SpySheriff now TopNetSearch!?


  • This topic is locked
13 replies to this topic

#1 spd

Posted 12 September 2005 - 09:04 PM

I almost got SpySheriff off, then I was invaded by TopNetSearch- and I'm getting these porno emails being sent from my? pc? I can't take much more of this.
Thank you in advance for your expert advice.

Logfile of HijackThis v1.99.1
Scan saved at 9:48:30 PM, on 9/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\LEXBCES.EXE
C:\WINXP\system32\spoolsv.exe
C:\WINXP\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
C:\WINXP\Explorer.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINXP\System32\svchost.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINXP\System32\kernels32.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdui.exe
C:\WINXP\System32\maxd1.exe
C:\WINXP\System32\devldr32.exe
C:\WINXP\System32\vxgamet1.exe
C:\WINXP\Plaxo\2.1.0.80\InstallStub.exe
C:\WINXP\System32\vxgame2.exe
C:\Program Files\tsps\bsos.exe
C:\WINXP\System32\vxgame4.exe
C:\WINXP\System32\vxgame4.exe
C:\WINXP\System32\rundll32.exe
C:\WINXP\System32\w?nword.exe
C:\WINXP\System32\sysvcs.exe
C:\Program Files\ewido\security suite\securitysuite.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\SCOTT~1.MAG\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINXP\blank.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.semafx.net/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINXP\System32\kernels32.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\saishook.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINXP\System32\zolker010.dll
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINXP\System32\ztoolb010.dll
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINXP\System32\ztoolb010.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [sais] c:\program files\180searchassistant\sais.exe
O4 - HKLM\..\Run: [System] C:\WINXP\System32\kernels32.exe
O4 - HKLM\..\Run: [CPU Watcher] rundll32.exe C:\WINXP\cpu.dll,load
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Explorer32] C:\WINXP\System32\efsdfgxg.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINXP\System\svchost.exe /s
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINXP\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [Otae] C:\Program Files\tsps\bsos.exe
O4 - HKCU\..\Run: [Giz] C:\WINXP\System32\w?nword.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINXP\System32\vxh8jkdq2.exe
O4 - HKCU\..\Run: [aupd] C:\WINXP\System32\sysvcs.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.asdbiz.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.asdbiz.biz (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_website.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=4725
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {CDCC6BE5-720B-488D-A953-047E0598D996} (UpMan Class) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab
O20 - Winlogon Notify: tcpG4T - tcpG4T.dll (file missing)
O21 - SSODL: Adobe Photoshop 7.0 - {015FF6B1-3E41-0F00-631C-BDA77F991C68} - c:\program files\adobe\photoshop 7.0\kveew32.dll (file missing)
O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - C:\WINXP\System32\kobhhinb.dll (file missing)
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINXP\System32\bbemeqig.dll (file missing)
O21 - SSODL: SysTray.Exlv - {5368DCFC-4F5C-4f5b-B134-E67294FC78E9} - C:\WINXP\System32\nkjokamk.dll (file missing)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINXP\System32\Lkfppo32.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINXP\System32\cmdtel.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINXP\system32\LEXBCES.EXE
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe


#2 miekiemoes (Malware Response Team)

Posted 13 September 2005 - 08:23 AM

Hello,

I have a bad feeling you are dealing with Bube here, but I'm not sure, so let's see afterwards...

HijackThis is still in your temp folder, so I strongly advise you to create a permanent folder and move hijackthis.exe into it. The reason is that HijackThis creates backups, and when it's in your temp folder it can be accidentally deleted.
How do you make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

* Download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".

Now copy the next bold:

C:\WINXP\System32\kernels32.exe
C:\WINXP\System32\maxd1.exe
C:\WINXP\System32\devldr32.exe
C:\WINXP\System32\vxgamet1.exe
C:\WINXP\System32\vxgame2.exe
C:\WINXP\System32\vxgame4.exe
C:\WINXP\cpu.dll
C:\WINXP\System32\efsdfgxg.exe
C:\WINXP\System\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\winstall.exe
C:\WINXP\System32\vxh8jkdq2.exe
C:\WINXP\System32\sysvcs.exe
C:\WINXP\System32\kobhhinb.dll
C:\WINXP\System32\bbemeqig.dll
C:\WINXP\System32\nkjokamk.dll
C:\WINXP\System32\Lkfppo32.dll
C:\WINXP\System32\cmdtel.exe


Open 'File' in the Killbox menu on top and choose 'Paste from clipboard'.

Now you will see this is pasted into the "Full Path of File to Delete" field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, these lines must be there together if the files are present!

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot. Click YES
When it asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.
Click No at the Pending Operations prompt.

Your computer must reboot now.

Download smitRem and save the file to your desktop.
Double-click it and choose Install. This will create a new folder on your desktop with the name smitrem.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

* Reboot into Safe Mode (without networking support!):
°To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINXP\blank.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINXP\System32\kernels32.exe
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\saishook.dll (file missing)
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINXP\System32\zolker010.dll
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINXP\System32\ztoolb010.dll
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINXP\System32\ztoolb010.dll
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [sais] c:\program files\180searchassistant\sais.exe
O4 - HKLM\..\Run: [System] C:\WINXP\System32\kernels32.exe
O4 - HKLM\..\Run: [CPU Watcher] rundll32.exe C:\WINXP\cpu.dll,load
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Explorer32] C:\WINXP\System32\efsdfgxg.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINXP\System\svchost.exe /s
O4 - HKCU\..\Run: [Otae] C:\Program Files\tsps\bsos.exe
O4 - HKCU\..\Run: [Giz] C:\WINXP\System32\w?nword.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINXP\System32\vxh8jkdq2.exe
O4 - HKCU\..\Run: [aupd] C:\WINXP\System32\sysvcs.exe
O15 - Trusted Zone: *.asdbiz.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.asdbiz.biz (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_website.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=4725
O16 - DPF: {CDCC6BE5-720B-488D-A953-047E0598D996} (UpMan Class) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab
O20 - Winlogon Notify: tcpG4T - tcpG4T.dll (file missing)
O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - C:\WINXP\System32\kobhhinb.dll (file missing)
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINXP\System32\bbemeqig.dll (file missing)
O21 - SSODL: SysTray.Exlv - {5368DCFC-4F5C-4f5b-B134-E67294FC78E9} - C:\WINXP\System32\nkjokamk.dll (file missing)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINXP\System32\Lkfppo32.dll (file missing)
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINXP\System32\cmdtel.exe


* Click on Fix Checked when finished and exit HijackThis.

* Using Windows Explorer, locate the following folders, and delete them if still present:

c:\program files\180searchassistant
C:\Program Files\SurfAccuracy
C:\Program Files\ISTsvc
C:\Program Files\tsps

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Open Ad-aware and do a full scan. Remove all it finds.


Now open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido

Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there. (except for "My current home page")

Reboot back into Windows.

* Download: Hoster
Unzip Hoster into its own folder, e.g. C:\Hoster
Start Hoster.exe, click 'Restore Original Hosts' and click OK.

* Download DelDomains.inf and save it to your desktop.
Rightclick on it and choose 'install'.

Perform an online scan with Kaspersky WebScanner

Click "Launch Kaspersky Anti-Virus Web Scanner"
You will be prompted if you want to install an ActiveX component from Kaspersky, click yes.
This will start downloading the latest definition files.
Once the files have been downloaded click on "Next"

* Click "Scan Settings"
Select the following in Scan Settings (normally they are already selected by default)

°Scan using the following Anti-Virus database: Standard

°Scan Options: Scan Archives
Scan Mail Bases

* Click OK
* Under select a target to scan, select "My Computer"

* This program will start to scan your system.
The scan will take a while so be patient and let it run.
When the scan is done, it will show a list of infected files found.

* Click on the "Save as Text"- button:
Save the scan log and post it along with a new HijackThis Log, the log smitfiles.txt (which you will find on your C:\) and the Ewido Log by using Add Reply.

It is possible that, after reboot, your system is using the Windows classic theme again.
To restore this and set it back to the XP theme, right-click on your desktop > Properties > tab Appearance and choose Windows XP style again under Windows and buttons.
Click apply and OK.

Edited by miekiemoes, 13 September 2005 - 08:24 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 spd (Topic Starter)

Posted 16 September 2005 - 01:12 AM

I'll keep trying, but I cannot run Killbox. I'm getting a dialog box that says Server Busy, but the Switch to... and Retry... buttons aren't doing anything. I never get to the Killbox to employ the "Delete on Reboot command"...

While I've got you here... is this all the same issue that's trying to email spam out from my pc? and how can I get around McAfee trying to DELETE HijackThis?

And what happened that I now get a message that my Administrator has disabled the Task Manager? More malware, I assume. I did download and use the little registry fixer that lets it pop up again...

But something is maxing out my system at 100%... I'm disgusted.

This SpySheriff is criminal!

And YOU are the man (woman?)... can't tell... but whichever... you ARE!

Scott :thumbsup:

#4 miekiemoes (Malware Response Team)

Posted 16 September 2005 - 04:13 AM

Hello,

Try this link for killbox:

http://www.bleepingcomputer.com/files/killbox.php

If that still doesn't work, boot in safe mode WITH networking support and try it again for killbox.

Yes, this is all responsible for the problems you are having now... so that's why it is important you follow all my steps in the right order. If you do, we can cover everything, as well as the problem with your taskmanager.
Don't forget, I also mention there to boot in safe mode again without networking support.
So this is with a reason.

So try my steps again and if it still doesn't work with Killbox, just let me know.

Edited by miekiemoes, 16 September 2005 - 04:15 AM.


#5 spd (Topic Starter)

Posted 23 September 2005 - 08:04 PM

Here are my reports, as requested. Thanks again...

spd.


Kaspersky List:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, September 23, 2005 20:46:55
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 23/09/2005
Kaspersky Anti-Virus database records: 141637
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 144730
Number of viruses found: 26
Number of infected objects: 83
Number of suspicious objects: 31
Duration of the scan process: 12607 sec

Infected Object Name - Virus Name
C:\!Submit\ibm00001.exe Infected: Trojan-PSW.Win32.Agent.bu
C:\!Submit\kernels32.exe Infected: Trojan-Downloader.Win32.Small.agq
C:\Documents and Settings\All Users.WINXP\Application Data\Spybot - Search & Destroy\Recovery\ISTbarSlotch5.zip/istsvc.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users.WINXP\Application Data\Spybot - Search & Destroy\Recovery\ISTbarSlotch5.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users.WINXP\Application Data\Spybot - Search & Destroy\Recovery\ISTbarSlotch9.zip/istsvc.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users.WINXP\Application Data\Spybot - Search & Destroy\Recovery\ISTbarSlotch9.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users.WINXP\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader2.zip/stcloader.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users.WINXP\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader2.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/30 Jun 2003 03:39 from rdbiestek:Re:japanese girl VS playboy.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/10 Jul 2003 10:32 from mswsgulf:Page Size.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/SPAMfighter/22 May 2003 07:09 from support@microsoft.com:Cool screensaver/movie28.pif Infected: Email-Worm.Win32.Sobig.b
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/SPAMfighter/27 May 2003 04:47 from support@microsoft.com:Screensaver/ref-394755.pif Infected: Email-Worm.Win32.Sobig.b
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/SPAMfighter/30 May 2003 21:00 from thamesc:Fw:scott,japanese lass' sexy pict.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/SPAMfighter/12 Jun 2003 04:00 from Romero725:LANGAUGE.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/SPAMfighter/15 Jun 2003 01:53 from biz2excel:Look,my beautiful girl friend.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Infected: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Scott.MAGOO\Local Settings\Application Data\Identities\{9E835674-7436-4E79-92EC-92ED4F61B771}\Microsoft\Outlook Express\MembersGuests.dbx/[From <jonathan@radium.com>][Date Thu, 5 Jun 2003 16:58:03 --0700]/documents.pif Infected: Email-Worm.Win32.Sobig.c
C:\Documents and Settings\Scott.MAGOO\Local Settings\Application Data\Identities\{9E835674-7436-4E79-92EC-92ED4F61B771}\Microsoft\Outlook Express\MembersGuests.dbx Infected: Email-Worm.Win32.Sobig.c
C:\Documents and Settings\Scott.MAGOO\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/SEMAFX/MembersGuests/06 Jun 2003 00:10 from jonathan@radium.com:Re: Application/documents.pif Infected: Email-Worm.Win32.Sobig.c
C:\Documents and Settings\Scott.MAGOO\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Email-Worm.Win32.Sobig.c
C:\lo-2076369770.exe Infected: Trojan-Downloader.Win32.Small.agq
C:\Meg\My Documents\Outlook.pst/Personal Folders/Deleted Items/13 Aug 2002 12:00 from bwest:Introduction on ADSL.html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Meg\My Documents\Outlook.pst/Personal Folders/Deleted Items/13 Aug 2002 12:00 from bwest:Introduction on ADSL.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Meg\My Documents\Outlook.pst/Personal Folders/Deleted Items/14 Aug 2002 04:15 from alerts@amazon.com:Re: Your Amazon.com Inq.eml/[From dunhamm <dunhamm@gp.k12.mi.us>][Date Tue, 13 Aug 2002 21:15:25 -0700]/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Meg\My Documents\Outlook.pst/Personal Folders/Deleted Items/14 Aug 2002 04:15 from alerts@amazon.com:Re: Your Amazon.com Inq.eml/[From dunhamm <dunhamm@gp.k12.mi.us>][Date Tue, 13 Aug 2002 21:15:25 -0700]/jul Infected: Email-Worm.Win32.Klez.h
C:\Meg\My Documents\Outlook.pst/Personal Folders/Deleted Items/14 Aug 2002 04:15 from alerts@amazon.com:Re: Your Amazon.com Inq.eml Infected: Email-Worm.Win32.Klez.h
C:\Meg\My Documents\Outlook.pst/Personal Folders/Deleted Items/14 Aug 2002 04:15 from alerts@amazon.com:Re: Your Amazon.com Inq.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Meg\My Documents\Outlook.pst/Personal Folders/Deleted Items/11 Aug 2002 05:08 from Underwood, Richard:Hi,DunhamM,spice girls.html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Meg\My Documents\Outlook.pst/Personal Folders/Deleted Items/11 Aug 2002 05:08 from Underwood, Richard:Hi,DunhamM,spice girls.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Meg\My Documents\Outlook.pst/Personal Folders/Deleted Items/11 Aug 2002 22:25 from webmaster:The View menu,.html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Meg\My Documents\Outlook.pst/Personal Folders/Deleted Items/11 Aug 2002 22:25 from webmaster:The View menu,.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Meg\My Documents\Outlook.pst/Personal Folders/Deleted Items/03 Aug 2002 20:57 from Ginger, Ken:End File.html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Meg\My Documents\Outlook.pst/Personal Folders/Deleted Items/03 Aug 2002 20:57 from Ginger, Ken:End File.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Meg\My Documents\Outlook.pst/Personal Folders/Deleted Items/03 Aug 2002 02:23 from kaspr:Me a Passport.html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Meg\My Documents\Outlook.pst/Personal Folders/Deleted Items/03 Aug 2002 02:23 from kaspr:Me a Passport.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Meg\My Documents\Outlook.pst/Personal Folders/Deleted Items/17 Aug 2002 22:04 from Roby, Doug:Hello,DunhamM,japanese lass' s.html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Meg\My Documents\Outlook.pst/Personal Folders/Deleted Items/17 Aug 2002 22:04 from Roby, Doug:Hello,DunhamM,japanese lass' s.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Meg\My Documents\Outlook.pst/Personal Folders/Deleted Items/16 Aug 2002 22:47 from KlasseD:All rights reserved..html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Meg\My Documents\Outlook.pst/Personal Folders/Deleted Items/16 Aug 2002 22:47 from KlasseD:All rights reserved..rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Meg\My Documents\Outlook.pst/Personal Folders/Deleted Items/30 Aug 2002 23:20 from angel07896:Fw: One Friendship to enjoy :-.html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Meg\My Documents\Outlook.pst/Personal Folders/Deleted Items/30 Aug 2002 23:20 from angel07896:Fw: One Friendship to enjoy :-.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Meg\My Documents\Outlook.pst/Personal Folders/Deleted Items/30 Aug 2002 19:16 from adele_104:Fw: bad boy.html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Meg\My Documents\Outlook.pst/Personal Folders/Deleted Items/30 Aug 2002 19:16 from adele_104:Fw: bad boy.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Meg\My Documents\Outlook.pst Infected: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\01F814D2 Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\060E62DB Infected: Email-Worm.Win32.Sobig.b
C:\Program Files\Norton AntiVirus\Quarantine\06722749.exe Infected: Virus.Win32.Elkern.c
C:\Program Files\Norton AntiVirus\Quarantine\0D0E56AD Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\0F17356C Infected: Email-Worm.Win32.Sobig.c
C:\Program Files\Norton AntiVirus\Quarantine\13CB1125 Infected: Email-Worm.Win32.Sobig.c
C:\Program Files\Norton AntiVirus\Quarantine\158D5A31 Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\16473364 Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\21DF57E5.exe Infected: HackTool.Win32.Hucline
C:\Program Files\Norton AntiVirus\Quarantine\3D045A06.bat Infected: Net-Worm.Win32.Muma.b
C:\Program Files\Norton AntiVirus\Quarantine\3D591DA9.ini Infected: Net-Worm.Win32.Muma.b
C:\Program Files\Norton AntiVirus\Quarantine\42C012A1 Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\43AA21E0 Infected: Email-Worm.Win32.Sobig.c
C:\Program Files\Norton AntiVirus\Quarantine\43EE3E6A.BAT Infected: Net-Worm.Win32.Muma.a
C:\Program Files\Norton AntiVirus\Quarantine\44390418.bat Infected: Net-Worm.Win32.Muma.a
C:\Program Files\Norton AntiVirus\Quarantine\44495606.bat Infected: Net-Worm.Win32.Muma.a
C:\Program Files\Norton AntiVirus\Quarantine\449171B7.BAT Infected: Net-Worm.Win32.Muma.a
C:\Program Files\Norton AntiVirus\Quarantine\44941BB3.BAT Infected: Net-Worm.Win32.Muma.a
C:\Program Files\Norton AntiVirus\Quarantine\44A56DA1.INI Infected: Net-Worm.Win32.Muma.a
C:\Program Files\Norton AntiVirus\Quarantine\44C5117D.bat Infected: Net-Worm.Win32.Muma.a
C:\Program Files\Norton AntiVirus\Quarantine\44DF6160.BAT Infected: Net-Worm.Win32.Muma.b
C:\Program Files\Norton AntiVirus\Quarantine\457E0423.EXE Infected: Worm.Win32.Deborm.r
C:\Program Files\Norton AntiVirus\Quarantine\498823BE.EXE Infected: Worm.Win32.Deborm.q
C:\Program Files\Norton AntiVirus\Quarantine\52A72DF1.exe Infected: Worm.Win32.Deborm.r
C:\Program Files\Norton AntiVirus\Quarantine\57875494.EXE Infected: Worm.Win32.Deborm.q
C:\Program Files\Norton AntiVirus\Quarantine\58332544.EXE Infected: Worm.Win32.Deborm.q
C:\Program Files\Norton AntiVirus\Quarantine\5E275C7A/mirc.ini Infected: Backdoor.IRC.Smev.a
C:\Program Files\Norton AntiVirus\Quarantine\5E275C7A/script.ini Infected: Backdoor.IRC.Smev.a
C:\Program Files\Norton AntiVirus\Quarantine\5E275C7A/svchost.exe Infected: Backdoor.Win32.mIRC-based
C:\Program Files\Norton AntiVirus\Quarantine\5E275C7A/win2k.bat Infected: Backdoor.IRC.Smev.a
C:\Program Files\Norton AntiVirus\Quarantine\5E275C7A Infected: Backdoor.IRC.Smev.a
C:\Program Files\Norton AntiVirus\Quarantine\60AF3FF0.exe Infected: Worm.Win32.Deborm.r
C:\Program Files\Norton AntiVirus\Quarantine\61145581.exe Infected: Worm.Win32.Deborm.r
C:\Program Files\Norton AntiVirus\Quarantine\62007B0E.EXE Infected: Worm.Win32.Deborm.q
C:\Program Files\Norton AntiVirus\Quarantine\6786065B Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\6CD94FFE Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\6EBE5308.EXE Infected: Worm.Win32.Deborm.q
C:\Program Files\Norton AntiVirus\Quarantine\74AA6743 Infected: Email-Worm.Win32.Tanatos.b
C:\Program Files\Norton AntiVirus\Quarantine\78DC241D Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\794239AD Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\7A190CC0 Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\7C5376B4.EXE Infected: Worm.Win32.Deborm.q
C:\Program Files\Norton AntiVirus\Quarantine\7DA352A6.EXE Infected: Worm.Win32.Deborm.q
C:\Program Files\Norton AntiVirus\Quarantine\7F0C2F4E Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\7F902FA3 Infected: Email-Worm.Win32.Klez.h
C:\WINDOWS\Downloaded Program Files\AskEarth17.exe Infected: Trojan-Downloader.Win32.Small.px
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\AskEarth17.exe Infected: Trojan-Downloader.Win32.Small.px
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\AskEarth17.exe Infected: Trojan-Downloader.Win32.Small.px
C:\WINDOWS\SYSTEM32\DISK.DLL Infected: Backdoor.IRC.Zcrew
C:\WINDOWS\SYSTEM32\RANDOM.BAT Infected: Net-Worm.Win32.Muma.a
C:\WINDOWS\SYSTEM32\web.exe Infected: Trojan-Downloader.Win32.Small.agq
C:\WINDOWS\Temporary Internet Files\Content.IE5\3J9VVX4W\AskEarth17[1].exe Infected: Trojan-Downloader.Win32.Small.px
C:\winnt\system32\drivers\etc\all.exe/data.rar/go.bat Infected: Backdoor.Win32.Iroffer.1213.c
C:\winnt\system32\drivers\etc\all.exe/data.rar/spoolsv.exe Infected: Backdoor.Win32.Iroffer.1213.c
C:\winnt\system32\drivers\etc\all.exe/data.rar/SysMgmt.exe Infected: Backdoor.Win32.ServU-based
C:\winnt\system32\drivers\etc\all.exe/data.rar Infected: Backdoor.Win32.ServU-based
C:\winnt\system32\drivers\etc\all.exe Infected: Backdoor.Win32.ServU-based
C:\winnt\system32\drivers\etc\mybot1.msg Infected: IRC-Worm.IRC.Edoc.c
C:\winnt\system32\drivers\etc\ServUDaemon.ini Infected: Backdoor.Win32.ServU-based
C:\WINXP\system32\41.dl_ Infected: Trojan.Win32.Spabot.r
C:\WINXP\system32\785179.exe Infected: Trojan-Dropper.Win32.Small.wb
C:\WINXP\system32\c43b1s.dll Infected: Trojan-Dropper.Win32.Agent.of
C:\WINXP\system32\chp.dll Infected: Trojan.Win32.Spabot.r
C:\WINXP\wmplayer.exe/shttps/www/tools/backup.exe Infected: Trojan.Win32.Delf.dt
C:\WINXP\wmplayer.exe/shttps/www/tools/cls.exe Infected: Trojan.Win32.Delf.dt
C:\WINXP\wmplayer.exe/shttps/www/tools/reboot.exe Infected: Trojan.Win32.Delf.dt
C:\WINXP\wmplayer.exe/shttps/www/tools/restore.exe Infected: Trojan.Win32.Delf.dt
C:\WINXP\wmplayer.exe/shttps/start.exe Infected: Trojan-Proxy.Win32.Delf.t
C:\WINXP\wmplayer.exe/shttps/svchost.exe Infected: Trojan-Proxy.Win32.Delf.t
C:\WINXP\wmplayer.exe Infected: Trojan-Proxy.Win32.Delf.t

Scan process completed.


***

HiJack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:28:20 PM, on 9/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\Explorer.EXE
C:\WINXP\system32\NOTEPAD.EXE
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/forums/Spy...rch-t30262.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.semafx.net/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINXP\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [Otae] C:\Program Files\tsps\bsos.exe
O4 - HKCU\..\Run: [Giz] C:\WINXP\System32\w?nword.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [SNInstall] C:\WINXP\System32\vxh8jkdq2.exe
O4 - HKCU\..\Run: [aupd] C:\WINXP\System32\sysvcs.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O21 - SSODL: Adobe Photoshop 7.0 - {015FF6B1-3E41-0F00-631C-BDA77F991C68} - c:\program files\adobe\photoshop 7.0\kveew32.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINXP\System32\cmdtel.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINXP\system32\LEXBCES.EXE
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe



***

SmitFile:


smitRem log file
version 2.3

by noahdfear

The current date is: Mon 09/19/2005
The current time is: 21:41:16.26

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :thumbsup:






***

Ewido Log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:27:11 PM, 9/22/2005
+ Report-Checksum: A0F1281

+ Scan result:

C:\Documents and Settings\Scott.MAGOO\Cookies\scott@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Program Files\HiJackThis\backups\backup-20050916-030039-620.dll -> Spyware.Zbar : Cleaned with backup
C:\Program Files\HiJackThis\backups\backup-20050916-030039-684.dll -> Spyware.Zbar : Cleaned with backup
C:\Program Files\HiJackThis\backups\backup-20050916-030039-846.dll -> Spyware.MediaTickets : Cleaned with backup
C:\winld32.dll -> TrojanDownloader.Small.anu : Cleaned with backup
C:\WINXP\Downloaded Program Files\MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned with backup
C:\WINXP\efefdfddfsdh.tmp -> Trojan.Smitfraud : Cleaned with backup
C:\WINXP\sys181.exe -> Worm.Bagz.i : Cleaned with backup
C:\WINXP\sys1814.exe -> Worm.Bagz.i : Cleaned with backup
C:\WINXP\sys1828.exe -> TrojanDropper.Microjoin : Cleaned with backup
C:\WINXP\sys1831.exe -> Worm.Bagz.i : Cleaned with backup
C:\WINXP\sys1840.exe -> TrojanDropper.Microjoin : Cleaned with backup
C:\WINXP\sys1842.exe -> Worm.Bagz.i : Cleaned with backup
C:\WINXP\sys1857.exe -> TrojanDropper.Microjoin : Cleaned with backup
C:\WINXP\sys190.exe -> Worm.Bagz.i : Cleaned with backup
C:\WINXP\sys1911.exe -> Worm.Bagz.i : Cleaned with backup
C:\WINXP\sys1926.exe -> TrojanDropper.Microjoin : Cleaned with backup
C:\WINXP\sys1937.exe -> TrojanDropper.Microjoin : Cleaned with backup
C:\WINXP\sys199.exe -> TrojanDropper.Microjoin : Cleaned with backup
C:\WINXP\sys2248.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINXP\sys4011.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINXP\sys4040.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINXP\sys4041.exe -> Worm.Bagz.i : Cleaned with backup
C:\WINXP\sys4043.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINXP\sys408.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINXP\sys4111.exe -> Worm.Bagz.i : Cleaned with backup
C:\WINXP\sys4112.exe -> TrojanDropper.Microjoin : Cleaned with backup
C:\WINXP\sys4115.exe -> Worm.Bagz.i : Cleaned with backup
C:\WINXP\sys4118.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINXP\system\svchost.dll -> TrojanProxy.Small.bw : Cleaned with backup
C:\WINXP\system\svchosthook.dll -> TrojanProxy.Small.bw : Cleaned with backup
C:\WINXP\system32\59714895.exe -> Spyware.Zbar : Cleaned with backup
C:\WINXP\system32\booleiml.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINXP\system32\cipofkji.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINXP\system32\combo.exe -> Worm.Bagz.i : Cleaned with backup
C:\WINXP\system32\dhmndjil.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINXP\system32\dibbfadp.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINXP\system32\doser.exe -> Trojan.Small.fh : Cleaned with backup
C:\WINXP\system32\eedpjlmc.dll -> Worm.Prox.c : Cleaned with backup
C:\WINXP\system32\fbckalbd.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINXP\system32\gbcklccn.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINXP\system32\hjlcmhog.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINXP\system32\init32m.exe -> TrojanDownloader.Agent.ho : Cleaned with backup
C:\WINXP\system32\lagngbkc.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINXP\system32\latest.exe -> Trojan.Crypt.l : Cleaned with backup
C:\WINXP\system32\lcieoinp.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINXP\system32\leflhejg.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINXP\system32\lojhnfol.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINXP\system32\mobffpni.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINXP\system32\ofccppdl.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINXP\system32\qeqnlfhl.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINXP\system32\sender.exe -> Worm.Bagz.i : Cleaned with backup
C:\WINXP\system32\socks.exe -> Worm.Bagz.i : Cleaned with backup
C:\WINXP\system32\vx.tll -> Adware.SpySheriff : Cleaned with backup
C:\WINXP\system32\vxgame1.exe -> TrojanDropper.Small.acg : Cleaned with backup
C:\WINXP\system32\vxgame3.exe -> TrojanDownloader.Agent.ho : Cleaned with backup
C:\WINXP\system32\vxh8jkdq1.exe -> TrojanDownloader.Small.bho : Cleaned with backup
C:\WINXP\system32\vxh8jkdq5.exe -> TrojanDownloader.Agent.tx : Cleaned with backup
C:\WINXP\system32\vxh8jkdq6.exe -> TrojanDownloader.Small.atl : Cleaned with backup
C:\WINXP\system32\vxh8jkdq7.exe -> TrojanDownloader.Small.atl : Cleaned with backup
C:\WINXP\system32\vxh8jkdq8.exe -> TrojanDownloader.Small.bho : Cleaned with backup
C:\WINXP\system32\ztoolbar.bmp -> Spyware.TNS-Search : Cleaned with backup
C:\WINXP\system32\__delete_on_reboot__tcpG4T.dll -> TrojanSpy.Goldun.bp : Cleaned with backup
C:\WINXP\system32\~update.exe -> Trojan.Crypt.l : Cleaned with backup


::Report End

#6 Bobbi Flekman


    The computer whisperer


  • Malware Response Team
  • 4,422 posts
  • Gender:Male
  • Local time:04:56 PM

Posted 24 September 2005 - 05:45 AM

Hi spd,

miekiemoes is on vacation, so I'll be taking over.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKCU\..\Run: [Otae] C:\Program Files\tsps\bsos.exe
O4 - HKCU\..\Run: [Giz] C:\WINXP\System32\w?nword.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [SNInstall] C:\WINXP\System32\vxh8jkdq2.exe
O4 - HKCU\..\Run: [aupd] C:\WINXP\System32\sysvcs.exe

O21 - SSODL: Adobe Photoshop 7.0 - {015FF6B1-3E41-0F00-631C-BDA77F991C68} - c:\program files\adobe\photoshop 7.0\kveew32.dll (file missing)

O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINXP\System32\cmdtel.exe (file missing)


Then close all windows and browsers except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files?
At the end of the fix you can return the files to hidden status if you want.

A folder or file name with a tilde (~) means that there is a file/folder that starts with the six characters in front of the tilde; note that there may be spaces in the name. If there is more than one, please report them back and do not delete!

Delete the following files in red (it could be that they are deleted already):

C:\WINDOWS\Downloaded Program Files\AskEarth17.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\AskEarth17.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\AskEarth17.exe
C:\WINDOWS\SYSTEM32\DISK.DLL
C:\WINDOWS\SYSTEM32\RANDOM.BAT
C:\WINDOWS\SYSTEM32\web.exe
C:\winnt\system32\drivers\etc\all.exe
C:\winnt\system32\drivers\etc\mybot1.msg
C:\winnt\system32\drivers\etc\ServUDaemon.ini
C:\WINXP\system32\41.dl_
C:\WINXP\system32\785179.exe
C:\WINXP\system32\c43b1s.dll
C:\WINXP\system32\chp.dll
C:\WINXP\wmplayer.exe
C:\WINXP\System32\w?nword.exe
C:\WINXP\System32\vxh8jkdq2.exe
C:\WINXP\System32\sysvcs.exe
C:\WINXP\System32\cmdtel.exe

Delete the following folders in red (it could be that they are deleted already):

C:\Program Files\tsps
C:\Program Files\Common Files\Microsoft Shared\Web Folders

Restart your computer and post a new log in this thread.
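The entry selection the reply above does by eye can be partly scripted. What follows is an added example, not a tool from this thread, from HijackThis or from its author: it applies three of the criteria visible in the instructions above (a browser start or local page set to a bare IP address; a URLSearchHook, SSODL entry or service whose file is reported missing; and a Run entry whose path contains a "?", which HijackThis prints in place of characters it cannot display) to lines copied from the log posted earlier in this thread. The names `triage_line`, `triage_log` and `SAMPLE_LOG` are this example's own.

```python
"""Triage helper for HijackThis log lines (added example, not the thread's tool).

Flags the structural patterns the reply above acts on:
  * R0/R1 browser pages whose host is a literal IP address
  * R3/O2/O21/O23 entries marked "(no file)" or "(file missing)"
  * O4 Run entries whose command path contains "?"
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/forums/Spy...rch-t30262.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Giz] C:\WINXP\System32\w?nword.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O21 - SSODL: Adobe Photoshop 7.0 - {015FF6B1-3E41-0F00-631C-BDA77F991C68} - c:\program files\adobe\photoshop 7.0\kveew32.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINXP\system32\LEXBCES.EXE
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINXP\System32\cmdtel.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")   # "O4 - <body>"
URL_RE = re.compile(r"=\s*(?P<url>\S+)\s*$")                     # "... = http://host/path"
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")  # "Run: [name] command"

MISSING_MARKERS = ("(no file)", "(file missing)")


def _host_is_ip(url):
    """True when the URL's host is a literal IPv4/IPv6 address rather than a name."""
    host = urlparse(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_line(line):
    """Return a reason string if the line trips a rule, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")

    # Rule 1: browser start/default/local page pointing at a bare IP address.
    if kind in ("R0", "R1"):
        u = URL_RE.search(body)
        if u and _host_is_ip(u.group("url")):
            return "browser page set to a bare IP address"

    # Rule 2: a registered hook, BHO, SSODL entry or service whose file is gone.
    if kind in ("R3", "O2", "O21", "O23") and any(mk in body for mk in MISSING_MARKERS):
        return "registered component whose file is missing"

    # Rule 3: a Run entry whose path holds a "?" (an undisplayable character).
    if kind == "O4":
        r = RUN_RE.search(body)
        if r and "?" in r.group("cmd"):
            return "Run entry path contains an undisplayable character"

    return None


def triage_log(text):
    """Return [(line, reason)] for every log line that trips a rule."""
    findings = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG):
        print(f"{why}:\n    {entry}")
```

The rules are structural only. Entries such as [Otae], [Shell], [SNInstall] and [aupd] in the reply were chosen from what the Kaspersky and ewido reports above say about those files, not from the shape of the line, so a script like this narrows the list a helper has to read but does not replace reading the full log.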

#7 spd

  • Topic Starter

  • Members
  • 6 posts
  • Local time:09:56 AM

Posted 25 September 2005 - 05:29 PM

Logfile of HijackThis v1.99.1
Scan saved at 6:28:17 PM, on 9/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\LEXBCES.EXE
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINXP\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINXP\Plaxo\2.1.0.80\InstallStub.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdui.exe
C:\PROGRA~1\SBCSEL~1\ASSTCO~1\MOTIVE~1.EXE
C:\Program Files\SBC Self Support Tool\bin\mad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINXP\System32\devldr32.exe
C:\WINXP\system32\NOTEPAD.EXE
C:\WINXP\System32\logon.scr
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/forums/Spy...rch-t30262.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.semafx.net/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINXP\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINXP\System32\cmdtel.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINXP\system32\LEXBCES.EXE
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

#8 Bobbi Flekman


    The computer whisperer


  • Malware Response Team
  • 4,422 posts
  • Gender:Male
  • Local time:04:56 PM

Posted 26 September 2005 - 04:37 AM

Hi spd,

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINXP\System32\cmdtel.exe (file missing)

Then close all windows and browsers except HijackThis. Tell HijackThis to "Fix checked". Restart your computer and post a new log in this thread.

#9 spd

  • Topic Starter

  • Members
  • 6 posts
  • Local time:09:56 AM

Posted 26 September 2005 - 08:49 AM

Thanks... Here's the latest Hijack log. spd


Logfile of HijackThis v1.99.1
Scan saved at 9:48:44 AM, on 9/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\LEXBCES.EXE
C:\WINXP\system32\spoolsv.exe
C:\WINXP\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\Explorer.EXE
C:\WINXP\System32\taskmgr.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINXP\System32\devldr32.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINXP\Plaxo\2.1.0.80\InstallStub.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdui.exe
C:\Program Files\HiJackThis\HijackThis.exe
C:\WINXP\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/forums/Spy...rch-t30262.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.semafx.net/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINXP\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINXP\System32\cmdtel.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINXP\system32\LEXBCES.EXE
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:56 PM

Posted 27 September 2005 - 11:44 AM

Thanks Bobbi for your help. :thumbsup:

Hi,

Go to Start > Run and copy and paste the next command in the field:

sc delete KDE

Click Ok

Post a new HijackThis log afterwards. :flowers:

Also tell me how things are running.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
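The `sc delete KDE` step above removes the service registration itself, which is why it succeeds where the HijackThis "Fix checked" in the previous post did not: the O23 entry reappeared because the registry key for the service was still there even though its binary, cmdtel.exe, was gone. As an added example (not code from the thread, from HijackThis or from any tool it mentions), the Python below parses the O23 lines copied from the log posted in this thread, separates services whose file is missing from services that merely lack publisher information, and produces the `sc delete` command for the orphaned ones. It assumes the HijackThis convention that the service key name is shown in parentheses only when it differs from the display name; the verdict labels are this example's own.

```python
"""Triage the O23 (Windows service) lines of a HijackThis 1.99.1 log.

Added example, not code from the thread or from HijackThis. It separates
services whose binary is gone ("(file missing)"), which HijackThis could
not remove in this thread and which `sc delete <KeyName>` does remove,
from services that merely lack publisher information ("Unknown owner").
"""
import re

# Constructed sample: O23 lines copied from the log posted above.
SAMPLE_LOG = r"""
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINXP\System32\cmdtel.exe (file missing)
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
"""

# Line shape: O23 - Service: <DisplayName>[ (<KeyName>)] - <Owner> - <Path>[ (file missing)]
# Assumption: HijackThis prints the registry key name in parentheses only
# when it differs from the display name; otherwise the two are identical.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def parse_o23(line):
    """Return a dict for one O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {
        "display": m.group("display"),
        # The key name is what `sc` commands operate on (sc delete KDE).
        "key": m.group("key") or m.group("display"),
        "owner": m.group("owner"),
        "path": m.group("path"),
        "file_missing": m.group("missing") is not None,
    }


def triage(log_text):
    """Attach a verdict to every service found in the log text.

    orphaned: registration exists but the binary is gone (safe to delete)
    review:   HijackThis found no publisher info; check it, do not delete blindly
              (McShield here is McAfee's own engine, also "Unknown owner")
    ok:       known publisher and the file is present
    """
    findings = []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        if svc["file_missing"]:
            svc["verdict"] = "orphaned"
        elif svc["owner"] == "Unknown owner":
            svc["verdict"] = "review"
        else:
            svc["verdict"] = "ok"
        findings.append(svc)
    return findings


def sc_delete_commands(log_text):
    """`sc delete` lines for orphaned services; names with spaces get quoted."""
    cmds = []
    for svc in triage(log_text):
        if svc["verdict"] == "orphaned":
            name = svc["key"]
            cmds.append(f'sc delete "{name}"' if " " in name else f"sc delete {name}")
    return cmds


if __name__ == "__main__":
    for svc in triage(SAMPLE_LOG):
        print(f'{svc["verdict"]:9} {svc["key"]:35} {svc["path"]}')
    for cmd in sc_delete_commands(SAMPLE_LOG):
        print(cmd)
```

On the sample the only `orphaned` entry is KDE, so the output ends with `sc delete KDE`, the exact command given in the post. Before running it on a real machine, `sc qc KDE` shows the BINARY_PATH_NAME the service points at, which should match the missing file in the log; an "Unknown owner" verdict on its own is not evidence of malware, as the McAfee McShield entry in the same log shows.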

#11 Bobbi Flekman

Bobbi Flekman

    The computer whisperer


  • Malware Response Team
  • 4,422 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:56 PM

Posted 28 September 2005 - 05:55 AM

You're welcome.... I leave him in your more than capable hands :thumbsup:

Welcome back!

#12 spd

spd
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:56 AM

Posted 01 October 2005 - 08:52 AM

Hello miekiemoes (and thanks to Bobbi, too!)

Here is my "Final"? HiJack Log...for your enjoyment!

You know, now that you mention it, my pc doesn't seem inclined to email blast out miscellaneous PORNO messages anymore... and my home page is no longer 'jacked.

I have told 5 people about you guys! You are amazing. Let me tell you why. Because these days the media implies that we only show our colors during a major disaster, like the Hurricanes... but I submit that there are caring, unselfish heroes all over the world, helping people in tiny increments, and those little gestures add up... giving me hope for my two little boys- and the future of mankind.

Whew.

A little dramatic? Maybe, but in my own way, I'm merely encouraging generous souls like you to continue the "good fight" and be a hero to someone every day, even if it's to delete a line of mal-code from a tricky pc.

Thank you (to the 10th power)! :thumbsup:

Scott


ps- I hope this wraps it up-- and that I never meet you here again- but under better circumstances elsewhere! :flowers:



Logfile of HijackThis v1.99.1
Scan saved at 9:43:51 AM, on 10/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\LEXBCES.EXE
C:\WINXP\system32\spoolsv.exe
C:\WINXP\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINXP\System32\svchost.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINXP\System32\devldr32.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINXP\Plaxo\2.1.0.80\InstallStub.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINXP\explorer.exe
C:\WINXP\System32\RUNDLL32.exe
C:\WINXP\System32\RUNDLL32.exe
C:\WINXP\system32\rundll32.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/forums/Spy...rch-t30262.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.semafx.net/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINXP\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINXP\system32\LEXBCES.EXE
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:56 PM

Posted 01 October 2005 - 09:11 AM

Hello,

Well, I see a clean HijackThis log. :thumbsup:

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Avoid illegal sites, because that's where most malware is present.

Let your antispyware scanner(s) scan frequently, and don't forget to update them beforehand.

And I do suggest you perform an online virus scan once in a while (HouseCall and/or BitDefender), because what one virus scanner can't find, another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

If you have XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

You can also find more info on how to prevent malware here (by Tony Klein).

Happy surfing again! :flowers:

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:56 PM

Posted 02 October 2005 - 07:32 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
