Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack log seeks analyzation


  • Please log in to reply
7 replies to this topic

#1 shalaby

shalaby

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:08 PM

Posted 22 August 2005 - 04:18 PM

hy, all
my pc has lately gone kinda wild poppin up with ads and such, changing starting page frequently, creating desktop icons and the worst, is somehow suspect something to eat up my hard drive space...
already used spybot & adaware but something's still alive...

so could you please help me out?
oh, and don't take it personal if hijack is in a strangely named folder, thats where I drop almost every download :-)

Logfile of HijackThis v1.99.1
Scan saved at 23:13:13, on 22.08.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Programme\GhostSurf 2005\DeleteSvc.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\WINNT\system32\RunDll32.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Program Files\Omnbve\Coareg.exe
C:\Programme\MessengerPlus! 3\MsgPlus.exe
C:\WINNT\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Dokumente und Einstellungen\Szkokan\Eigene Dateien\Sko's room\random bleep\hijack_this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.cytuawvadowaxkjzuzpsfqefo.biz/Z...XbRdwV/Ahr.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.at/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.at/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Programme\GhostSurf 2005\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {1105A398-A495-7DA1-8F48-FD559CDC3EDA} - C:\DOKUME~1\Szkokan\ANWEND~1\campdeaf\manager bike.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Seticon] C:\Program Files\Icons\Seticon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Oakghkk] C:\Program Files\Omnbve\Coareg.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programme\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [qzqm] C:\PROGRA~1\COMMON~1\qzqm\qzqmm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programme\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Ooze Way] C:\DOKUME~1\Szkokan\ANWEND~1\CREATI~1\Ballclock.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Tenebril antispyware satellite (TNBRLDS) - Tenebril Inc. - C:\Programme\GhostSurf 2005\DeleteSvc.exe

thanks in advance!

BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:05:08 PM

Posted 24 August 2005 - 12:25 PM

Hello shalaby and welcome to the BC HijackThis forum. It looks like there is a LOP infection here. This comes from installing Messenger Plus which includes a LOP installer in the MP installation. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Remove these installed programs using Add or Remove Programs in the Control Panel:
  • Click Start.
  • Click Control Panel.
  • Double-click Add or Remove Programs.
  • Look in the Currently installed programs box for each program listed below and if it is there:
  • Click on it to select it.
  • Click Change (or Change/Remove) button.
  • If you are prompted to confirm the removal of the program, click Yes.
MessengerPlus! 3
Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.cytuawvadowaxkjzuzpsfqefo.biz/Z...XbRdwV/Ahr.html
O2 - BHO: (no name) - {1105A398-A495-7DA1-8F48-FD559CDC3EDA} - C:\DOKUME~1\Szkokan\ANWEND~1\campdeaf\manager bike.exe
O4 - HKLM\..\Run: [Oakghkk] C:\Program Files\Omnbve\Coareg.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programme\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [qzqm] C:\PROGRA~1\COMMON~1\qzqm\qzqmm.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programme\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Ooze Way] C:\DOKUME~1\Szkokan\ANWEND~1\CREATI~1\Ballclock.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):C:\Dokumente und Einstellungen\Szkokan\ANWEND~1 (a folder whose name begins with ANWEND)\campdeaf\ <--folder
C:\Dokumente und Einstellungen\Szkokan\ANWEND~1 (a folder whose name begins with ANWEND)\CREATI~1 (a folder whose name begins with CREATI)\ <--folder
C:\Program Files\Omnbve\ <--folder
C:\PROGRAM FILES\COMMON FILES\qzqm\ <--folder
C:\Programme\MessengerPlus! 3\ <--folder

Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Reboot normally and run at least 2 of the following on-line virus scans:Bitdefender <<<Add a check by 'Autoclean'.
RAV <<<Add a check by 'Autoclean', leave everything else as is.
eTrust <<<'Cure' whatever is found, then delete if unsuccessful
Housecall <<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan <<<Accept default settings
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #7

If you do not already have Ad-Aware SE 1.06 then follow these download and setup instructions: Ad-Aware SE Setup. Otherwise, just check for updates.

Start Ad-aware SE, click the Start button and choose Perform Full System Scan. Click the Next button and wait for the scan to complete. If anything was found, right-click on the list and choose Select All and remove all it finds.

