Hijack This Log

9 replies to this topic

#1 LeBoW120

Posted 02 August 2005 - 09:24 PM

Hi there,

I've recently posted regarding my problems with my computer.
Thank you for your response and below is my Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 03:18:33, on 03/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
e:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
E:\WINDOWS\wanmpsvc.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\mcafee.com\agent\mcagent.exe
E:\WINDOWS\System32\gsicon.exe
E:\WINDOWS\System32\dslagent.exe
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
e:\progra~1\mcafee.com\vso\mcvsescn.exe
E:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
E:\Program Files\ISTsvc\istsvc.exe
E:\WINDOWS\ywmcjyh.exe
e:\progra~1\mcafee.com\vso\mcvsftsn.exe
E:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\SpywareGuard\sgmain.exe
E:\Program Files\SpywareGuard\sgbhp.exe
e:\PROGRA~1\mcafee.com\vso\mcshield.exe
E:\Program Files\AOL 8.0a\waol.exe
E:\Program Files\AOL 8.0a\shellmon.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Documents and Settings\Adam\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\system32\jamti.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://E:\WINDOWS\system32\jamti.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\system32\jamti.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\system32\jamti.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.windowsdownloads.com/success.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - e:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MCUpdateExe] E:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] e:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RealTray] E:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [VSOCheckTask] "e:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "e:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [1EC.tmp] E:\DOCUME~1\Adam\LOCALS~1\Temp\1EC.tmp.exe 0 28129
O4 - HKLM\..\Run: [AOL Spyware Protection] "E:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [SysTime] E:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IST Service] E:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [PTDGxK] E:\WINDOWS\ywmcjyh.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = E:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = E:\Program Files\AOL 8.0a\aoltray.exe
O4 - Global Startup: LimeWire 4.2.6.lnk = E:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://E:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://E:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: e:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\flsmngr.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://198.88.20.155/targ.chm::/win32.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:one.MHT!http://www.t058.com//inst//x.chm::/open.exe
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102/336//main.chm::/update.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5402B4C8-E9C7-40EF-8865-2B251B0BCAB6}: NameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4F32DF2-F4AB-4EF9-BAEC-B6F8ABC47536}: NameServer = 152.163.0.26 205.188.64.153
O17 - HKLM\System\CS1\Services\Tcpip\..\{5402B4C8-E9C7-40EF-8865-2B251B0BCAB6}: NameServer = 205.188.146.145
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - E:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - e:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - E:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - e:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - E:\WINDOWS\wanmpsvc.exe

I appreciate your assistance

Thank you.


#2 Grinler (Lawrence Abrams)

Posted 03 August 2005 - 12:32 PM

Please follow the instructions provided; you may want to print out these instructions and use them as a reference.

First:
Please download ewido security suite; it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido; there should be an icon on your desktop, double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
http://www.ewido.net/en/download/updates/

Once the updates are installed close the Ewido program.

Reboot your computer into Safe Mode

Once in safe mode, start Ewido and do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report.txt file to your desktop.
Now close ewido security suite.

Reboot back to normal mode, open report.txt and post it as a reply to this post along with a new hijackthis log.

#3 LeBoW120 (Topic Starter)

Posted 03 August 2005 - 11:04 PM

Hi there.

Here's the Hijack This and Ewido scan report you asked for.


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 04:53:58, 04/08/2005
+ Report-Checksum: E79850F0

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10} -> Spyware.MySearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{04D2569C-ED83-79FB-0E43-F43DFA258774} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1486290A-90C1-388F-ADC8-6BFAA6B057E8} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{197A8D26-DFA5-F761-1F4B-4A8703447597} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3DEC1087-78B1-61BE-CDC9-914B5A17E085} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{4095AAF5-BAD2-A97D-D64C-566A52E35C2E} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{4AD64CAF-CC40-779E-C47E-E23705C41C75} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{4F8E9FA5-37E2-683E-E18D-19AC6697532D} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{4FC7118F-CEC2-4822-4FA2-BD496C690A0C} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7DA446BF-5485-78F9-CC9A-2A02C93519E4} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8007F30A-ADD5-7E61-D29C-8F166BC8A3DD} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9913F006-5621-D9B4-E3CB-064477E8D278} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EA8D7DFA-04BF-99E7-595C-535DC7F0EFBA} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EF24BEB1-9592-9F8F-4B29-99399FD2C231} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F7DFCD4F-46CD-BDA8-264C-0A68205F4979} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\ISTsvc -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\ISTsvc\history -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11010101-1001-1111-1000-110112345678} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTsvc -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Need2Find -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Need2Find\bar\Partner -> Spyware.Need2Find : Cleaned with backup
HKU\S-1-5-21-1229272821-220523388-725345543-1003\Software\IST -> Spyware.ISTBar : Cleaned with backup
[444] E:\WINDOWS\System32\flsmngr.dll -> Spyware.Searcher : Cleaned with backup
E:\data -> TrojanDownloader.IstBar.kc : Cleaned with backup
E:\Documents and Settings\All Users\Application Data\SecTaskMan\etat.exe.q_887601_q -> Spyware.PurityScan : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@adopt.euroclick[1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@adtrak[1].txt -> Spyware.Cookie.Adtrak : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@service.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
E:\Program Files\BT Voyager 100 ADSL Modem\DslDrv\UserDiag.exe -> Heuristic.Win32.Dialer : Cleaned with backup
E:\Program Files\iMesh\Client\DatingCity\DCInstaller.exe -> Spyware.DatingCity : Cleaned with backup
E:\Program Files\ISTsvc\istsvc.exe -> TrojanDownloader.IstBar : Cleaned with backup
E:\WINDOWS\bootstat.dat:mwegy -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\bootstat.dat:oyspf -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\bzxuf.log:twqukm -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\Coffee Bean.bmp:kxuwt -> TrojanDownloader.Agent.bc : Cleaned with backup
E:\WINDOWS\DtcInstall.log:ixzle -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\explorer.scf:vqxpp -> TrojanDownloader.Agent.bc : Cleaned with backup
E:\WINDOWS\FeatherTexture.bmp:cptdb -> TrojanDownloader.Agent.bc : Cleaned with backup
E:\WINDOWS\hh.exe:fjeny -> TrojanDownloader.Agent.bc : Cleaned with backup
E:\WINDOWS\nsw.log:ewpoq -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\n_cvdabv.txt:rycqj -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\n_cvdabv.txt:trwxdo -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\n_dlgwld.dat:lshcxr -> Trojan.Agent.bi : Cleaned with backup
E:\WINDOWS\n_ghhneg.txt:zixuxn -> Trojan.Agent.bi : Cleaned with backup
E:\WINDOWS\ODBCINST(10)(2).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(10).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(11).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(12).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(13).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(14).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(15).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(16).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(17).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(18).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(2).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(20).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(21)(2).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(21)(3).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(21)(4).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(21)(5).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(21).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(22).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(23).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(24)(2).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(24)(3).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(24)(4).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(24)(5).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(24).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(25).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(26).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(27)(2).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(27)(3).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(27)(4).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(27)(5).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(27).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(28).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(29).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(3).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(30)(2).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(30)(3).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(30)(4).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(30)(5).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(30).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(31).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(32).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(33).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(34).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(35).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(36).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(37).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(38).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(4).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(5).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(6).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(7).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(8).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(9)(2).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\ODBCINST(9).INI:rfuof -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\SchedLgU.Txt:azmri -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\sessmgr.setup.log:lucsl -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\Sti_Trace.log:whpia -> TrojanDownloader.Agent.bc : Cleaned with backup
E:\WINDOWS\system.ini:wyikd -> TrojanDownloader.Agent.jb : Cleaned with backup
E:\WINDOWS\system32\flsmngr.dll -> Spyware.Searcher : Cleaned with backup
E:\WINDOWS\system32\iasada.dll -> Spyware.AzSearch : Cleaned with backup
E:\WINDOWS\system32\P2P Networking\MARSHAL.DLL -> Spyware.P2PNetworking : Cleaned with backup
E:\WINDOWS\wmsetup.log:lgmxe -> TrojanDownloader.Agent.bc : Cleaned with backup
E:\WINDOWS\WORDPAD.INI:hwwxaz -> Trojan.Feat.2 : Cleaned with backup
E:\WINDOWS\ywmcjyh.exe -> TrojanDownloader.IstBar.ij : Cleaned with backup
E:\WINDOWS\_default.pif:laskh -> TrojanDownloader.Agent.jb : Cleaned with backup


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 04:58:42, on 04/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
e:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\wanmpsvc.exe
e:\PROGRA~1\mcafee.com\vso\mcshield.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\mcafee.com\agent\mcagent.exe
E:\WINDOWS\System32\gsicon.exe
E:\WINDOWS\System32\dslagent.exe
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\Program Files\Real\RealPlayer\RealPlay.exe
E:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
E:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
e:\progra~1\mcafee.com\vso\mcvsescn.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\SpywareGuard\sgmain.exe
e:\progra~1\mcafee.com\vso\mcvsftsn.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\SpywareGuard\sgbhp.exe
E:\Program Files\AOL 8.0a\waol.exe
E:\Program Files\AOL 8.0a\shellmon.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\system32\jamti.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://E:\WINDOWS\system32\jamti.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\system32\jamti.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\system32\jamti.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.windowsdownloads.com/success.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - e:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MCUpdateExe] E:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] e:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RealTray] E:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [VSOCheckTask] "e:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "e:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [1EC.tmp] E:\DOCUME~1\Adam\LOCALS~1\Temp\1EC.tmp.exe 0 28129
O4 - HKLM\..\Run: [AOL Spyware Protection] "E:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [SysTime] E:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IST Service] E:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [PTDGxK] E:\WINDOWS\ywmcjyh.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = E:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = E:\Program Files\AOL 8.0a\aoltray.exe
O4 - Global Startup: LimeWire 4.2.6.lnk = E:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://E:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://E:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://198.88.20.155/targ.chm::/win32.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:one.MHT!http://www.t058.com//inst//x.chm::/open.exe
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102/336//main.chm::/update.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5402B4C8-E9C7-40EF-8865-2B251B0BCAB6}: NameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4F32DF2-F4AB-4EF9-BAEC-B6F8ABC47536}: NameServer = 152.163.0.26 205.188.64.153
O17 - HKLM\System\CS1\Services\Tcpip\..\{5402B4C8-E9C7-40EF-8865-2B251B0BCAB6}: NameServer = 205.188.146.145
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - E:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - e:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - E:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - e:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - E:\WINDOWS\wanmpsvc.exe



Thanks for your assistance.

#4 Grinler (Lawrence Abrams)

Posted 04 August 2005 - 09:25 AM

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and put a checkmark next to each of these. Then click the Fix button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\system32\jamti.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://E:\WINDOWS\system32\jamti.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\system32\jamti.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\system32\jamti.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.windowsdownloads.com/success.htm
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [1EC.tmp] E:\DOCUME~1\Adam\LOCALS~1\Temp\1EC.tmp.exe 0 28129
O4 - HKLM\..\Run: [SysTime] E:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [IST Service] E:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [PTDGxK] E:\WINDOWS\ywmcjyh.exe
O4 - Global Startup: LimeWire 4.2.6.lnk = E:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://198.88.20.155/targ.chm::/win32.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:one.MHT!http://www.t058.com//inst//x.chm::/open.exe
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102/336//main.chm::/update.exe

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

E:\DOCUME~1\Adam\LOCALS~1\Temp\1EC.tmp.exe
E:\WINDOWS\System32\systime.exe
E:\Program Files\ISTsvc\
E:\WINDOWS\ywmcjyh.exe
c:\ied_s7.cab
c:\x.cab
c:\eied_s7.cab
c:\ex.cab

Reboot your computer to go back to normal mode and post a new log.
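A small triage script that applies the reasoning in the reply above to raw HijackThis log lines and turns the flagged O4/O16 entries into the same kind of Safe Mode delete list. This is an added example, not code from the thread or from HijackThis; the RULES table is an assumption distilled from this one reply (res:// search pages, Temp-folder and Windows-root Run entries, the two program names the reply singles out, Trusted Zone additions, ms-its:/file:// DPF sources), not a general signature set, and SAMPLE_LOG is constructed from lines quoted in the thread plus two benign entries.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not part of
the thread or of HijackThis). RULES encodes the reasoning visible in the
reply above; it is an assumption distilled from that reply, not a general
signature set. SAMPLE_LOG is constructed from lines quoted in the thread."""
import re
from dataclasses import dataclass

# (HijackThis section, pattern applied to the rest of the line, why it is suspect)
RULES = [
    ("R1", re.compile(r"res://.*\.dll/", re.I),
     "IE search page points into a local DLL resource (search hijack)"),
    ("R3", re.compile(r"URLSearchHook is missing", re.I),
     "default URLSearchHook removed"),
    ("O4", re.compile(r"\\Temp\\|LOCALS~1", re.I),
     "autorun launched from a Temp folder"),
    ("O4", re.compile(r"\\(istsvc|systime)\.exe\b", re.I),
     "program the reply singles out for removal"),
    ("O4", re.compile(r"\\WINDOWS\\[^\\]+\.exe", re.I),
     "executable dropped directly in the Windows root; verify it"),
    ("O15", re.compile(r"Trusted (Zone|IP range)", re.I),
     "site or IP range added to the IE Trusted Zone"),
    ("O16", re.compile(r"ms-its:|file://", re.I),
     "DPF object loaded via ms-its:/file:// instead of a vendor web host"),
]

# 'O16 - DPF: ...' -> section 'O16', body 'DPF: ...'
HJT_LINE = re.compile(r"^(O\d+|R\d|F\d|N\d)\s+-\s+(.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    line: str
    reason: str


def parse_entry(line):
    """Split a HijackThis entry into (section, body); None for non-entry lines."""
    m = HJT_LINE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(log_text):
    """Return one Finding per log line that matches a rule (first rule wins)."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_entry(raw)
        if entry is None:
            continue  # header, blank line or 'Running processes' path
        section, body = entry
        for rule_section, pattern, reason in RULES:
            if section == rule_section and pattern.search(body):
                findings.append(Finding(section, raw.strip(), reason))
                break
    return findings


def cleanup_targets(findings):
    """Collect the on-disk files behind flagged O4 and O16 entries, deduplicated,
    the way the reply turns fixed entries into a Safe Mode delete list."""
    targets = []
    for f in findings:
        if f.section == "O4":
            m = re.search(r"\]\s+(.+?\.exe)", f.line, re.I)
        elif f.section == "O16":
            # only local .cab sources; ms-its: chains carry no deletable .cab
            m = re.search(r"file://([a-z]:\\[^\s!]+\.cab)", f.line, re.I)
        else:
            m = None
        if m and m.group(1).lower() not in (t.lower() for t in targets):
            targets.append(m.group(1))
    return targets


# Constructed sample: entries quoted in this thread plus two benign ones.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\system32\jamti.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [1EC.tmp] E:\DOCUME~1\Adam\LOCALS~1\Temp\1EC.tmp.exe 0 28129
O4 - HKLM\..\Run: [SysTime] E:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [IST Service] E:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [PTDGxK] E:\WINDOWS\ywmcjyh.exe
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102/336//main.chm::/update.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:4} {f.reason}\n     {f.line}")
    print("delete in Safe Mode:", *cleanup_targets(found), sep="\n  ")
```

The benign ATI and Trend Micro entries pass untouched, and the two identical file://c:\x.cab DPF entries collapse into a single delete target.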

#5 LeBoW120, Topic Starter

Posted 10 August 2005 - 02:52 AM

Hello.

I've followed your instructions and here is my new log:


Logfile of HijackThis v1.99.1
Scan saved at 08:49:05, on 10/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
e:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\wanmpsvc.exe
E:\PROGRA~1\mcafee.com\agent\mcagent.exe
E:\WINDOWS\System32\gsicon.exe
E:\WINDOWS\System32\dslagent.exe
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
e:\progra~1\mcafee.com\vso\mcvsescn.exe
E:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
e:\progra~1\mcafee.com\vso\mcvsftsn.exe
E:\Program Files\SpywareGuard\sgmain.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\SpywareGuard\sgbhp.exe
e:\PROGRA~1\mcafee.com\vso\mcshield.exe
E:\Program Files\AOL 8.0a\waol.exe
E:\Program Files\AOL 8.0a\shellmon.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Hijack This\HijackThis.exe
E:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - e:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MCUpdateExe] E:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] e:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RealTray] E:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [VSOCheckTask] "e:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "e:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "E:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = E:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = E:\Program Files\AOL 8.0a\aoltray.exe
O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://E:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://E:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5402B4C8-E9C7-40EF-8865-2B251B0BCAB6}: NameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4F32DF2-F4AB-4EF9-BAEC-B6F8ABC47536}: NameServer = 152.163.0.26 205.188.64.153
O17 - HKLM\System\CS1\Services\Tcpip\..\{5402B4C8-E9C7-40EF-8865-2B251B0BCAB6}: NameServer = 205.188.146.145
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - E:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - e:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - E:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - e:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - E:\WINDOWS\wanmpsvc.exe


Cheers.

#6 Grinler (Lawrence Abrams), Admin

Posted 10 August 2005 - 04:46 PM

Fix these:

O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

Reboot and post a new log

#7 LeBoW120, Topic Starter

Posted 15 August 2005 - 05:24 AM

I've followed your instructions and here's my new log:

Logfile of HijackThis v1.99.1
Scan saved at 11:20:36, on 15/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
e:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\wanmpsvc.exe
E:\WINDOWS\system32\svchost.exe
e:\PROGRA~1\mcafee.com\vso\mcshield.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\System32\gsicon.exe
E:\WINDOWS\System32\dslagent.exe
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
E:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
e:\program files\mcafee.com\agent\mcagent.exe
E:\Program Files\SpywareGuard\sgmain.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\SpywareGuard\sgbhp.exe
e:\progra~1\mcafee.com\vso\mcvsftsn.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Hijack This\HijackThis.exe
E:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - e:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RealTray] E:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOL Spyware Protection] "E:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [VSOCheckTask] "e:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "e:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] e:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] E:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = E:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = E:\Program Files\AOL 8.0a\aoltray.exe
O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://E:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://E:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - E:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - e:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - E:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - e:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - E:\WINDOWS\wanmpsvc.exe

Cheers for the help.

#8 Grinler (Lawrence Abrams), Admin

Posted 15 August 2005 - 05:23 PM

Download the attached zip file and unzip it to your desktop.

http://www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'

When done, reboot and Download http://www.bleepingcomputer.com/files/winpfind.php

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe. When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

#9 LeBoW120, Topic Starter

Posted 18 August 2005 - 09:25 AM

Here's the scan you asked me to do:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 30/06/2005 17:27:36 84642 E:\WINDOWS\n_ymmwja.txt
UPX! 03/05/2005 11:44:44 25157 E:\WINDOWS\RMAgentOutput.dll
UPX! 10/01/2005 16:17:24 170053 E:\WINDOWS\tsc.exe

Checking %System% folder...
PEC2 29/08/2002 03:41:04 59252 E:\WINDOWS\SYSTEM32\ansi.cfg
PEC2 18/08/2001 13:00:00 41397 E:\WINDOWS\SYSTEM32\dfrg.msc
FSG! 10/12/2003 16:36:10 238080 E:\WINDOWS\SYSTEM32\DivXdec.ax
UPX! 11/07/2005 23:47:48 32256 E:\WINDOWS\SYSTEM32\pxjmoaaa.exe
Umonitor 29/08/2002 03:41:10 631808 E:\WINDOWS\SYSTEM32\rasdlg.dll
aspack 24/04/2005 17:31:58 281232 E:\WINDOWS\SYSTEM32\trjscan.trb
aspack 18/04/2005 01:27:40 351368 E:\WINDOWS\SYSTEM32\trupd.trb
winsync 18/08/2001 13:00:00 1309184 E:\WINDOWS\SYSTEM32\wbdbase.deu
UPX! 03/08/2005 06:13:52 47616 E:\WINDOWS\SYSTEM32\__delete_on_reboot__flsmngr.dll

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
H 30/06/2005 13:36:26 54156 E:\WINDOWS\QTFont.qfn
H 01/08/2005 19:33:14 65 E:\WINDOWS\Downloaded Program Files\desktop.ini
H 10/08/2005 12:53:04 10820 E:\WINDOWS\Help\nocontnt.GID
H 02/08/2005 04:12:22 10820 E:\WINDOWS\Help\update.GID
H 11/08/2005 19:49:34 0 E:\WINDOWS\inf\oem6.inf
H 11/08/2005 19:52:34 0 E:\WINDOWS\inf\oem7.inf
H 01/08/2005 19:33:14 65 E:\WINDOWS\Offline Web Pages\desktop.ini
H 18/08/2005 04:18:02 31769 E:\WINDOWS\system32\vsconfig.xml
H 18/08/2005 15:09:54 8192 E:\WINDOWS\system32\config\default.LOG
H 18/08/2005 15:10:22 1024 E:\WINDOWS\system32\config\SAM.LOG
H 18/08/2005 15:10:02 16384 E:\WINDOWS\system32\config\SECURITY.LOG
H 18/08/2005 15:11:14 73728 E:\WINDOWS\system32\config\software.LOG
H 18/08/2005 15:10:04 806912 E:\WINDOWS\system32\config\system.LOG
SH 11/08/2005 04:52:26 388 E:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\a13a8ba5-8651-464a-af0f-97a1f540ab8d
SH 11/08/2005 04:52:26 24 E:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
SH 11/08/2005 19:49:42 13698 E:\WINDOWS\system32\Restore\filelist.xml
H 18/08/2005 06:13:02 6 E:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 18/08/2001 13:00:00 66048 E:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 29/08/2002 03:41:28 578560 E:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 29/08/2002 03:41:28 129024 E:\WINDOWS\SYSTEM32\desk.cpl
GlobespanVirata, Inc. 14/05/2003 20:39:54 290816 E:\WINDOWS\SYSTEM32\gsi.cpl
Microsoft Corporation 18/08/2001 13:00:00 150016 E:\WINDOWS\SYSTEM32\hdwwiz.cpl
Ahead Software AG 23/12/2003 15:40:52 57344 E:\WINDOWS\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 29/08/2002 07:14:40 292352 E:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 29/08/2002 03:41:28 121856 E:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 29/08/2002 03:41:28 65536 E:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 18/08/2001 13:00:00 187904 E:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 18/08/2001 13:00:00 559616 E:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 18/08/2001 13:00:00 35840 E:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 18/08/2001 13:00:00 256000 E:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 18/08/2001 13:00:00 36864 E:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 18/08/2001 13:00:00 36864 E:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 17/05/2002 18:04:56 45154 E:\WINDOWS\SYSTEM32\plugincpl131_04.cpl
Microsoft Corporation 18/08/2001 13:00:00 109056 E:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 09/12/2004 23:15:10 24576 E:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 23/09/2004 18:57:40 323072 E:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 29/08/2002 03:41:28 268288 E:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 18/08/2001 13:00:00 28160 E:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 18/08/2001 13:00:00 90112 E:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 E:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 18/08/2001 13:00:00 66048 E:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 29/08/2002 03:41:28 578560 E:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 29/08/2002 03:41:28 129024 E:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 18/08/2001 13:00:00 150016 E:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 29/08/2002 07:14:40 292352 E:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 29/08/2002 03:41:28 121856 E:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 29/08/2002 03:41:28 65536 E:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 18/08/2001 13:00:00 187904 E:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 18/08/2001 13:00:00 559616 E:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 18/08/2001 13:00:00 35840 E:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 18/08/2001 13:00:00 256000 E:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 18/08/2001 13:00:00 36864 E:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 18/08/2001 13:00:00 36864 E:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 18/08/2001 13:00:00 109056 E:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 29/08/2002 03:41:28 147456 E:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 29/08/2002 03:41:28 268288 E:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 18/08/2001 13:00:00 28160 E:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 18/08/2001 13:00:00 90112 E:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
09/12/2004 23:15:48 743 E:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 8.0 Tray Icon.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
12/07/2005 01:26:16 656 E:\Documents and Settings\Adam\Start Menu\Programs\Startup\SpywareGuard.lnk

Checking files in %USERPROFILE%\Application Data folder...

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{81559C35-8464-49F7-BB0E-07A383BEF910} = E:\Program Files\SpywareGuard\spywareguard.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = E:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= e:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = E:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= e:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = E:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}
= "E:\Program Files\OpenOffice.org 1.9.79\program\shlxthdl.dll"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}
SpywareGuardDLBLOCK.CBrowserHelper = E:\Program Files\SpywareGuard\dlprotect.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = E:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{BA52B914-B692-46c4-B683-905236F6F655} = McAfee VirusScan : e:\progra~1\mcafee.com\vso\mcvsshl.dll
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : e:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : E:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{57F02779-3D88-4958-8AD3-83C12D86ADC7} = :
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : e:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
GSICONEXE gsicon.exe
DSLAGENTEXE dslagent.exe USB
ATIPTA E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
RealTray E:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
AOL Spyware Protection "E:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
QuickTime Task "E:\Program Files\QuickTime\qttask.exe" -atboottime
NeroFilterCheck E:\WINDOWS\system32\NeroCheck.exe
Zone Labs Client E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
VSOCheckTask "e:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
VirusScan Online "e:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
MCAgentExe e:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe E:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
McRegWiz e:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MsnMsgr "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = E:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = E:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = E:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 18/08/2005 15:17:56


Cheers.

#10 Grinler (Lawrence Abrams), Admin

Posted 20 August 2005 - 11:25 PM

Reboot into safe mode and delete the following files:

E:\WINDOWS\n_ymmwja.txt
E:\WINDOWS\SYSTEM32\pxjmoaaa.exe
E:\WINDOWS\SYSTEM32\__delete_on_reboot__flsmngr.dll

Reboot and post a new HijackThis log, and tell me if your computer is better.
