Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

My Hijack Log


  • This topic is locked This topic is locked
13 replies to this topic

#1 urbanlord

urbanlord

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:33 AM

Posted 28 January 2006 - 03:48 AM

I keep getting the following messages

There are too many identical e-mails in appointed time

I've run hijackthis and was informed to post the log here.

Logfile of HijackThis v1.99.1
Scan saved at 08:17:07, on 28/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
c:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\windows\winsysban3.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Sony Shared\GMR\GMRMan.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAutoUpdate.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\My PC\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Acrobat IE Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE083} - C:\WINDOWS\system\ctldlg32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CONNECTScheduler] "C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" /RUN_SCHEDULER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\system32\msvcp.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd3.exe
O4 - HKLM\..\Run: [svcchost.exe] C:\DOCUME~1\Dave\LOCALS~1\Temp\ebhdiflk.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban3.exe
O4 - HKLM\..\Run: [igfxsrvs] C:\WINDOWS\system32\igfxsrv.exe
O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O4 - HKCU\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CONNECTAUTrayApp.lnk = C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAID Manager.lnk = ?
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128712334234
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: htproc - htproc32.dll (file missing)
O20 - Winlogon Notify: ur32artreg - C:\Documents and Settings\All Users\Documents\Settings\ur32art.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

BC AdBot (Login to Remove)

 


#2 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:12:33 AM

Posted 28 January 2006 - 05:16 AM

Click here to download ewido anti-malware - it is a trial version of the program.
  • Install ewido.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen.
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed. Then:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin (do not open any folders or open the windows control panel while the scan is in progress).
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido.

Rescan with HJT and post a new log here together with the ewido log so that any remnants can be removed manually.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#3 urbanlord

urbanlord
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:33 AM

Posted 28 January 2006 - 06:55 AM

90 mins laters here's the two reports

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:51:04, 28/01/2006
+ Report-Checksum: 15467FAF

+ Scan result:

[1708] C:\WINDOWS\System\svchost.dll -> Backdoor.Small.jo : Cleaned with backup
[2036] C:\windows\winsysban3.exe -> Hijacker.VB.kc : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Adviva : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.131:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.141:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.156:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.167:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.209:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.210:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.212:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.213:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.214:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.215:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.216:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.217:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.218:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.219:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.220:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.221:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.222:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.223:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.224:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.225:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.226:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.227:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.228:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.229:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.230:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.231:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.232:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.243:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.244:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.245:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.246:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.248:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.249:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.293:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.317:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.318:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.319:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.331:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.332:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.339:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.340:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.344:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.347:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.348:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.356:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.357:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.358:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.361:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.363:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.377:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.378:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.379:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.385:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.394:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.395:C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\xolrdpne.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@data3.perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Dave\Cookies\dave@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Dave\h.exe -> Backdoor.Small.jo : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0C.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temp\!update.exe -> Downloader.PurityScan.be : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temp\1.qtdfmp -> Downloader.Small.aqu : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temp\2.qtdfmp -> Not-A-Virus.Hoax.Win32.Renos.av : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temp\5.qtdfmp -> Downloader.Small.awa : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temp\6.qtdfmp -> Downloader.Agent.adv : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temp\7.qtdfmp -> Downloader.Tibs.bu : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temp\Cookies\dave@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temp\iexplorer.exe -> Downloader.PassAlert.q : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temp\maxdd.game -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temp\qvxt2.game -> Downloader.Small.aqu : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temp\qvxt4.game -> Downloader.Small.chg : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temp\vx4.game -> Backdoor.Codbot.bh : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temp\vxt1.game -> Downloader.Small.cds : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temp\vxt2.game -> Downloader.Tiny.aq : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temp\vxt4.game -> Hijacker.Agent.gk : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\686HNT4G\paytime[1].txt -> Hijacker.StartPage.agp : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\686HNT4G\r42[1].exe -> Backdoor.Small.jo : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\686HNT4G\tool5[1].txt -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\QR8VFOL4\!update-3120[1].0000 -> Downloader.PurityScan.be : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\QR8VFOL4\drsmartload[1].exe -> Downloader.Adload.j : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\QR8VFOL4\myupdates[1].exe -> Downloader.Adload.l : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\QR8VFOL4\r4[1].exe -> Dropper.Agent.agv : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\QR8VFOL4\winsysupd3[1].exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\RI31DH7B\kl[1].txt -> Logger.Small.dg : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\RI31DH7B\tool4[1].txt -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\XJZ57XVG\tool1[1].txt -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\XJZ57XVG\ucmoreiex[1].exe/UCMTSAIE.DLL -> Spyware.UCmore : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\XJZ57XVG\ucmoreiex[1].exe/IUCMORE.DLL -> Spyware.UCmore : Cleaned with backup
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\XJZ57XVG\winsysban3[1].exe -> Hijacker.VB.kc : Cleaned with backup
C:\Documents and Settings\Dave\n.exe -> Backdoor.Small.jo : Cleaned with backup
C:\Documents and Settings\Dave\r.exe -> Backdoor.Small.jo : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll -> Logger.Agent.jo : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Logger.Agent.jo : Cleaned with backup
C:\WINDOWS\kl.exe -> Logger.Small.dg : Cleaned with backup
C:\WINDOWS\myupdates.exe -> Downloader.Adload.l : Cleaned with backup
C:\WINDOWS\system\svchost.dll -> Backdoor.Small.jo : Cleaned with backup
C:\WINDOWS\system\svchost.exe -> Backdoor.Small.jo : Cleaned with backup
C:\WINDOWS\system32\maxd64.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\msvcp.exe -> Backdoor.Codbot.bh : Cleaned with backup
C:\WINDOWS\system32\qvxgamet4.exe -> Downloader.Small.chg : Cleaned with backup
C:\WINDOWS\system32\r4.exe -> Dropper.Agent.agv : Cleaned with backup
C:\WINDOWS\system32\r42.exe -> Backdoor.Small.jo : Cleaned with backup
C:\WINDOWS\system32\vxgame4.exe -> Backdoor.Codbot.bh : Cleaned with backup
C:\WINDOWS\system32\vxgamet2.exe -> Downloader.Tiny.aq : Cleaned with backup
C:\WINDOWS\system32\vxgamet4.exe -> Hijacker.Agent.gk : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq2.exe -> Not-A-Virus.Hoax.Win32.Renos.av : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq5.exe -> Downloader.Small.awa : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq6.exe -> Downloader.Agent.adv : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq7.exe -> Downloader.Tibs.bu : Cleaned with backup
C:\WINDOWS\winsysban3.exe -> Hijacker.VB.kc : Cleaned with backup
C:\WINDOWS\winsysupd3.exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
D:\My Documents\Lucky.zip/Lucky u.exe -> Not-A-Virus.Joke.Stupen.c : Cleaned with backup
D:\My Documents\My Received Files\wwwhack.zip/patch.exe -> Not-A-Virus.HackTool.WwwHack.a : Cleaned with backup
G:\Documents and Settings\Dave\My Documents\My Received Files\Messenger Plus! - Setup.exe/70000011.exe -> Downloader.Swizzor.g : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 11:53:55, on 28/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Sony Shared\GMR\GMRMan.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAutoUpdate.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\My PC\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Acrobat IE Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE083} - C:\WINDOWS\system\ctldlg32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CONNECTScheduler] "C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" /RUN_SCHEDULER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [svcchost.exe] C:\DOCUME~1\Dave\LOCALS~1\Temp\ebhdiflk.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban3.exe
O4 - HKLM\..\Run: [igfxsrvs] C:\WINDOWS\system32\igfxsrv.exe
O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CONNECTAUTrayApp.lnk = C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAID Manager.lnk = ?
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128712334234
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37570.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: htproc - htproc32.dll (file missing)
O20 - Winlogon Notify: ur32artreg - C:\Documents and Settings\All Users\Documents\Settings\ur32art.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:12:33 AM

