Stubborn Spyware (bookedspace I Believe)


  • This topic is locked
15 replies to this topic

#1 tuckie


Posted 10 October 2005 - 09:18 PM

Below is my log. I think that it is caused by a piece of spyware called bookedspace. I have run Spybot as well as Ad-Aware with no luck. When I reboot and run Ad-Aware, it's back.
Logfile of HijackThis v1.99.1
Scan saved at 10:07:52 PM, on 10/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\SmVzcwAA\command.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\Sys98.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\All Users\Application Data\msst\mssts.exe
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\cdmodem6.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\windows\rlvknlg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\r?gsvr32.exe
C:\Program Files\sami\emia.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\msst\msst.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Jess\LOCALS~1\Temp\A~NSISu_.exe
C:\Documents and Settings\Jess\Local Settings\Temp\Temporary Directory 1 for HijackThis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {725B8841-1F63-C99B-0BE3-3CAAAA174BE1} - C:\WINDOWS\Jydpigwz.dll
O2 - BHO: (no name) - {2567850C-535D-9A79-6DD8-80C1CB3C2FAA} - C:\WINDOWS\Jydpigwz.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: Search - {3CAD5A2A-8ED8-3AB7-C305-D655A1836881} - C:\WINDOWS\Jydpigwz.dll
O4 - HKLM\..\Run: [YourMonitor] C:\WINDOWS\Sys98
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msst] C:\Documents and Settings\All Users\Application Data\msst\mssts.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Jqcvh] C:\Program Files\Lgmfwph\Eotewwq.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [gerncty] c:\windows\system32\gerncty.exe -start
O4 - HKLM\..\Run: [fxfkvbz] c:\windows\system32\zzevym.exe r
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [eltupt] C:\WINDOWS\eltupt.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [bd65339c88ca] C:\WINDOWS\System32\cdmodem6.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AutoLoader7wv51OcgddLL] "C:\WINDOWS\System32\esedmd.exe" /HideDir /HideUninstall /PC="CP.FHB" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [OSS] C:\windows\rlvknlg.exe -boot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000119.exe
O4 - HKCU\..\Run: [Rbqzef] C:\WINDOWS\System32\r?gsvr32.exe
O4 - HKCU\..\Run: [Iinl] "C:\Program Files\sami\emia.exe" -vt ndrv
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000119.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://www.neededware.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0015.exe
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\nbshrui.dll (file missing)
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmVzcwAA\command.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MainSafe Service (MSFIE) - Unknown owner - C:\WINDOWS\System32\mainsafe.exe (file missing)
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

#2 tuckie

  • Topic Starter


Posted 11 October 2005 - 06:40 AM

Besides popups and search bars on IE, I've also noticed that it creates links to words in every IE site, even when a page cannot be displayed.

#3 Skate_Punk_21

    Crapware Killing Canuck!



Posted 16 October 2005 - 09:03 AM

Please print out or save this page to your desktop in order to assist you when carrying out the following instructions.

Notes
A few things to take care of here, so please read through these instructions and ask any questions you may have before continuing.

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted.


Downloads
Right click on this link and choose Save As. Save it to your desktop. DO NOT RUN IT YET

Boot Into Safe Mode
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.


View Hidden Files and Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.


Potential Uninstallations
Click > Start > Control Panel > Add / Remove Programs and uninstall the following - IF THEY EXIST:
WeatherBug - it's adware. If you didn't install this yourself, uninstall it. If you did install it yourself, you may keep it and ignore any fixes/deletions listed below. For a safer alternative please see Here

DNS
TSA
Sami



Right click on that file we downloaded to your desktop (DelO15Domains) and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.


Start HijackThis Fix
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {725B8841-1F63-C99B-0BE3-3CAAAA174BE1} - C:\WINDOWS\Jydpigwz.dll
O2 - BHO: (no name) - {2567850C-535D-9A79-6DD8-80C1CB3C2FAA} - C:\WINDOWS\Jydpigwz.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: Search - {3CAD5A2A-8ED8-3AB7-C305-D655A1836881} - C:\WINDOWS\Jydpigwz.dll
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [msst] C:\Documents and Settings\All Users\Application Data\msst\mssts.exe
O4 - HKLM\..\Run: [Jqcvh] C:\Program Files\Lgmfwph\Eotewwq.exe
O4 - HKLM\..\Run: [gerncty] c:\windows\system32\gerncty.exe -start
O4 - HKLM\..\Run: [fxfkvbz] c:\windows\system32\zzevym.exe r
O4 - HKLM\..\Run: [eltupt] C:\WINDOWS\eltupt.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [bd65339c88ca] C:\WINDOWS\System32\cdmodem6.exe
O4 - HKLM\..\Run: [AutoLoader7wv51OcgddLL] "C:\WINDOWS\System32\esedmd.exe" /HideDir /HideUninstall /PC="CP.FHB" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [OSS] C:\windows\rlvknlg.exe -boot
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000119.exe
O4 - HKCU\..\Run: [Rbqzef] C:\WINDOWS\System32\r?gsvr32.exe
O4 - HKCU\..\Run: [Iinl] "C:\Program Files\sami\emia.exe" -vt ndrv
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000119.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0015.exe
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\nbshrui.dll (file missing)


Please remember to close all other windows, including browsers then click Fix checked.


File/Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\Cas\
C:\Program Files\AWS\
C:\Program Files\DNS\
c:\program files\support.com\client\lserver\server.vbs
C:\Program Files\Lgmfwph\
C:\Program Files\sf\
C:\Program Files\sami\
C:\Program Files\Common Files\mc-58-12-0000119.exe
C:\Program Files\Common Files\Windows\
C:\Program Files\Common Files\tsa\

C:\Documents and Settings\All Users\Application Data\msst\

C:\WINDOWS\Jydpigwz.dll
C:\WINDOWS\eltupt.exe
C:\WINDOWS\cfgmgr52.dll
C:\windows\rlvknlg.exe
C:\WINDOWS\sfita.exe

C:\WINDOWS\System32\cdmodem6.exe
C:\WINDOWS\System32\esedmd.exe
c:\windows\system32\gerncty.exe
c:\windows\system32\zzevym.exe
C:\WINDOWS\system32\nbshrui.dll
C:\WINDOWS\System32\r?gsvr32.exe <-- BE CAREFUL WITH THIS ONE! - it closely resembles a LEGIT windows File regsvr32.exe but they are NOT the same file.


Reboot your system in Normal Mode.


Perform an online scan with Internet Explorer with Panda ActiveScan
  • Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  • Click Scan Now
  • Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply along with a new HJT log

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan


Please post a fresh HijackThis log & the Log from Panda so that we can check if your system is clean.
If I've helped you in any way, please consider a donation to help me continue the fight.
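The two traps in the fix list above, a lookalike name (r?gsvr32.exe sitting next to the real regsvr32.exe) and a legitimate-looking name in the wrong place (services.exe under Program Files\Common Files, which Panda later tags as Maxifiles), are the kind of thing a small script can flag automatically when reading a HijackThis log. The Python below is an added example, not code from HijackThis, Skate_Punk_21 or BleepingComputer; the sample lines are copied from the thread's log, and the allowlist of where each system binary legitimately lives is an assumption.

```python
"""Flag lookalike and misplaced copies of Windows system binaries in a
HijackThis-style log.

Added example, not code from HijackThis or the BleepingComputer thread.
The sample log lines are copied from the thread; the allowlist of where
each system binary legitimately lives is an assumption for illustration.
"""
import re

# Assumed allowlist: legitimate executable name -> directories it should
# run from (lowercase).  A real inventory would be much longer.
LEGIT = {
    "regsvr32.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
}

# Characters normally seen in 8.3 or long file names; anything else
# (such as the '?' the log shows in place of a non-ASCII letter) is suspect.
ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789._-~$()[]")

# Matches a drive-letter path ending in a program/library extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|vbs)\b', re.IGNORECASE)

# Constructed sample: a few lines taken from the thread's HijackThis log.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\services.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\r?gsvr32.exe
C:\Program Files\Common Files\services.exe
O4 - HKCU\..\Run: [Rbqzef] C:\WINDOWS\System32\r?gsvr32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmVzcwAA\command.exe
"""


def edit_distance(a, b):
    """Levenshtein distance; one substitution/insertion/deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path):
    """Return a finding for one path, or None if nothing looks wrong."""
    directory, _, name = path.lower().rpartition("\\")
    for legit, dirs in LEGIT.items():
        if name == legit:
            # Right name, but is it running from where the real one lives?
            if directory not in dirs:
                return f"{legit} running from unexpected directory {directory}"
            return None
        # One character off from a system binary: r?gsvr32.exe vs regsvr32.exe
        if edit_distance(name, legit) == 1:
            return f"lookalike of {legit}"
    if any(c not in ALLOWED for c in name):
        return "unusual character in file name"
    return None


def scan_log(text):
    """Extract every path from the log and return [(path, finding), ...]."""
    findings, seen = [], set()
    for line in text.splitlines():
        for path in PATH_RE.findall(line):
            if path.lower() in seen:      # same path listed as process and Run key
                continue
            seen.add(path.lower())
            finding = classify(path)
            if finding:
                findings.append((path, finding))
    return findings


if __name__ == "__main__":
    for path, finding in scan_log(SAMPLE_LOG):
        print(f"{finding}: {path}")
```

Run against the full log, this reports exactly the two entries the helper singles out and stays quiet on the AVG, Sony and ATI processes.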

#4 tuckie

  • Topic Starter


Posted 17 October 2005 - 11:21 PM

Thanks for the help!
From Panda:
Incident Status Location

Adware:adware/purityscan No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\!update.exe
Adware:adware/savenow No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\auf0.exe
Adware:adware/consumeralertsystemNo disinfected C:\Documents and Settings\Jess\Local Settings\Temp\cassetup.exe
Adware:adware/ist.istbar No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\targetsaver.exe
Adware:adware/alwaysupdatednewsNo disinfected C:\Documents and Settings\Jess\Local Settings\Temp\toc_0018.exe
Adware:adware/sqwire No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\ts_8_new.exe
Adware:adware/virtualbouncer No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\wrapperouter.exe
Adware:adware/pacimedia No disinfected c:\documents and settings\jess\favorites\1111\1111.url
Adware:adware/maxifiles No disinfected C:\PROGRAM FILES\COMMON FILES\services.exe
Adware:adware/ezula No disinfected C:\WINDOWS\SYSTEM32\ezPopStub.exe
Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM32\msclock32.dll
Spyware:spyware/marketscore No disinfected C:\WINDOWS\SYSTEM32\rk.bin
Adware:adware/iedriver No disinfected C:\WINDOWS\SYSTEM32\Searchx.htm
Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM32\stlb2.xml
Adware:adware/searchforit No disinfected C:\WINDOWS\SYSTEM32\SYSsfitb.dll
Adware:adware/mirar No disinfected C:\WINDOWS\SYSTEM32\WinNB57.dll
Adware:adware/neededware No disinfected C:\WINDOWS\SYSTEM32\WinStat11.dll
Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM32\winupdt.008
Adware:adware/ncase No disinfected C:\TEMP\salm.log
Adware:adware/searchtheweb No disinfected C:\WINDOWS\SYSTEM32\CACHE\mswinstall.exe
Adware:adware/mediatickets No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\MediaTicketsInstaller.INF
Spyware:spyware/surfsidekick No disinfected C:\Documents and Settings\Jess\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/topspyware No disinfected C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\wmplayer.exe.tmp
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.dll
Spyware:spyware/new.net No disinfected C:\WINDOWS\NDNuninstall6_38.exe
Adware:adware/aurora No disinfected C:\WINDOWS\svcproc.exe
Spyware:spyware/betterinet No disinfected C:\WINDOWS\thin-143-1-x-x.exe
Adware:adware/sahagent No disinfected C:\WINDOWS\unstall.exe
Adware:adware/fizzle No disinfected C:\PROGRAM FILES\FwBarTemp
Adware:adware/ist.sidefind No disinfected C:\PROGRAM FILES\SideFind
Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/beginto No disinfected C:\WINDOWS\SYSTEM32\cache32_rtneg2
Adware:adware/elitebar No disinfected C:\WINDOWS\etb
Adware:adware/novo No disinfected Windows Registry
Adware:Adware/Exact.BargainBuddyNo disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\85MNU723\dating[1].bmp
Adware:Adware/Exact.BargainBuddyNo disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KL49OH2R\casino[1].bmp
Adware:Adware/Exact.BargainBuddyNo disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\UJS9OLUR\virus[1].bmp
Adware:Adware/StartPage.AHW No disinfected C:\Documents and Settings\Jess\Desktop\backups\backup-20051017-231448-215.dll
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\!update.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\auf0.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\auf1.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\auf2.exe
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Documents and Settings\Jess\Local Settings\Temp\cassetup.exe
Adware:Adware/nCase No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\Del2E.tmp
Adware:Adware/IST.SideFind No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\GLF72GLF72.EXE
Adware:Adware/eZula No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\GLFAFGLFAF.EXE
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\i4C.tmp
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\i60.tmp
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\i87.tmp
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\JAE\auraupg1.exe
Adware:Adware/DownloadWare No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\nst46.EXE
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\ptf_0008.exe
Adware:Adware/nCase No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\res159.tmp
Spyware:Spyware/UrlSpy No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\setup1024.exe
Adware:Adware/IST.SideFind No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\targetsaver.exe
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Documents and Settings\Jess\Local Settings\Temp\temp.fr5561
Adware:Adware/Exact.BargainBuddyNo disinfected C:\Documents and Settings\Jess\Local Settings\Temp\temp.fr7D05\xml\images\casino.bmp
Adware:Adware/Exact.BargainBuddyNo disinfected C:\Documents and Settings\Jess\Local Settings\Temp\temp.fr7D05\xml\images\dating.bmp
Adware:Adware/Exact.BargainBuddyNo disinfected C:\Documents and Settings\Jess\Local Settings\Temp\temp.fr7D05\xml\images\virus.bmp
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\temp.fr8B2B\MediaGateway.exe
Adware:Adware/WinTools No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\toolbar.dll
Adware:Adware/eZula No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\ts_8_new.exe
Adware:Adware/ClockSync No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\VVSNInst.exe
Adware:Adware/VirtualBouncer No disinfected C:\Documents and Settings\Jess\Local Settings\Temp\wrapperouter.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\InetGet\mc-58-12-0000119.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\InetGet2\mc-58-12-0000119.exe
Adware:Adware/IST.SideFind No disinfected C:\Program Files\Common Files\murm\murmp.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\services.exe
Virus:Trj/Downloader.BYN Disinfected C:\Program Files\Windows Media Player\wmplayer.exe
Virus:Trj/Downloader.BYN Disinfected C:\Program Files\Windows Media Player\wmplayer.exe.tmp
Adware:Adware/ConsumerAlertSystemNo disinfected C:\RECYCLER\S-1-5-21-3295179371-1732902384-45650372-1005\Dc39\Client\Uninstall.exe
Adware:Adware/Maxifiles No disinfected C:\RECYCLER\S-1-5-21-3295179371-1732902384-45650372-1005\Dc42\cwebpage.dll
Spyware:Spyware/MarketScore No disinfected C:\RECYCLER\S-1-5-21-3295179371-1732902384-45650372-1005\Dc43.exe
Adware:Adware/StartPage.AHW No disinfected C:\WINDOWS\bs7beta.exe
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\cfgmgr52.dll
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.INF
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx
Adware:Adware/nCase No disinfected C:\WINDOWS\Downloaded Program Files\RCX15A.tmp
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\dsjxouyl.exe
Adware:Adware/Imibar No disinfected C:\WINDOWS\eltt.dll
Adware:Adware/PortalScan No disinfected C:\WINDOWS\Helper101.dll
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_38.exe
Adware:Adware/Aurora No disinfected C:\WINDOWS\svcproc.exe
Spyware:Spyware/UrlSpy No disinfected C:\WINDOWS\system32\apcups60.exe
Spyware:Spyware/UrlSpy No disinfected C:\WINDOWS\system32\ati3d2ag.exe
Adware:Adware/Adshooter No disinfected C:\WINDOWS\system32\ca.dll
Adware:Adware/Searchforit No disinfected C:\WINDOWS\system32\ca2.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\Cache\installer.exe
Adware:Adware/Novo No disinfected C:\WINDOWS\system32\CDM\omyfhwpmra.dll
Adware:Adware/DownloadWare No disinfected C:\WINDOWS\system32\CDM\omyfhwpmra.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\cgmuid.dll
Adware:Adware/BrowserAid No disinfected C:\WINDOWS\system32\D0CE0C16B1.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\dbcdll.dll
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\ezPopStub.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\kgdsg.dll
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\MediaGateway.exe
Adware:Adware/NaviPromo No disinfected C:\WINDOWS\system32\msclock32.dll
Adware:Adware/ISearch No disinfected C:\WINDOWS\system32\MTE2ODI6ODoxNg.exe
Adware:Adware/ISearch No disinfected C:\WINDOWS\system32\MTE2ODM6ODoxNg.exe
Adware:Adware/AdLogix No disinfected C:\WINDOWS\system32\nmjpgf.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\system32\NNSCAA638.EXE
Adware:Adware/BigTrafficNet No disinfected C:\WINDOWS\system32\nsjA3.dll
Adware:Adware/Adtomi No disinfected C:\WINDOWS\system32\pnn11.dll
Adware:Adware/Searchforit No disinfected C:\WINDOWS\system32\SYSsfitb.dll
Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\system32\tsuninst.exe
Adware:Adware/Mirar No disinfected C:\WINDOWS\system32\WinNB57.dll
Adware:Adware/Winstat No disinfected C:\WINDOWS\system32\WinStat11.dll
Adware:Adware/Winstat No disinfected C:\WINDOWS\system32\WinStat12.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\wxcdlg.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\xmywt.dll
Adware:Adware/ISearch No disinfected C:\WINDOWS\Temp\cmdinst.exe
Spyware:Spyware/SurfSideKick No disinfected C:\WINDOWS\Temp\i87.tmp
Adware:Adware/WinAD No disinfected C:\WINDOWS\Temp\MediaAccessInstPack.exe
Adware:Adware/Pacimedia No disinfected C:\WINDOWS\Temp\ptf_0026.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Temp\upd209.exe
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\Temp\wrapperouter.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\thin-143-1-x-x.exe
Spyware:Spyware/ShopNav No disinfected C:\WINDOWS\unist2.exe
Logfile of HijackThis v1.99.1
Scan saved at 12:19:32 AM, on 10/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\SmVzcwAA\command.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\WINDOWS\Sys98.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jess\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [YourMonitor] C:\WINDOWS\Sys98
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmVzcwAA\command.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MainSafe Service (MSFIE) - Unknown owner - C:\WINDOWS\System32\mainsafe.exe (file missing)
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
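Added example, not part of this thread and not HijackThis code: a short Python triage pass over the O4 (autorun) and O23 (service) lines that HijackThis prints, run here on lines copied from the log above as constructed sample input. The heuristics are my own: HijackThis prints "Unknown owner" when it cannot read a company name from the binary, "(file missing)" marks a service registration whose file is gone, and a directory name that is valid base64 is worth decoding. The SmVzcwAA directory in this log decodes to "Jess", the profile name that appears in the paths later in the thread.

```python
"""Triage helper for HijackThis 1.99.1 log lines (added example)."""
import base64
import re

# Constructed sample: lines copied from the log posted at the top of this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [YourMonitor] C:\WINDOWS\Sys98
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmVzcwAA\command.exe
O23 - Service: MainSafe Service (MSFIE) - Unknown owner - C:\WINDOWS\System32\mainsafe.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<svc>[^()]*)\) - (?P<owner>.+?) - (?P<path>.+)$"
)
# The program part of a Run value, quoted or not, with any arguments dropped.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.(?:exe|com|scr|bat|cmd|pif))(?:"|\s|$)', re.I)


def decode_base64_name(name):
    """Return the printable ASCII a directory name base64-decodes to, else None.

    Some installers name their drop directory with base64 of a local value;
    the SmVzcwAA directory in this thread decodes to the user name "Jess".
    """
    if len(name) < 8 or len(name) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", name):
        return None
    try:
        raw = base64.b64decode(name, validate=True)
        text = raw.rstrip(b"\x00").decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    if text and all(32 <= ord(c) < 127 for c in text):
        return text
    return None


def executable_of(run_value):
    """Pull the program path out of a Run value such as '"C:\\x\\y.exe" -flag'."""
    m = EXE_RE.match(run_value.strip())
    if m:
        return m["exe"]
    return run_value.strip().strip('"').split(" ")[0]


def path_findings(path):
    """Heuristics over one path: bare names, no extension, odd directory names."""
    parts = re.split(r"[\\/]+", path.strip())
    reasons = []
    if len(parts) == 1:
        reasons.append("bare file name, resolved through the search path")
    if "." not in parts[-1]:
        reasons.append("no file extension on the executable")
    if len(parts) == 3 and parts[1].upper() == "WINDOWS":
        reasons.append("executable sits directly in the Windows directory")
    for d in parts[:-1]:
        decoded = decode_base64_name(d)
        if decoded:
            reasons.append(f"directory {d!r} is base64 for {decoded!r}")
    return reasons


def triage(log_text):
    """Return [(line, [reasons])] for every O4/O23 line that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        m = O23_RE.match(line)
        if m:
            path = m["path"]
            if path.endswith("(file missing)"):
                reasons.append("service points at a file that no longer exists")
                path = path[: -len("(file missing)")]
            if m["owner"] == "Unknown owner":
                reasons.append("no company name readable from the service binary")
            reasons += path_findings(path)
        else:
            m = O4_RE.match(line)
            if m:
                reasons += path_findings(executable_of(m["cmd"]))
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

On the sample the AVG service and the Java updater come out clean, while the cmdService entry is flagged twice (no company name, base64 directory), the MainSafe entry for its missing file, and the YourMonitor entry for having no extension and living in the Windows directory root. These are pointers for a human, not a verdict; the Sony services in the full log also show "Unknown owner" and are legitimate.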

#5 Skate_Punk_21

Posted 18 October 2005 - 09:29 AM

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! and install it. DO NOT RUN IT YET

Paste from ClipBoard!
Download Killbox
Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Select each of the following files below with your mouse, then right-click and select Copy. Check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Now in KillBox go to File, then select Paste from Clipboard. Now hit the X button (choose YES when it asks if you want to reboot). Click Yes at the 'Pending Operations' prompt if you see it:

C:\PROGRAM FILES\COMMON FILES\services.exe
C:\WINDOWS\SYSTEM32\ezPopStub.exe
C:\WINDOWS\SYSTEM32\msclock32.dll
C:\WINDOWS\SYSTEM32\rk.bin
C:\WINDOWS\SYSTEM32\Searchx.htm
C:\WINDOWS\SYSTEM32\stlb2.xml
C:\WINDOWS\SYSTEM32\SYSsfitb.dll
C:\WINDOWS\SYSTEM32\WinNB57.dll
C:\WINDOWS\SYSTEM32\WinStat11.dll
C:\WINDOWS\SYSTEM32\winupdt.008
C:\WINDOWS\SYSTEM32\CACHE\mswinstall.exe
C:\WINDOWS\DOWNLOADED PROGRAM FILES\MediaTicketsInstaller.INF
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\svcproc.exe
C:\WINDOWS\thin-143-1-x-x.exe
C:\WINDOWS\unstall.exe
C:\Program Files\Common Files\services.exe
C:\WINDOWS\bs7beta.exe
C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx
C:\WINDOWS\Downloaded Program Files\RCX15A.tmp
C:\WINDOWS\dsjxouyl.exe
C:\WINDOWS\eltt.dll
C:\WINDOWS\Helper101.dll
C:\WINDOWS\system32\apcups60.exe
C:\WINDOWS\system32\ati3d2ag.exe
C:\WINDOWS\system32\ca.dll
C:\WINDOWS\system32\ca2.dll
C:\WINDOWS\system32\Cache\installer.exe
C:\WINDOWS\system32\CDM\omyfhwpmra.dll
C:\WINDOWS\system32\CDM\omyfhwpmra.exe
C:\WINDOWS\system32\cgmuid.dll
C:\WINDOWS\system32\D0CE0C16B1.DLL
C:\WINDOWS\system32\dbcdll.dll
C:\WINDOWS\system32\ezPopStub.exe
C:\WINDOWS\system32\kgdsg.dll
C:\WINDOWS\system32\MediaGateway.exe
C:\WINDOWS\system32\msclock32.dll
C:\WINDOWS\system32\MTE2ODI6ODoxNg.exe
C:\WINDOWS\system32\MTE2ODM6ODoxNg.exe
C:\WINDOWS\system32\nmjpgf.exe
C:\WINDOWS\system32\NNSCAA638.EXE
C:\WINDOWS\system32\nsjA3.dll
C:\WINDOWS\system32\pnn11.dll
C:\WINDOWS\system32\SYSsfitb.dll
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\WinNB57.dll
C:\WINDOWS\system32\WinStat11.dll
C:\WINDOWS\system32\WinStat12.dll
C:\WINDOWS\system32\wxcdlg.dll
C:\WINDOWS\system32\xmywt.dll
C:\WINDOWS\thin-143-1-x-x.exe
C:\WINDOWS\unist2.exe


Boot Into Safe Mode
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in safe mode, delete the following folders:

C:\PROGRAM FILES\FwBarTemp\
C:\PROGRAM FILES\SideFind\
C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs\
C:\WINDOWS\SYSTEM32\cache32_rtneg2\
C:\WINDOWS\etb\
C:\Program Files\Common Files\InetGet\
C:\Program Files\Common Files\murm\
c:\documents and settings\jess\favorites\1111\

Reboot back to normal mode

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click Start Scan
  • After it's done scanning, click Scan Results
  • Make sure all items found have a check next to them, then click Clean Threats Now.
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called Antispyware.log, please double-click that log and copy the entire contents and paste them here.

Edited by Skate_Punk_21, 18 October 2005 - 09:30 AM.

If I've helped you in any way, please consider a donation to help me continue the fight.

#6 tuckie

Posted 18 October 2005 - 07:42 PM

Started Scanning
Internet Cookies
Found 'btg.btgrab.com' in 'Internet Explorer Cache'
Found 'partypoker.com' in 'Internet Explorer Cache'
Found 'exitexchange.com' in 'Internet Explorer Cache'
Found 'dist.belnk.com' in 'Internet Explorer Cache'
Found 'www.allthatsearch.com' in 'Internet Explorer Cache'
Found 'www.searchingbooth.com' in 'Internet Explorer Cache'
Found 'adopt.specificclick.net' in 'Internet Explorer Cache'
Found 'belnk.com' in 'Internet Explorer Cache'
Found 'cliks.org' in 'Internet Explorer Cache'
Found 'abetterinternet.com' in 'Internet Explorer Cache'
Found 'hits.clickandtrack.net' in 'Internet Explorer Cache'
Found 'ads.cc214142.com' in 'Internet Explorer Cache'
Found 'ad.yieldmanager.com' in 'Internet Explorer Cache'
Found 'btg.btgrab.com' in 'Internet Explorer Cache'
Found 'offeroptimizer.com' in 'Internet Explorer Cache'
Found 'com.com' in 'Internet Explorer Cache'
Found 'media.top-banners.com' in 'Internet Explorer Cache'
Found 'hc2.humanclick.com' in 'Internet Explorer Cache'
Found 'atwola.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'SOFTWARE\Magnet'
Found '' in 'Software\dsktb\DesktopToolbar'
Found 'iebar' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform'
Found 'PluginLevel' in 'SYSTEM\CurrentControlSet\Control\Session Manager'
Found '' in 'SOFTWARE\Classes\EPXACTIVEX.EPXActiveXCtrl.1'
Found '' in 'SOFTWARE\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility'
Found '' in 'SOFTWARE\Classes\CLSID\{42F2C9BA-614F-47c0-B3E3-ECFD34EED658}'
Found '' in 'CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
Found '' in 'CLSID\{7149E79C-DC19-4C5E-A53C-A54DDF75EEE9}'
Found '' in 'SOFTWARE\Classes\CLSID\{7149E79C-DC19-4C5E-A53C-A54DDF75EEE9}'
Found '' in 'CLSID\{7149E79C-DC19-4C5E-A53C-A54DDF75EEE9}'
Found '' in 'SOFTWARE\Classes\CLSID\{7149E79C-DC19-4C5E-A53C-A54DDF75EEE9}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}'
Internet URL Shortcuts
Files and Directories
Found 'MediaTicketsInstaller.INF' in 'C:\!KillBox'
Found 'NDNuninstall6_38.exe' in 'C:\!KillBox'
Found 'nmjpgf.exe' in 'C:\!KillBox'
Found 'omyfhwpmra.dll' in 'C:\!KillBox'
Found 'omyfhwpmra.exe' in 'C:\!KillBox'
Found 'auf0.exe' in 'C:\Documents and Settings\Jess\Local Settings\Temp'
Found 'auf1.exe' in 'C:\Documents and Settings\Jess\Local Settings\Temp'
Found 'auf2.exe' in 'C:\Documents and Settings\Jess\Local Settings\Temp'
Found 'GLCB3.tmp' in 'C:\Documents and Settings\Jess\Local Settings\Temp'
Found 'GLKB7.tmp' in 'C:\Documents and Settings\Jess\Local Settings\Temp'
Found 'GLMB8.tmp' in 'C:\Documents and Settings\Jess\Local Settings\Temp'
Found 'nst46.EXE' in 'C:\Documents and Settings\Jess\Local Settings\Temp'
Found 'VVSNInst.exe' in 'C:\Documents and Settings\Jess\Local Settings\Temp'
Found '~DF79A2.tmp' in 'C:\Documents and Settings\Jess\Local Settings\Temp'
Found 'salm_gdf.dat' in 'C:\temp'
Found '' in 'C:\WINDOWS\bsx32'
Found 'EECH1.bsx' in 'C:\WINDOWS\bsx32'
Found 'SPZ3.bsx' in 'C:\WINDOWS\bsx32'
Found 'EECH1.bsx' in 'C:\WINDOWS\cfgmgr52'
Found 'SPZ3.bsx' in 'C:\WINDOWS\cfgmgr52'
Found 'omyfhwpmra.dat' in 'C:\WINDOWS\system32\CDM'
Found 'creditcard32123123123asdsa123.ico' in 'C:\WINDOWS\system32'
Found 'wtscc.exe' in 'C:\WINDOWS\system32'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\!KillBox\MediaTicketsInstaller.INF' in shortcut areas.
Checking for 'C:\!KillBox\MediaTicketsInstaller.INF' in startup areas.
Cleaning 'C:\!KillBox\MediaTicketsInstaller.INF'
Checking for 'C:\!KillBox\NDNuninstall6_38.exe' in shortcut areas.
Checking for 'C:\!KillBox\NDNuninstall6_38.exe' in startup areas.
Cleaning 'C:\!KillBox\NDNuninstall6_38.exe'
Checking for 'C:\!KillBox\nmjpgf.exe' in shortcut areas.
Checking for 'C:\!KillBox\nmjpgf.exe' in startup areas.
Cleaning 'C:\!KillBox\nmjpgf.exe'
Checking for 'C:\!KillBox\omyfhwpmra.dll' in shortcut areas.
Checking for 'C:\!KillBox\omyfhwpmra.dll' in startup areas.
Cleaning 'C:\!KillBox\omyfhwpmra.dll'
Checking for 'C:\!KillBox\omyfhwpmra.exe' in shortcut areas.
Checking for 'C:\!KillBox\omyfhwpmra.exe' in startup areas.
Cleaning 'C:\!KillBox\omyfhwpmra.exe'
Checking for 'C:\Documents and Settings\Jess\Local Settings\Temp\auf0.exe' in shortcut areas.
Checking for 'C:\Documents and Settings\Jess\Local Settings\Temp\auf0.exe' in startup areas.
Cleaning 'C:\Documents and Settings\Jess\Local Settings\Temp\auf0.exe'
Checking for 'C:\Documents and Settings\Jess\Local Settings\Temp\auf1.exe' in shortcut areas.
Checking for 'C:\Documents and Settings\Jess\Local Settings\Temp\auf1.exe' in startup areas.
Cleaning 'C:\Documents and Settings\Jess\Local Settings\Temp\auf1.exe'
Checking for 'C:\Documents and Settings\Jess\Local Settings\Temp\auf2.exe' in shortcut areas.
Checking for 'C:\Documents and Settings\Jess\Local Settings\Temp\auf2.exe' in startup areas.
Cleaning 'C:\Documents and Settings\Jess\Local Settings\Temp\auf2.exe'
Checking for 'C:\Documents and Settings\Jess\Local Settings\Temp\GLCB3.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Jess\Local Settings\Temp\GLCB3.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Jess\Local Settings\Temp\GLCB3.tmp'
Checking for 'C:\Documents and Settings\Jess\Local Settings\Temp\GLKB7.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Jess\Local Settings\Temp\GLKB7.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Jess\Local Settings\Temp\GLKB7.tmp'
Checking for 'C:\Documents and Settings\Jess\Local Settings\Temp\GLMB8.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Jess\Local Settings\Temp\GLMB8.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Jess\Local Settings\Temp\GLMB8.tmp'
Checking for 'C:\Documents and Settings\Jess\Local Settings\Temp\nst46.EXE' in shortcut areas.
Checking for 'C:\Documents and Settings\Jess\Local Settings\Temp\nst46.EXE' in startup areas.
Cleaning 'C:\Documents and Settings\Jess\Local Settings\Temp\nst46.EXE'
Checking for 'C:\Documents and Settings\Jess\Local Settings\Temp\VVSNInst.exe' in shortcut areas.
Checking for 'C:\Documents and Settings\Jess\Local Settings\Temp\VVSNInst.exe' in startup areas.
Cleaning 'C:\Documents and Settings\Jess\Local Settings\Temp\VVSNInst.exe'
Checking for 'C:\Documents and Settings\Jess\Local Settings\Temp\~DF79A2.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Jess\Local Settings\Temp\~DF79A2.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Jess\Local Settings\Temp\~DF79A2.tmp'
Checking for 'C:\temp\salm_gdf.dat' in shortcut areas.
Checking for 'C:\temp\salm_gdf.dat' in startup areas.
Cleaning 'C:\temp\salm_gdf.dat'
Checking for 'C:\WINDOWS\bsx32' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32' in startup areas.
Cleaning 'C:\WINDOWS\bsx32'
Checking for 'C:\WINDOWS\bsx32\ASI2.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\ASI2.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\ASI2.bsx'
Checking for 'C:\WINDOWS\bsx32\ASICLRE.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\ASICLRE.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\ASICLRE.bsx'
Checking for 'C:\WINDOWS\bsx32\ASICLV.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\ASICLV.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\ASICLV.bsx'
Checking for 'C:\WINDOWS\bsx32\ASIEPRE.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\ASIEPRE.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\ASIEPRE.bsx'
Checking for 'C:\WINDOWS\bsx32\ASIEZ.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\ASIEZ.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\ASIEZ.bsx'
Checking for 'C:\WINDOWS\bsx32\ASIKAB.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\ASIKAB.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\ASIKAB.bsx'
Checking for 'C:\WINDOWS\bsx32\ASIMBC.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\ASIMBC.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\ASIMBC.bsx'
Checking for 'C:\WINDOWS\bsx32\ASIRCPRE.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\ASIRCPRE.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\ASIRCPRE.bsx'
Checking for 'C:\WINDOWS\bsx32\ASISS2RE.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\ASISS2RE.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\ASISS2RE.bsx'
Checking for 'C:\WINDOWS\bsx32\ASISSRE.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\ASISSRE.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\ASISSRE.bsx'
Checking for 'C:\WINDOWS\bsx32\bspace.html' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\bspace.html' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\bspace.html'
Checking for 'C:\WINDOWS\bsx32\EECH1.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\EECH1.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\EECH1.bsx'
Checking for 'C:\WINDOWS\bsx32\SPZ3.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\SPZ3.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\SPZ3.bsx'
Checking for 'C:\WINDOWS\bsx32\TMPC.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\TMPC.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\TMPC.bsx'
Checking for 'C:\WINDOWS\bsx32\TMPD.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\TMPD.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\TMPD.bsx'
Checking for 'C:\WINDOWS\bsx32\TMPE.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\TMPE.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\TMPE.bsx'
Checking for 'C:\WINDOWS\bsx32\TMPF.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\TMPF.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\TMPF.bsx'
Checking for 'C:\WINDOWS\bsx32\TMPFAM.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\TMPFAM.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\TMPFAM.bsx'
Checking for 'C:\WINDOWS\bsx32\TMPFI.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\TMPFI.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\TMPFI.bsx'
Checking for 'C:\WINDOWS\bsx32\TMPFIN.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\TMPFIN.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\TMPFIN.bsx'
Checking for 'C:\WINDOWS\bsx32\TMPG.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\TMPG.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\TMPG.bsx'
Checking for 'C:\WINDOWS\bsx32\TMPH.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\TMPH.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\TMPH.bsx'
Checking for 'C:\WINDOWS\bsx32\TMPHL.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\TMPHL.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\TMPHL.bsx'
Checking for 'C:\WINDOWS\bsx32\TMPJ.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\TMPJ.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\TMPJ.bsx'
Checking for 'C:\WINDOWS\bsx32\TMPM.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\TMPM.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\TMPM.bsx'
Checking for 'C:\WINDOWS\bsx32\TMPMTV.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\TMPMTV.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\TMPMTV.bsx'
Checking for 'C:\WINDOWS\bsx32\TMPN.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\TMPN.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\TMPN.bsx'
Checking for 'C:\WINDOWS\bsx32\TMPR.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\TMPR.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\TMPR.bsx'
Checking for 'C:\WINDOWS\bsx32\TMPS.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\TMPS.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\TMPS.bsx'
Checking for 'C:\WINDOWS\bsx32\TMPSHOP.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\TMPSHOP.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\TMPSHOP.bsx'
Checking for 'C:\WINDOWS\bsx32\TMPSP.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\TMPSP.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\TMPSP.bsx'
Checking for 'C:\WINDOWS\bsx32\TMPW.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\TMPW.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\TMPW.bsx'
Checking for 'C:\WINDOWS\bsx32\WEBS1.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\WEBS1.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\WEBS1.bsx'
Checking for 'C:\WINDOWS\bsx32\WEBS2.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\WEBS2.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\WEBS2.bsx'
Checking for 'C:\WINDOWS\bsx32\ZNETGP.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\ZNETGP.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\ZNETGP.bsx'
Checking for 'C:\WINDOWS\bsx32\EECH1.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\EECH1.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\EECH1.bsx'
[SCANMODS] The file 'C:\WINDOWS\bsx32\EECH1.bsx' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\WINDOWS\bsx32\SPZ3.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\bsx32\SPZ3.bsx' in startup areas.
Cleaning 'C:\WINDOWS\bsx32\SPZ3.bsx'
[SCANMODS] The file 'C:\WINDOWS\bsx32\SPZ3.bsx' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\WINDOWS\cfgmgr52\EECH1.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\cfgmgr52\EECH1.bsx' in startup areas.
Cleaning 'C:\WINDOWS\cfgmgr52\EECH1.bsx'
Checking for 'C:\WINDOWS\cfgmgr52\SPZ3.bsx' in shortcut areas.
Checking for 'C:\WINDOWS\cfgmgr52\SPZ3.bsx' in startup areas.
Cleaning 'C:\WINDOWS\cfgmgr52\SPZ3.bsx'
Checking for 'C:\WINDOWS\system32\CDM\omyfhwpmra.dat' in shortcut areas.
Checking for 'C:\WINDOWS\system32\CDM\omyfhwpmra.dat' in startup areas.
Cleaning 'C:\WINDOWS\system32\CDM\omyfhwpmra.dat'
Checking for 'C:\WINDOWS\system32\creditcard32123123123asdsa123.ico' in shortcut areas.
Checking for 'C:\WINDOWS\system32\creditcard32123123123asdsa123.ico' in startup areas.
Cleaning 'C:\WINDOWS\system32\creditcard32123123123asdsa123.ico'
Checking for 'C:\WINDOWS\system32\wtscc.exe' in shortcut areas.
Checking for 'C:\WINDOWS\system32\wtscc.exe' in startup areas.
Cleaning 'C:\WINDOWS\system32\wtscc.exe'
Finished Cleaning

#7 Skate_Punk_21

Posted 18 October 2005 - 10:42 PM

Well tuckie, how's it feel to get rid of all that?!
Just curious as to how everything is performing now before I decide on the next step.
Skate

Edited by Skate_Punk_21, 18 October 2005 - 10:42 PM.


#8 tuckie

Posted 19 October 2005 - 07:14 AM

Thanks for the help; it feels pretty good ;). I've been trying to remove this stuff for a week or two now, and Ad-Aware just wasn't cutting it. :thumbsup:

#9 tuckie

Posted 19 October 2005 - 07:28 AM

It's working a lot better now. I'm no longer getting random popups, there are no more random hyperlinks on sites, and a search bar in IE is finally gone.

Edit: I am still getting an Internet Enhancer popup that doesn't put an icon in the start bar. It says "Do you want to enhance your Internet experience?"

I had been getting this in the past as well.

Edited by tuckie, 19 October 2005 - 08:01 AM.


#10 Skate_Punk_21

Posted 19 October 2005 - 08:47 AM

Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

+++++++++++++++++++++++++++++++

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.


Using Uninstall Manager
  • Double click on HijackThis.exe to run it.
  • Go to Config || Misc Tools
  • click the button labelled "Open Uninstall Manager"
  • To get a quick uninstall log, click the "Save List" button
POST BOTH LOGS HERE PLEASE

Edited by Skate_Punk_21, 19 October 2005 - 08:47 AM.


#11 tuckie

Posted 19 October 2005 - 07:37 PM

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:31:34 PM, 10/19/2005
+ Report-Checksum: B8F87C77

+ Scan result:

[1760] C:\WINDOWS\SmVzcwAA\asappsrv.dll -> Spyware.CommAd : Error during cleaning
[676] C:\WINDOWS\SmVzcwAA\asappsrv.dll -> Spyware.CommAd : Error during cleaning
[684] C:\WINDOWS\SmVzcwAA\asappsrv.dll -> Spyware.CommAd : Error during cleaning
[700] C:\WINDOWS\SmVzcwAA\asappsrv.dll -> Spyware.CommAd : Error during cleaning
[708] C:\WINDOWS\SmVzcwAA\asappsrv.dll -> Spyware.CommAd : Error during cleaning
[732] C:\WINDOWS\SmVzcwAA\asappsrv.dll -> Spyware.CommAd : Error during cleaning
[748] C:\WINDOWS\SmVzcwAA\asappsrv.dll -> Spyware.CommAd : Error during cleaning
[776] C:\WINDOWS\SmVzcwAA\asappsrv.dll -> Spyware.CommAd : Error during cleaning
[804] C:\WINDOWS\SmVzcwAA\asappsrv.dll -> Spyware.CommAd : Error during cleaning
[816] C:\WINDOWS\SmVzcwAA\asappsrv.dll -> Spyware.CommAd : Error during cleaning
[840] C:\WINDOWS\SmVzcwAA\asappsrv.dll -> Spyware.CommAd : Error during cleaning
[860] C:\WINDOWS\SmVzcwAA\asappsrv.dll -> Spyware.CommAd : Error during cleaning
[912] C:\WINDOWS\SmVzcwAA\asappsrv.dll -> Spyware.CommAd : Error during cleaning
[1892] C:\WINDOWS\SmVzcwAA\asappsrv.dll -> Spyware.CommAd : Error during cleaning
[232] C:\WINDOWS\SmVzcwAA\asappsrv.dll -> Spyware.CommAd : Error during cleaning
[628] C:\WINDOWS\SmVzcwAA\asappsrv.dll -> Spyware.CommAd : Error during cleaning
[2792] C:\WINDOWS\SmVzcwAA\asappsrv.dll -> Spyware.CommAd : Error during cleaning
[3608] C:\WINDOWS\SmVzcwAA\asappsrv.dll -> Spyware.CommAd : Error during cleaning
C:\WINDOWS\SmVzcwAA\__delete_on_reboot__asappsrv.dll -> Spyware.CommAd : Cleaned with backup
C:\WINDOWS\SmVzcwAA\__delete_on_reboot__command.exe -> Adware.CommAd : Cleaned with backup
C:\WINDOWS\Temp\upd209.exe -> Spyware.Look2Me : Error during cleaning


::Report End

Ad-Aware SE Personal
AOL Instant Messenger
AOL Spyware Protection
Appswebservice.com Search Assistant
ATI Control Panel
ATI Display Driver
AVG Free Edition
CleanUp!
Command
Content Delivery Module
DVgate
ewido security suite
Experience VAIO
gerncty
Help and Support
HijackThis 1.99.1
HotKey Utility
IE Host R3
ImageStation Tour
Intel® PRO Ethernet Adapter and Software
InterVideo WinDVD 4
iTunes
J2SE Runtime Environment 5.0 Update 1
Microsoft Learning and Research Plus Support Files
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Professional
Microsoft Picture It! Express 7.0
MoodLogic
MovieShaker 3.3
MSN Internet Software
MSN Messenger 5.0
MSXP 1.0
Music Visualizer Library 1.4.00
Network Smart Capture
Odyssey Client
OIN
OpenMG Limited Patch 3.1-02-10-22-01
OpenMG Limited Patch 3.1-02-10-23-01
OpenMG Secure Module 3.1
Panda ActiveScan
PictureGear Studio 1.0
PowerPanel
QuickTime
RealOne Player
RealProducer Basic 8.5
Shockwave
SoftK56 Data Fax
SonicStage 1.5.05
Sony Certificate PCH
Sony DV Shared Library
Sony Notebook Setup
Sony on Yahoo! Essentials
Sony USB Mouse
Sony Utilities DLL
Spybot - Search & Destroy 1.4
SpywareBlaster v3.4
Support Actions WinXP
Sys98 1.0
The Best Offers
VAIO Media 2.0
VAIO Media Installer 2.0
VAIO Media Music Server 2.0
VAIO Media Photo Server 2.0
VAIO Media Platform 2.0
VAIO Registration
VAIO Serenus Wallpaper
VAIO Support
VAIO Survey Standalone
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Wireless LAN
Wireless-G Notebook Adapter with SpeedBooster

#12 Skate_Punk_21

Posted 19 October 2005 - 09:29 PM

Uninstall the following, unless you can attest to the program's legitimacy:
Appswebservice.com Search Assistant
gerncty
OIN
The Best Offers



Download Killbox
Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox ONE AT A TIME (hitting the X button for each file; choose NO when it asks if you want to reboot). Click Yes at the 'Pending Operations' prompt if you see it:

C:\WINDOWS\SmVzcwAA
C:\WINDOWS\Temp\upd209.exe


* If you received a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to restart Windows manually.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.


REBOOT your computer NOW

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the desktop icons don't disappear or the log does not pop up, then in the l2mfix folder double-click the second.bat file to continue with the fix.

#13 tuckie

Posted 19 October 2005 - 10:25 PM

Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1772 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 236 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
adding: clear.reg (188 bytes security) (deflated 37%)
adding: 0x0409.ini (188 bytes security) (deflated 59%)
adding: winamp.ini (188 bytes security) (stored 0%)
adding: asdf.txt (188 bytes security) (deflated 60%)
adding: crash.txt (188 bytes security) (deflated 25%)
adding: lo2.txt (188 bytes security) (deflated 56%)
adding: test.txt (188 bytes security) (stored 0%)
adding: test2.txt (188 bytes security) (deflated 16%)
adding: test3.txt (188 bytes security) (deflated 16%)
adding: test5.txt (188 bytes security) (deflated 16%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{140987C4-0D7F-4000-936E-0C246AEAC77D}"=-
"{1B1E9032-B828-4057-8A6D-140E5A3FF09B}"=-
[-HKEY_CLASSES_ROOT\CLSID\{140987C4-0D7F-4000-936E-0C246AEAC77D}]
[-HKEY_CLASSES_ROOT\CLSID\{1B1E9032-B828-4057-8A6D-140E5A3FF09B}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


and from hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 11:24:19 PM, on 10/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Jess\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmVzcwAA\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MainSafe Service (MSFIE) - Unknown owner - C:\WINDOWS\System32\mainsafe.exe (file missing)
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

#14 Skate_Punk_21

Skate_Punk_21

    Crapware Killing Canuck!


  • Members
  • 185 posts

Posted 20 October 2005 - 03:48 PM

check this in HJT: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm

and delete these files/folders file: C:\WINDOWS\System32\Searchx.htm
and
C:\!Killbox


Congratulations Your Log is Clean!!

If you are still having trouble, please don't continue with these instructions just yet. LET ME KNOW!

Otherwise, we have a few clean up items to deal with.

1. System Restore
Now that we know your system is clean, we want to purge any potentially infected restore points. To do that, complete the following:

Turn off System Restore by Clicking Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK.

To re-enable this function - simply uncheck this same box, and click "apply" and "ok"


2. Reset Hidden Files & Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is UNchecked. Also make sure that the System Files and Folders are invisible. CHECK the Hide protected operating system files option.


Also Consider...
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:

How is she running now? Any further problems? If not, Good work, and Happy Computing!

Please reply once more so we know you have read these measures.
If I've helped you in any way, please consider a donation to help me continue the fight.
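
The two things Skate_Punk_21 picks out of the HijackThis log (an R1 Search Bar pointing at a local file:// page, and earlier in the thread O23 services whose binary is already gone) are simple to check mechanically. As an added example that is not part of this thread and not HijackThis's own code, here is a small triage script over lines in the format HijackThis 1.99.1 prints. The sample lines are constructed from the shape of the log above; the heuristics are assumptions, not HJT's rules.

```python
"""Triage a HijackThis 1.99 log: flag IE start/search settings that point at
a local file, and services whose binary is missing and owner is unknown.
Added example; not from the thread or from HijackThis."""
import re

# Constructed sample in the line format HijackThis 1.99.1 uses.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmVzcwAA\command.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: MainSafe Service (MSFIE) - Unknown owner - C:\WINDOWS\System32\mainsafe.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# R0/R1: <hive>\<key>,<value name> = <value>
BROWSER_RE = re.compile(r"^(?P<hive>HK\w+)\\(?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$")
# O23: Service: <display> (<name>) - <owner> - <path>
SERVICE_RE = re.compile(r"^Service: (?P<display>.*?) \((?P<name>[^)]+)\) - (?P<owner>.*?) - (?P<path>.*)$")
MISSING = "(file missing)"


def parse_hjt(text):
    """Return (kind, body) for every item line, e.g. ('R1', 'HKCU\\...')."""
    items = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            items.append((m.group("kind"), m.group("body")))
    return items


def local_file_browser_settings(items):
    """R0/R1 entries whose value is a file:// URL.

    IE start and search pages are normally http(s) URLs or about:blank;
    a page served from the local System32 folder is a hijack indicator.
    """
    hits = []
    for kind, body in items:
        if kind not in ("R0", "R1"):
            continue
        m = BROWSER_RE.match(body)
        if m and m.group("value").lower().startswith("file://"):
            hits.append((m.group("name").strip(), m.group("value").strip()))
    return hits


def orphaned_unknown_services(items):
    """O23 services whose binary is gone and whose owner HJT could not identify.

    These are leftovers of a component that was already removed; the service
    registration itself is still there and is the next thing to clean up.
    """
    hits = []
    for kind, body in items:
        if kind != "O23":
            continue
        m = SERVICE_RE.match(body)
        if not m:
            continue
        path = m.group("path")
        if path.endswith(MISSING) and m.group("owner") == "Unknown owner":
            hits.append((m.group("name"), path[: -len(MISSING)].strip()))
    return hits


if __name__ == "__main__":
    items = parse_hjt(SAMPLE_HJT_LOG)
    for name, value in local_file_browser_settings(items):
        print(f"IE {name} points at a local file: {value}")
    for svc, path in orphaned_unknown_services(items):
        print(f"orphaned service {svc}: {path}")
```

The "Unknown owner" condition keeps vendor services with quoting problems in their image path (like the Sony VAIO entries in the log above, which HJT also reports as file missing) from being mistaken for malware leftovers; they would need a human look, not deletion.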

#15 tuckie

tuckie
  • Topic Starter

  • Members
  • 18 posts

Posted 20 October 2005 - 07:09 PM

Much thanks to all your help, she appears to be completely clean now :thumbsup:
