Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware Inferction!


  • This topic is locked This topic is locked
14 replies to this topic

#1 kredik

kredik

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:08 AM

Posted 26 January 2006 - 05:43 AM

"your computer is infected" is permanetnly poped up on my lower screen and i get malware .com page when i open my browser...sounds serious..I made a log file from hijack....any help would be greatly appreciated.thanks

(Moderator edit: post moved to HJT Forum for team review. jgweed)
ogfile of HijackThis v1.99.1
Scan saved at 11:29:57 AM, on 1/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Programfiler\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programfiler\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programfiler\TOSHIBA\Power Management\CePMTray.exe
C:\Programfiler\TOSHIBA\E-KEY\CeEKey.exe
C:\Programfiler\EzButton\EzButton.EXE
C:\Programfiler\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ZoomingHook.exe
C:\Programfiler\TOSHIBA\TOSHIBA zoom\SmoothView.exe
C:\Programfiler\TOSHIBA\ConfigFree\NDSTray.exe
C:\Programfiler\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\TOSHIBA\ConfigFree\CFSServ.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programfiler\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\ewido anti-malware\ewidoguard.exe
C:\Programfiler\ewido anti-malware\ewidoctrl.exe
C:\Programfiler\ewido anti-malware\SecuritySuite.exe
C:\Programfiler\WinRAR\WinRAR.exe
C:\DOCUME~1\Jems\LOKALE~1\Temp\Rar$EX01.078\HijackThis.exe
C:\DOCUME~1\Jems\LOKALE~1\Temp\Rar$EX00.828\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/sport1/hi/default.stm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hpBA0D.tmp
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Programfiler\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Programfiler\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Programfiler\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Programfiler\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [EzButton] C:\Programfiler\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [TPNF] C:\Programfiler\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programfiler\TOSHIBA\TOSHIBA zoom\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programfiler\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programfiler\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Programfiler\Winamp\winampa.exe
O4 - HKLM\..\Run: [SpywareStrike] C:\Programfiler\SpywareStrike\SpywareStrike.exe /h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programfiler\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WhenUSave] "C:\Programfiler\Save\Save.exe"
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Programfiler\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Programfiler\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Programfiler\Fellesfiler\Autodesk Shared\acstart16.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programfiler\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programfiler\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programfiler\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programfiler\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\programfiler\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programfiler\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programfiler\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programfiler\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.tvkoo.com/update/KooPlayer.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} (PowerPlayer Control) - http://www.ppstream.com/bin/powerplayer.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124531093843
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programfiler\Fellesfiler\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Programfiler\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programfiler\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programfiler\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe

Edited by jgweed, 26 January 2006 - 08:03 AM.


BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:08 AM

Posted 26 January 2006 - 08:15 AM

Hello,

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

First of all, you didn't unzip/extract hijackthis.. and it's still in the tempfolder.
So I strongly advise to unzip/extract hijackthis.zip.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Create a permanent folder and move hijackthis.exe into it. The reason is because hijackthis creates backups and when it's in your temp-folder it can be accidentally deleted.
How do you make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

I also see you have some programs installed that needs to get uninstalled first, because they are unwanted!
So go to start > controlpanel > software > add/remove programs and uninstall next:

WhenU (WhenUsave)
Spyware Cleaner
<= this is a so called cleaner with a bad reputation!
Spywarestrike <= this is a so called cleaner with a bad reputation!

Reboot afterwards.

* Download smitRem and save the file to your desktop.
Doubleclick it and choose install. This will create a new folder on your desktop with the name smitrem.

I see you already have Ewido installed.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

* Please download ATF Cleaner by Atribune.
Do not run it yet.