Posted 28 January 2006 - 07:13 AM

Grab a copy of this little free application to help control those tracking cookies in future:

http://www.analogx.com/contents/download/network/cookie.htm

Click here, for instructions on how to enable hidden files and folders to be visible. After enabling, find, zip and send this file:

C:\Documents and Settings\All Users\Documents\Settings\ur32art.dll

to this e-mail address including a link to this thread in the body of the email. It may be OK but I'd like to take a closer look at it - I'll get back to you about it if any further action is required.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\DOCUMENTS AND SETTINGS\Dave\LOCAL SETTINGS\Temp\ebhdiflk.exe
    C:\windows\winsysban3.exe
    C:\WINDOWS\System\svwhost.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Acrobat IE Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE083} - C:\WINDOWS\system\ctldlg32.dll
O4 - HKLM\..\Run: [svcchost.exe] C:\DOCUME~1\Dave\LOCALS~1\Temp\ebhdiflk.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban3.exe
O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O20 - Winlogon Notify: htproc - htproc32.dll (file missing)


Exit HijackThis when done. reboot, rescan with HijackThis and post a new log here.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#5 urbanlord

urbanlord
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:33 AM

Posted 28 January 2006 - 08:36 AM

Daemon Thanx for all your help so far

I can't zip ur32art.dll to email to you

! ur32art.zip: Cannot open ur32art.dll
The process cannot access the file because it is being used by another process.

new Highjack log

Logfile of HijackThis v1.99.1
Scan saved at 13:35:00, on 28/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Common Files\Sony Shared\GMR\GMRMan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\My PC\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CONNECTScheduler] "C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" /RUN_SCHEDULER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [svcchost.exe] C:\DOCUME~1\Dave\LOCALS~1\Temp\ebhdiflk.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban3.exe
O4 - HKLM\..\Run: [igfxsrvs] C:\WINDOWS\system32\igfxsrv.exe
O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CONNECTAUTrayApp.lnk = C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAID Manager.lnk = ?
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128712334234
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37570.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ur32artreg - C:\Documents and Settings\All Users\Documents\Settings\ur32art.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:12:33 AM

Posted 28 January 2006 - 09:07 AM

HJT log doesn't look much different. Do this for me. Go to Jotti's malware scan

Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

C:\Documents and Settings\All Users\Documents\Settings\ur32art.dll

Click on the submit button. Please post the results in your next reply.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#7 urbanlord

urbanlord
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:33 AM

Posted 28 January 2006 - 09:53 AM

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

I disabled my firewall and the result is the same

#8 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:12:33 AM

Posted 28 January 2006 - 10:16 AM

Hmmm.. I'm going to fix it unless you know what it is.

