hi, you asked me two days ago to reopen your thread. I still don't see the logs I want to see though.

I'll leave this thread open for another two days and then I'm closing it again.
You have to understand, when we post instructions it's to help you to get rid of your problem. When there is no response anymore, we assume that the problem is fixed, that's why we are closing it after a while.

If you can't reply or know you have to go away, it's also good you post this before, so we know you are still working on it and our fix wasn't placed here for nothing. Thank you. :thumbsup:

#6 astrovoyager


Posted 25 August 2005 - 03:02 AM

Hi, please see Findjobs posted below, and following that, my latest HijackThis log:

Volume in drive C has no label.
Volume Serial Number is E4A5-5621

Directory of C:\WINDOWS\tasks

24/08/2005 11:56 <DIR> .
24/08/2005 11:56 <DIR> ..
24/08/2005 22:00 264 A0210CFB91DA83B3.job
24/08/2005 22:00 264 A0AA9DB3911D0E47.job
24/08/2005 22:00 264 A2CEBDE791A93A97.job
24/08/2005 22:00 264 A3FD1DAF9092912B.job
24/08/2005 22:00 264 A4A4F94E91BB73AA.job
24/08/2005 22:00 264 A5A31860918493F0.job
24/08/2005 22:00 264 A5D498A4914F0E0C.job
24/08/2005 22:00 264 A78AC93491854620.job
24/08/2005 22:00 264 A7F45E99910FD63D.job
24/08/2005 22:00 264 A82F4E9791B0C7A7.job
24/08/2005 22:00 264 A8357091918EE791.job
24/08/2005 22:00 268 A8DDD51091FA5200.job
24/08/2005 22:00 264 A8E69A7A918D10B6.job
24/08/2005 22:00 264 A905C20591D67E35.job
24/08/2005 22:00 264 A9513EFD91AAB6A1.job
24/08/2005 22:00 260 AA0B40C09184F588.job
24/08/2005 22:00 264 AA134C899180C16D.job
24/08/2005 22:00 264 AA29D488911A4A84.job
24/08/2005 22:00 264 AA772CCB91BCA633.job
24/08/2005 22:00 268 AA8B3B489180AFB4.job
24/08/2005 22:00 268 AA937C599180F0BD.job
24/08/2005 22:00 232 AA9B9DCD91841225.job
24/08/2005 22:00 268 AAA262B291861706.job
24/08/2005 22:00 268 AAA9C63591867A9D.job
24/08/2005 22:00 264 AAAE8E58918102B8.job
24/08/2005 22:00 264 AAD49EAF91F7178F.job
24/08/2005 22:00 268 AAFEB63C91B92A84.job
24/08/2005 22:00 264 AB3BAD709180234C.job
24/08/2005 22:00 268 AB5AF3CB91116A5F.job
24/08/2005 22:00 264 ABBD2B2B918AA0A3.job
24/08/2005 22:00 260 ABCD7018918EE50C.job
24/08/2005 22:00 264 ABCFAB2091802020.job
24/08/2005 22:00 264 ABDD0A649186BF90.job
24/08/2005 22:00 264 ABFA5FB991A9D629.job
24/08/2005 22:00 264 AC29A0D1918653B9.job
24/08/2005 22:00 264 AC2A09CC9181BCA8.job
24/08/2005 22:00 264 AC325AAA9181CDAE.job
24/08/2005 22:00 268 AC4675ED9181E895.job
24/08/2005 22:00 232 AC91B9E391862C43.job
24/08/2005 22:00 268 ACA8725A91BFECA6.job
24/08/2005 22:00 264 ACC0E90591DB9B61.job
24/08/2005 22:00 264 ACE28F4C9185019C.job
24/08/2005 22:00 264 ACF04E94918BC0D4.job
24/08/2005 22:00 264 AD0605D29181B99A.job
24/08/2005 22:00 268 AD22F20C91816610.job
24/08/2005 22:00 268 AD520C249181BFD8.job
24/08/2005 22:00 260 AD52AA5191815DF5.job
24/08/2005 22:00 264 AD65B5BD91862941.job
24/08/2005 22:00 264 AD6F5C4F9188D017.job
24/08/2005 22:00 264 AD856C6A91FAE53E.job
24/08/2005 22:00 268 AD9DC0139186734F.job
24/08/2005 22:00 268 ADCC442691C7F762.job
24/08/2005 22:00 268 ADDA2FCA9181A2E6.job
24/08/2005 22:00 264 AE1303CB91D8B96B.job
24/08/2005 22:00 264 AEA64A0491A1FA8C.job
24/08/2005 22:00 264 AEAE6C2C918A1C88.job
24/08/2005 22:00 268 AEEA3BB99191ABF5.job
24/08/2005 22:00 264 AEF636C19181A719.job
24/08/2005 22:00 264 AFBB949E91840616.job
24/08/2005 22:00 268 B12E20AA91CDD63E.job
24/08/2005 22:00 268 B1331AF291DC8BDE.job
24/08/2005 22:00 264 B16DA114911E57F4.job
24/08/2005 22:00 264 B2F8CED8915B443C.job
24/08/2005 22:00 264 B4775B4890F0C598.job
24/08/2005 22:00 264 B61118EA91D681AA.job
24/08/2005 22:00 268 BF74DD86901F7DCE.job
29/08/2002 13:00 65 desktop.ini
19/06/2004 19:34 258 Disk Cleanup.job
25/08/2005 08:40 6 SA.DAT
24/08/2005 21:41 362 Symantec NetDetect.job
70 File(s) 18,111 bytes

Directory of C:\Documents and Settings\user\Desktop



Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 09:38:22, on 24/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vasqcydnzl.net/6a57HBwsjjp3/o99...A13H2V/JUc.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKLM\..\Run: [COAL OPTION FRAG FIVE] C:\Documents and Settings\All Users\Application Data\internet idol coal option\Store Style.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [THEINTERNET] C:\DOCUME~1\user\APPLIC~1\PEAKMA~1\EqGrey.exe
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200401...meInstaller.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#7 miekiemoes


Posted 25 August 2005 - 06:18 AM

Ok, let's deal with it now...
First of all, I strongly suggest you uninstall Starware because it brings spyware with it.

Reboot after uninstalling Starware!


* Download Killbox.
Unzip it and Click killbox.exe.
Select the option "Delete on reboot".

Now copy the following bold text (copy this entire list at once):

C:\WINDOWS\tasks\A0210CFB91DA83B3.job
C:\WINDOWS\tasks\A0AA9DB3911D0E47.job
C:\WINDOWS\tasks\A2CEBDE791A93A97.job
C:\WINDOWS\tasks\A3FD1DAF9092912B.job
C:\WINDOWS\tasks\A4A4F94E91BB73AA.job
C:\WINDOWS\tasks\A5A31860918493F0.job
C:\WINDOWS\tasks\A5D498A4914F0E0C.job
C:\WINDOWS\tasks\A78AC93491854620.job
C:\WINDOWS\tasks\A7F45E99910FD63D.job
C:\WINDOWS\tasks\A82F4E9791B0C7A7.job
C:\WINDOWS\tasks\A8357091918EE791.job
C:\WINDOWS\tasks\A8DDD51091FA5200.job
C:\WINDOWS\tasks\A8E69A7A918D10B6.job
C:\WINDOWS\tasks\A905C20591D67E35.job
C:\WINDOWS\tasks\A9513EFD91AAB6A1.job
C:\WINDOWS\tasks\AA0B40C09184F588.job
C:\WINDOWS\tasks\AA134C899180C16D.job
C:\WINDOWS\tasks\AA29D488911A4A84.job
C:\WINDOWS\tasks\AA772CCB91BCA633.job
C:\WINDOWS\tasks\AA8B3B489180AFB4.job
C:\WINDOWS\tasks\AA937C599180F0BD.job
C:\WINDOWS\tasks\AA9B9DCD91841225.job
C:\WINDOWS\tasks\AAA262B291861706.job
C:\WINDOWS\tasks\AAA9C63591867A9D.job
C:\WINDOWS\tasks\AAAE8E58918102B8.job
C:\WINDOWS\tasks\AAD49EAF91F7178F.job
C:\WINDOWS\tasks\AAFEB63C91B92A84.job
C:\WINDOWS\tasks\AB3BAD709180234C.job
C:\WINDOWS\tasks\AB5AF3CB91116A5F.job
C:\WINDOWS\tasks\ABBD2B2B918AA0A3.job
C:\WINDOWS\tasks\ABCD7018918EE50C.job
C:\WINDOWS\tasks\ABCFAB2091802020.job
C:\WINDOWS\tasks\ABDD0A649186BF90.job
C:\WINDOWS\tasks\ABFA5FB991A9D629.job
C:\WINDOWS\tasks\AC29A0D1918653B9.job
C:\WINDOWS\tasks\AC2A09CC9181BCA8.job
C:\WINDOWS\tasks\AC325AAA9181CDAE.job
C:\WINDOWS\tasks\AC4675ED9181E895.job
C:\WINDOWS\tasks\AC91B9E391862C43.job
C:\WINDOWS\tasks\ACA8725A91BFECA6.job
C:\WINDOWS\tasks\ACC0E90591DB9B61.job
C:\WINDOWS\tasks\ACE28F4C9185019C.job
C:\WINDOWS\tasks\ACF04E94918BC0D4.job
C:\WINDOWS\tasks\AD0605D29181B99A.job
C:\WINDOWS\tasks\AD22F20C91816610.job
C:\WINDOWS\tasks\AD520C249181BFD8.job
C:\WINDOWS\tasks\AD52AA5191815DF5.job
C:\WINDOWS\tasks\AD65B5BD91862941.job
C:\WINDOWS\tasks\AD6F5C4F9188D017.job
C:\WINDOWS\tasks\AD856C6A91FAE53E.job
C:\WINDOWS\tasks\AD9DC0139186734F.job
C:\WINDOWS\tasks\ADCC442691C7F762.job
C:\WINDOWS\tasks\ADDA2FCA9181A2E6.job
C:\WINDOWS\tasks\AE1303CB91D8B96B.job
C:\WINDOWS\tasks\AEA64A0491A1FA8C.job
C:\WINDOWS\tasks\AEAE6C2C918A1C88.job
C:\WINDOWS\tasks\AEEA3BB99191ABF5.job
C:\WINDOWS\tasks\AEF636C19181A719.job
C:\WINDOWS\tasks\AFBB949E91840616.job
C:\WINDOWS\tasks\B12E20AA91CDD63E.job
C:\WINDOWS\tasks\B1331AF291DC8BDE.job
C:\WINDOWS\tasks\B16DA114911E57F4.job
C:\WINDOWS\tasks\B2F8CED8915B443C.job
C:\WINDOWS\tasks\B4775B4890F0C598.job
C:\WINDOWS\tasks\B61118EA91D681AA.job
C:\Documents and Settings\All Users\Application Data\internet idol coal option\Store Style.exe
C:\DOCUME~1\user\APPLIC~1\PEAKMA~1\EqGrey.exe
C:\WINDOWS\tasks\BF74DD86901F7DCE.job


Open 'File' in the Killbox menu at the top and choose Paste from clipboard.

Now you will see that this is pasted into the "Full Path of File to Delete" field.
There's a little arrow (drop-down arrow) next to that field.
If you expand it, these lines must all be there together, provided the files are present!

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on the next reboot. Click YES.
When it asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.
Click No at the Pending Operations prompt.

Your computer must reboot now.

After reboot:

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R3 - Default URLSearchHook is missing
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll
O4 - HKLM\..\Run: [COAL OPTION FRAG FIVE] C:\Documents and Settings\All Users\Application Data\internet idol coal option\Store Style.exe
O4 - HKCU\..\Run: [THEINTERNET] C:\DOCUME~1\user\APPLIC~1\PEAKMA~1\EqGrey.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab


* Click on Fix Checked when finished and exit HijackThis.

* Using Windows Explorer, locate the following folders, and delete them if still present:

C:\Documents and Settings\All Users\Application Data\internet idol coal option
C:\Documents and Settings\user\Application Data\PEAKMA... <== this folder, starts with these letters
C:\Program Files\Starware

Reboot again!!

Then, double-click Findjobs.bat again and post the log you get together with a new HijackThis log in your next reply. :thumbsup:
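As an added example for this thread (not code from the posts above, from HijackThis or from Killbox): a small Python triage script that applies the patterns miekiemoes flagged in posts #2 and #7 to constructed sample lines: browser Search Bar / Start Page entries pointing at random-looking hosts, a missing URLSearchHook, O2/O4 autostart components living under Application Data, an O16 ActiveX download served from a bare IP address, and the 16-hex-digit .job files in the findjobs listing. The thresholds and regular expressions are my own assumptions, and a hit means "worth a look", not a verdict.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input in the shape of the HijackThis 1.99.1 log and the
# findjobs.bat ("dir %Windir%\tasks /a") output posted in this thread.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.pvpxhaifyecgvrsoiqckxbhpx.com/6/JUc.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {F8D87E19-C5A8-4F94-0309-DFBDE5365372} - C:\DOCUME~1\user\APPLIC~1\BROWSE~1\LOGO ROAD.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Peak dog online inside] C:\Documents and Settings\All Users\Application Data\Software Mpeg Peak Dog\extra dead.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/11ddd82187daa5ed5c06/RdxIE601.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
""".strip()

SAMPLE_TASKS = r"""
 Directory of C:\WINDOWS\tasks

24/08/2005 11:56 <DIR> .
24/08/2005 22:00 264 A0210CFB91DA83B3.job
24/08/2005 22:00 268 A8DDD51091FA5200.job
29/08/2002 13:00 65 desktop.ini
19/06/2004 19:34 258 Disk Cleanup.job
24/08/2005 21:41 362 Symantec NetDetect.job
 70 File(s) 18,111 bytes
""".strip()

VOWELS = set("aeiou")
MIN_LABEL_LEN = 10        # assumption: shorter labels are too often legitimate
MAX_VOWEL_RATIO = 0.25    # assumption: tuned on the hijacker hosts in this thread
USER_DATA_DIR = re.compile(r"\\(application data|applic~1)\\", re.IGNORECASE)
HEX_JOB = re.compile(r"^[0-9A-F]{16}\.job$", re.IGNORECASE)
BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def random_looking_host(url):
    """True if any hostname label is long and nearly vowel-free."""
    host = urlsplit(url).hostname or ""
    for label in host.split("."):
        if len(label) >= MIN_LABEL_LEN:
            ratio = sum(c in VOWELS for c in label) / len(label)
            if ratio <= MAX_VOWEL_RATIO:
                return True
    return False


def triage_hjt_line(line):
    """Return a short reason if the HijackThis line deserves a look, else None."""
    kind, sep, body = line.partition(" - ")
    if not sep:
        return None
    if kind in ("R0", "R1") and " = " in body:
        url = body.split(" = ", 1)[1].strip()
        if url.lower().startswith("http") and random_looking_host(url):
            return "browser setting points at a random-looking host"
    elif kind == "R3" and "missing" in body:
        return "URLSearchHook removed, typical of search hijackers"
    elif kind in ("O2", "O3", "O4") and USER_DATA_DIR.search(body):
        return "autostart component living under Application Data"
    elif kind == "O16":
        url = body.rsplit(" - ", 1)[-1].strip()
        if BARE_IPV4.match(urlsplit(url).hostname or ""):
            return "ActiveX download control served from a bare IP address"
    return None


def triage_hjt_log(text):
    """List of (line, reason) for every flagged log line, in log order."""
    hits = []
    for line in text.splitlines():
        reason = triage_hjt_line(line.strip())
        if reason:
            hits.append((line.strip(), reason))
    return hits


def machine_named_jobs(dir_listing):
    """Names of .job entries in a 'dir' listing whose file name is 16 hex digits."""
    hits = []
    for line in dir_listing.splitlines():
        parts = line.split(None, 3)   # date, time, size or <DIR>, name
        if len(parts) == 4 and HEX_JOB.match(parts[3]):
            hits.append(parts[3])
    return hits


if __name__ == "__main__":
    for line, reason in triage_hjt_log(SAMPLE_HJT):
        print(reason + ":", line)
    print("machine-named .job files:", machine_named_jobs(SAMPLE_TASKS))
```

Feed it a real log and listing and the flagged lines are the ones to look up before deciding what to fix or delete.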