Step #8

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 shalaby

shalaby
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:08 PM

Posted 26 August 2005 - 06:44 PM

thanks, this worked quite well so far, it even got me 7 gig free :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 01:35:06, on 27.08.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\WINNT\system32\RunDll32.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINNT\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINNT\System32\svchost.exe
C:\Programme\GhostSurf 2005\DeleteSvc.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\wuauclt.exe
C:\Dokumente und Einstellungen\Szkokan\Eigene Dateien\Sko's room\random bleep\hijack_this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.at/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.at/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Seticon] C:\Program Files\Icons\Seticon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Programme\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Tenebril antispyware satellite (TNBRLDS) - Tenebril Inc. - C:\Programme\GhostSurf 2005\DeleteSvc.exe


is the log

but xostspy finds 3 things that even show up again if I manage to delete them:
small.sn , registry key, spyware /windows/currentversion/uninstall/rotue
2o7.net cookie, file , dataminer
istbar , folder , malware <-------- this doesn't exist anymore , he still finds it
cws.homepage, host file item , browser hijacker <-------- don'T know how to deal with this

and thanks for your great help!

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:05:08 PM

Posted 27 August 2005 - 02:12 PM

Hi shalaby. The HijackThis log looks clean. Good job!

I have never used XoftSpy so I cannot vouch for its effectiveness. Let's try a different free scanner that we use quite frequently that is one of the best I have seen.

Download and install the trial version of the ewido security suite. Update the program and then close it.

Start ewido and do the following:
  • Click on the Scanner button.
  • Click on the Complete System Scan.
  • If anything is found you will be prompted to clean the first infected file found. Choose Clean and put a checkmark in the checkbox for Perform action on all infections and click the Ok button to continue the scan.
  • When the scan is complete close ewido and reboot the computer normally.
Post the log from ewido back here and I will review it when it comes in.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#5 shalaby

shalaby
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:08 PM

Posted 28 August 2005 - 03:44 PM

did so and removed a few things, so there is no log

but everytime I restart and let a programm scan for bad things, at least one cookie is found,even though I haven't used internetexplorer , so there has to be something hiding and messin around.
allthough ewido, ad aware or spybot don't find it, xoftspy still finds something called:
cws.homepage and declares it as a browswer hijacker, a host file item under the name mp3u.com

but xoftspy only shows and doesn't solve the problem, can you once more? :thumbsup:

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:05:08 PM

Posted 29 August 2005 - 12:49 AM

Hi shalaby. Xoftspy might just be quirky. Let's look at a different scanner and if it doesn't show anything then I would just ignore the Xoftspy scan.

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new HijackThis log and I will review the information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#7 shalaby

shalaby
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:08 PM

Posted 30 August 2005 - 09:04 AM

ok here it goes:

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
SAHAgent 23.05.2005 15:45:48 35 C:\WINNT\SYSTEM32\3unqpm4k.ini
SAHAgent 23.05.2005 15:45:48 35 C:\WINNT\SYSTEM32\cjfms8t4.ini
PEC2 18.08.2001 12:00:00 41118 C:\WINNT\SYSTEM32\dfrg.msc
SAHAgent 19.06.2005 11:48:38 3525 C:\WINNT\SYSTEM32\leoapa7h.ini
PECompact2 05.08.2005 03:31:56 1457496 C:\WINNT\SYSTEM32\MRT.exe
aspack 05.08.2005 03:31:56 1457496 C:\WINNT\SYSTEM32\MRT.exe
aspack 04.08.2004 09:57:08 733696 C:\WINNT\SYSTEM32\ntdll.dll
Umonitor 04.08.2004 09:57:32 686592 C:\WINNT\SYSTEM32\rasdlg.dll
winsync 18.08.2001 12:00:00 1309184 C:\WINNT\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 04.08.2004 07:41:38 1309184 C:\WINNT\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
30.08.2005 15:54:06 S 2048 C:\WINNT\bootstat.dat
08.07.2005 16:23:28 S 12143 C:\WINNT\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB893756.cat
19.07.2005 19:18:04 S 18913 C:\WINNT\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896727.cat
02.07.2005 10:18:08 S 9445 C:\WINNT\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB903235.cat
30.08.2005 15:53:54 H 8192 C:\WINNT\system32\config\default.LOG
30.08.2005 15:54:22 H 1024 C:\WINNT\system32\config\SAM.LOG
30.08.2005 15:54:08 H 16384 C:\WINNT\system32\config\SECURITY.LOG
30.08.2005 15:54:24 H 57344 C:\WINNT\system32\config\software.LOG
30.08.2005 15:54:16 H 897024 C:\WINNT\system32\config\system.LOG
10.08.2005 19:01:16 H 1024 C:\WINNT\system32\config\systemprofile\NTUSER.DAT.LOG
30.08.2005 15:52:54 H 6 C:\WINNT\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 04.08.2004 09:58:22 70656 C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation 04.08.2004 09:58:22 555008 C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation 04.08.2004 09:58:22 110592 C:\WINNT\SYSTEM32\bthprops.cpl
Microsoft Corporation 04.08.2004 09:58:22 138240 C:\WINNT\SYSTEM32\desk.cpl
Microsoft Corporation 04.08.2004 09:58:22 80384 C:\WINNT\SYSTEM32\firewall.cpl
Microsoft Corporation 04.08.2004 09:58:22 157184 C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 04.08.2004 09:58:22 359424 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 04.08.2004 09:58:22 133120 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 04.08.2004 09:58:22 381440 C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation 04.08.2004 09:58:22 69632 C:\WINNT\SYSTEM32\joy.cpl
Microsoft Corporation 18.08.2001 12:00:00 189440 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 04.08.2004 09:58:22 625152 C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation 18.08.2001 12:00:00 35840 C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation 04.08.2004 09:58:22 25600 C:\WINNT\SYSTEM32\netsetup.cpl
Microsoft Corporation 04.08.2004 09:58:22 260096 C:\WINNT\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 04.08.2004 09:58:22 32768 C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation 04.08.2004 09:58:22 117248 C:\WINNT\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 08.04.2004 14:12:42 323072 C:\WINNT\SYSTEM32\QuickTime.cpl
Microsoft Corporation 04.08.2004 09:58:22 303104 C:\WINNT\SYSTEM32\sysdm.cpl
Microsoft Corporation 18.08.2001 12:00:00 28160 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 04.08.2004 09:58:22 94208 C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation 04.08.2004 09:58:22 148480 C:\WINNT\SYSTEM32\wscui.cpl
Microsoft Corporation 26.05.2005 04:16:22 174872 C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 18.08.2001 12:00:00 189440 C:\WINNT\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 18.08.2001 12:00:00 35840 C:\WINNT\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 18.08.2001 12:00:00 28160 C:\WINNT\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 26.05.2005 04:16:22 174872 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
25.03.2004 12:20:02 HS 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
30.06.2004 15:29:24 1710 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
25.03.2004 12:12:46 HS 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
25.03.2004 12:20:02 HS 84 C:\Dokumente und Einstellungen\Szkokan\Startmenü\Programme\Autostart\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
25.03.2004 12:12:46 HS 62 C:\Dokumente und Einstellungen\Szkokan\Anwendungsdaten\desktop.ini
21.11.2004 22:51:06 24848 C:\Dokumente und Einstellungen\Szkokan\Anwendungsdaten\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Virus-Killer
{D653647D-D607-4DF6-A5B8-48D2BA195F7B} =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tipps und Tricks = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6224f700-cba3-4071-b251-47cb894244cd}
ButtonText = ICQ Pro : C:\PROGRA~1\ICQ\ICQ.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Programme\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} = :
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Seticon C:\Program Files\Icons\Seticon.exe
ATIPTA C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
RemoteControl C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
NeroFilterCheck C:\WINNT\system32\NeroCheck.exe
Cmaudio RunDll32 cmicnfg.cpl,CMICtrlWnd
Mirabilis ICQ C:\PROGRA~1\ICQ\ICQNet.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINNT\system32\ctfmon.exe
MSMSGS "C:\Programme\Messenger\msmsgs.exe" /background
msnmsgr "C:\Programme\MSN Messenger\msnmsgr.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINNT\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 30.08.2005 16:01:16

AND

Logfile of HijackThis v1.99.1
Scan saved at 16:05:31, on 30.08.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\ewido\security suite\ewidoctrl.exe
C:\Programme\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINNT\system32\wuauclt.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Szkokan\Eigene Dateien\Sko's room\random bleep\hijack_this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.at/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.at/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Seticon] C:\Program Files\Icons\Seticon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido\security suite\ewidoguard.exe
O23 - Service: Tenebril antispyware satellite (TNBRLDS) - Unknown owner - C:\Programme\GhostSurf 2005\DeleteSvc.exe (file missing)

can't thank you enough!

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:05:08 PM

Posted 31 August 2005 - 09:40 AM

Hi shalaby. Everything looks good in both logs. If there is a specific file that XoftSpy names you can go to http://virusscan.jotti.org and have it scanned but if it's not naming any particular file then I think it is just confused.

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
  • Turn off System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • CHECK Turn off System Restore.
    • Click Apply, and then click OK.
  • Restart your computer.
  • Turn ON System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • UN-Check Turn off System Restore.
    • Click Apply, and then click OK.
System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should definitely have a good antivirus to stop infections before they can start and spread. Here are 3 free anti-virus programs that are available for personal use (I use each of these on various machines and they are all good):You should also have a good firewall for blocking unwanted access to and from your computer. These also are free for personal use:It is best to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit Microsoft Windows Update monthly. Microsoft puts out new updates on the 2nd Tuesday of every month so be sure to check regularly.

And to keep your system clean be aware of what emails you open, what websites you visit, and update and run these free malware scanners once a week:To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Have a safe and happy computing day!

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users