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [svcchost.exe] C:\DOCUME~1\Dave\LOCALS~1\Temp\ebhdiflk.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban3.exe
O4 - HKLM\..\Run: [igfxsrvs] C:\WINDOWS\system32\igfxsrv.exe
O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O20 - Winlogon Notify: ur32artreg - C:\Documents and Settings\All Users\Documents\Settings\ur32art.dll


Exit HijackThis when done. Reboot into Safe Mode by tapping F8 after the BIOS has loaded. Using Windows Explorer, find and delete the following:

C:\DOCUMENTS AND SETTINGS\Dave\LOCAL SETTINGS\Temp\ebhdiflk.exe
C:\windows\winsysban3.exe
C:\WINDOWS\system32\igfxsrv.exe
C:\WINDOWS\System\svwhost.exe

Exit Explorer and reboot into Normal Mode. Rescan with HijackThis and post a new log here.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#9 urbanlord

urbanlord
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:33 AM

Posted 28 January 2006 - 11:06 AM

Daemon

I couldn't find any of these files in safe mode

C:\DOCUMENTS AND SETTINGS\Dave\LOCAL SETTINGS\Temp\ebhdiflk.exe
C:\windows\winsysban3.exe
C:\WINDOWS\system32\igfxsrv.exe
C:\WINDOWS\System\svwhost.exe

Looks like they also don't exist in the new highjack log. :-))

I also haven't had the Avast virus message "There are too many identical e-mails in appointed time
" since i reponded to your first repply.
Don't know if that what you would have expected or not.

I have no idea what C:\Documents and Settings\All Users\Documents\Settings\ur32art.dll
does either.


Logfile of HijackThis v1.99.1
Scan saved at 15:58:54, on 28/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Common Files\Sony Shared\GMR\GMRMan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAutoUpdate.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\My PC\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CONNECTScheduler] "C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" /RUN_SCHEDULER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CONNECTAUTrayApp.lnk = C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAID Manager.lnk = ?
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128712334234
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37570.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ur32artreg - C:\Documents and Settings\All Users\Documents\Settings\ur32art.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#10 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:12:33 AM

Posted 28 January 2006 - 11:12 AM

Looking better but that entry is still there. Try this. Double-click on Killbox.exe to run it.

Select the Delete on reboot option.

In the 'Full Path of File to Delete' box, copy and paste the following:

C:\Documents and Settings\All Users\Documents\Settings\ur32art.dll


Check the box that says 'Unregister .dll before deleting', click the 'Delete File' button (red circle with a white X).
It will prompt you to reboot, press the YES button.

After restarting, with only HijackThis running, scan and when complete, remove the following entry by checking the box to the left and clicking 'fixed checked':

O20 - Winlogon Notify: ur32artreg - C:\Documents and Settings\All Users\Documents\Settings\ur32art.dll

Reboot again when done, rescan with HJT and post a new log here
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#11 urbanlord

urbanlord
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:33 AM

Posted 28 January 2006 - 11:37 AM

Daemon

It looks likes it's finally gone.

Logfile of HijackThis v1.99.1
Scan saved at 16:34:50, on 28/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Sony Shared\GMR\GMRMan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAutoUpdate.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\My PC\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CONNECTScheduler] "C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" /RUN_SCHEDULER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CONNECTAUTrayApp.lnk = C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAID Manager.lnk = ?
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128712334234
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37570.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#12 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:12:33 AM

Posted 28 January 2006 - 11:57 AM

Yes, that got rid of it. How is it running now?
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#13 urbanlord

urbanlord
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:33 AM

Posted 28 January 2006 - 12:09 PM

Daemon

At this present moment this beast seams to be behaving itself for a change ie nice and responsive.
All thx to you of course.

It's been a bad week for me due to viruses and spybots etc plus in the middle of it all my motherboard crashed (Can a virus affect a MB ??).

My previous AV software (PC Guard) didn't find some of the viruses that Avast found.

I want to protect myself now as much as possible so now have Zone alarm pro and Avast AV plus spybot SD and all these tools you've asked me to use.

hopefully I have enough!!!!

Once again thanks for your help. Donation on it's way :thumbsup:

#14 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:12:33 AM

Posted 28 January 2006 - 12:14 PM

You're welcome - glad to help :thumbsup: and thanks for your support :flowers:

Unlikely the motherboard was virus related. To help keep you clean follow the recommendations in Tony's article here:

So how did I get infected in the first place?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users