* Reboot into Safe Mode`: ( without networking support !)
°To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hpBA0D.tmp
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll (file missing)
O4 - HKLM\..\Run: [SpywareStrike] C:\Programfiler\SpywareStrike\SpywareStrike.exe /h
O4 - HKCU\..\Run: [WhenUSave] "C:\Programfiler\Save\Save.exe"
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Programfiler\Spyware Cleaner\SpywareCleaner.Exe" /boot
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programfiler\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programfiler\PartyPoker\PartyPoker.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Using Windows Explorer, locate the following folders, and delete them if still present:

C:\Programfiler\SpywareStrike
C:\Programfiler\Save
C:\Programfiler\Spyware Cleaner
C:\Programfiler\PartyPoker

* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

* Now open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

* Close Ewido

* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there. (except for "My current home page")

* Reboot back into Windows.

* Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply along with a new HijackThis Log, the contents of smitfiles.txt which is present on your Homedrive (C:\ in most cases)
and the Ewido Log by using Add Reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 kredik

kredik
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:08 AM

Posted 26 January 2006 - 11:17 AM

So im not really sure I did the right things but heres a new log file...thanks

timeogfile of HijackThis v1.99.1
Scan saved at 5:13:51 PM, on 1/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Programfiler\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programfiler\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programfiler\TOSHIBA\Power Management\CePMTray.exe
C:\Programfiler\TOSHIBA\E-KEY\CeEKey.exe
C:\Programfiler\EzButton\EzButton.EXE
C:\Programfiler\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ZoomingHook.exe
C:\Programfiler\TOSHIBA\TOSHIBA zoom\SmoothView.exe
C:\Programfiler\TOSHIBA\ConfigFree\NDSTray.exe
C:\Programfiler\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\TOSHIBA\ConfigFree\CFSServ.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Winamp\winampa.exe
C:\Programfiler\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programfiler\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\hjt\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/sport1/hi/default.stm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Programfiler\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Programfiler\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Programfiler\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Programfiler\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [EzButton] C:\Programfiler\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [TPNF] C:\Programfiler\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programfiler\TOSHIBA\TOSHIBA zoom\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programfiler\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programfiler\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Programfiler\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programfiler\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WhenUSave] "C:\Programfiler\Save\Save.exe"
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Programfiler\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Programfiler\Fellesfiler\Autodesk Shared\acstart16.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programfiler\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programfiler\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programfiler\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programfiler\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\programfiler\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programfiler\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} (PowerPlayer Control) - http://www.ppstream.com/bin/powerplayer.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124531093843
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programfiler\Fellesfiler\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Programfiler\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programfiler\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:08 AM

Posted 26 January 2006 - 11:20 AM

Hello,

Can you also post the other logs I asked you?
Looks like you didn't scan with Panda?

So what I need is..
  • ewido-log
  • Log from smitrem (smitfiles.txt present on your C:\)
  • Log from Panda online
It is with a reason I want those logs. :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 kredik

kredik
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:08 AM

Posted 26 January 2006 - 12:22 PM

ok...i got 2 and will do the last one now


wido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:37:52 PM, 1/26/2006
+ Report-Checksum: 9D9CF6E7

+ Scan result:

HKLM\SOFTWARE\Classes\WUSN.1 -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\WhenUSave -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\WhenUSave\Partners -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\WhenUSave\Partners\WUSV -> Spyware.SaveNow : Cleaned with backup
HKU\S-1-5-21-800555736-3238046520-1616229380-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-800555736-3238046520-1616229380-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-800555736-3238046520-1616229380-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B} -> Spyware.SaveNow : Cleaned with backup
HKU\S-1-5-21-800555736-3238046520-1616229380-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\1024\ld121E.tmp -> Not-A-Virus.Hoax.Win32.Renos.ar : Cleaned with backup
C:\WINDOWS\system32\1024\ld1668.tmp -> Not-A-Virus.Hoax.Win32.Renos.ar : Cleaned with backup
C:\WINDOWS\system32\1024\ld4866.tmp -> Not-A-Virus.Hoax.Win32.Renos.ar : Cleaned with backup
C:\Documents and Settings\Jems\Cookies\jems@adtech[1].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\Jems\Cookies\jems@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup


::Report End

ncident Status Location

Adware:adware/securityerror Not disinfected C:\Documents and Settings\Jems\Favoritter\Antivirus Test Online.url
Adware:adware/commad Not disinfected Windows Registry
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Jems\Cookies\jems@adopt.hbmediapro[2].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Jems\Cookies\jems@ask[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jems\Cookies\jems@belnk[1].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Jems\Cookies\jems@c.enhance[1].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Jems\Cookies\jems@clickbank[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jems\Cookies\jems@dist.belnk[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Jems\Cookies\jems@go[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Jems\Cookies\jems@toplist[1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Jems\Cookies\jems@webpower[2].txt
Spyware:Cookie/Spytrooper Not disinfected C:\Documents and Settings\Jems\Cookies\jems@www.spytrooper[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Jems\Cookies\jems@yadro[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Jems\Cookies\jems@zedo[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Jems\Cookies\jems@adopt.hbmediapro[2].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Jems\Cookies\jems@ask[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jems\Cookies\jems@belnk[1].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Jems\Cookies\jems@c.enhance[1].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Jems\Cookies\jems@clickbank[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jems\Cookies\jems@dist.belnk[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Jems\Cookies\jems@go[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Jems\Cookies\jems@toplist[1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Jems\Cookies\jems@webpower[2].txt
Spyware:Cookie/Spytrooper Not disinfected C:\Documents and Settings\Jems\Cookies\jems@www.spytrooper[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Jems\Cookies\jems@yadro[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Jems\Cookies\jems@zedo[1].txt
Adware:Adware/SaveNow Not disinfected C:\Documents and Settings\Jems\Lokale innstillinger\Temp\temp.fr0528\ACM.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jems\Lokale innstillinger\Temporary Internet Files\Content.IE5\S353UINP\smitRem[1].exe[Process.exe]
Potentially unwanted tool:Application/Malwarewipe Not disinfected C:\Documents and Settings\Jems\Lokale innstillinger\Temporary Internet Files\Content.IE5\TJ3F1HWA\mw_install[1].exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jems\Skrivebord\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jems\Skrivebord\smitRem.exe[Process.exe]
Possible Virus. Not disinfected C:\Programfiler\AutoCAD 2006\Crack\keygen.exe
Hacktool:HackTool/EvID Not disinfected C:\Programfiler\Fellesfiler\Synacast\SynaLive\EvID4226Patch.exe
Spyware:Spyware/Smitfraud Not disinfected C:\WINDOWS\Temp\SSLanguage.ini

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:08 AM

Posted 26 January 2006 - 12:30 PM

Hi,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKCU\..\Run: [WhenUSave] "C:\Programfiler\Save\Save.exe"


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Delete next files/folder

C:\Documents and Settings\Jems\Favoritter\Antivirus Test Online.url
C:\Programfiler\AutoCAD 2006\Crack <== folder (if you visit cracksites/use cracks etc.. then it is normal your system gets infected)
C:\WINDOWS\Temp\SSLanguage.ini

Run ATF-Cleaner again.

Reboot and post a new hijackthislog.

Edited by miekiemoes, 26 January 2006 - 12:31 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 kredik

kredik
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:08 AM

Posted 26 January 2006 - 12:33 PM

ok..i couldnt get a log file for smitrem but i used it and cleaned my disk up...be bak soon

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:08 AM

Posted 26 January 2006 - 12:54 PM

The log from smitrem is on your C:\ with the name smitfiles.txt
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 kredik

kredik
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:08 AM

Posted 26 January 2006 - 12:58 PM

OK. Here it is.. Am I clean? Im not so good with computers but you made it quite easy. Thanks again!!!


ogfile of HijackThis v1.99.1
Scan saved at 6:53:51 PM, on 1/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programfiler\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programfiler\TOSHIBA\Power Management\CePMTray.exe
C:\Programfiler\TOSHIBA\E-KEY\CeEKey.exe
C:\Programfiler\EzButton\EzButton.EXE
C:\Programfiler\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programfiler\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ZoomingHook.exe
C:\Programfiler\TOSHIBA\TOSHIBA zoom\SmoothView.exe
C:\Programfiler\TOSHIBA\ConfigFree\NDSTray.exe
C:\Programfiler\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\TOSHIBA\ConfigFree\CFSServ.exe
C:\Programfiler\ewido anti-malware\ewidoctrl.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\ewido anti-malware\ewidoguard.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programfiler\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Jems\Skrivebord\HijackThis1991.exe
C:\WINDOWS\system32\msiexec.exe





version 2.8

by noahdfear


Microsoft Windows XP [Versjon 5.1.2600]

Running from
C:\Documents and Settings\Jems\Skrivebord\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:08 AM

Posted 26 January 2006 - 01:02 PM

Hello,

You only posted the top part of your hijackthislog and your smitremlog is not complete.

Can you please restart your computer and post afterwards the log from smitrem again and post a new hijackthislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 kredik

kredik
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:08 AM

Posted 26 January 2006 - 01:10 PM

ooops,sorry

ogfile of HijackThis v1.99.1
Scan saved at 7:06:43 PM, on 1/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programfiler\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programfiler\TOSHIBA\Power Management\CePMTray.exe
C:\Programfiler\TOSHIBA\E-KEY\CeEKey.exe
C:\Programfiler\EzButton\EzButton.EXE
C:\Programfiler\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ZoomingHook.exe
C:\Programfiler\TOSHIBA\TOSHIBA zoom\SmoothView.exe
C:\Programfiler\TOSHIBA\ConfigFree\NDSTray.exe
C:\Programfiler\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\TOSHIBA\ConfigFree\CFSServ.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programfiler\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programfiler\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Programfiler\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programfiler\ewido anti-malware\ewidoctrl.exe
C:\Programfiler\ewido anti-malware\ewidoguard.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\Documents and Settings\Jems\Skrivebord\HijackThis1991.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/sport1/hi/default.stm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Programfiler\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Programfiler\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Programfiler\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Programfiler\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [EzButton] C:\Programfiler\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [TPNF] C:\Programfiler\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programfiler\TOSHIBA\TOSHIBA zoom\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programfiler\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programfiler\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Programfiler\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programfiler\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Programfiler\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Programfiler\Fellesfiler\Autodesk Shared\acstart16.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programfiler\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programfiler\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programfiler\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programfiler\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\programfiler\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programfiler\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} (PowerPlayer Control) - http://www.ppstream.com/bin/powerplayer.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124531093843
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programfiler\Fellesfiler\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Programfiler\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programfiler\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programfiler\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe





smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Versjon 5.1.2600]

Running from
C:\Documents and Settings\Jems\Skrivebord\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
ld****.tmp
hp***.tmp


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1304 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :thumbsup:


~~~ Upon reboot ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! :flowers: ~~~~

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:08 AM

Posted 26 January 2006 - 01:18 PM

Look clean. :thumbsup:

How are things running now?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 kredik

kredik
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:08 AM

Posted 26 January 2006 - 01:22 PM

seems fine! no more pop ups tellin me im in DANGER!

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:08 AM

Posted 26 January 2006 - 01:24 PM

Glad to hear things are fixed. :thumbsup:

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn`t scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Let your antispywarescanner(s) scan frequently and don't forget to update before.

And I do suggest you perform an online virusscan once in a while. (Housecall and/or Bitdefender). Because what one virusscanner can't find another one maybe can.
Also make sure that your virusscanner, the one that is installed on your system is always up to date!

Make sure your windows has the latest updates: http://windowsupdate.microsoft.com/

If you are having XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety

More info on how to prevent malware you can also find here (By Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

Happy surfing again! :flowers:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:08 AM

Posted 02 February 2006 - 01:42 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users