Hijackthislog



#1 wondurboy112


Posted 04 April 2006 - 07:24 PM

GOD help me, I did what you said but 2 files stay there, the BHO and some other one. This is my log:

Logfile of HijackThis v1.99.1
Scan saved at 8:19:39 PM, on 4/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\PETERM~1.MAJ\LOCALS~1\Temp\Rar$EX20.437\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp78BA.tmp (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB002" /M "Stylus CX4800"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

PLEASE HELP, I still get these damn bleep sites coming through!


#2 Jag11


Posted 05 April 2006 - 09:01 AM

Hi and welcome to BleepingComputer.

I'm Jet Ian, and I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.
Proud member of ASAP and UNITE since 2006.
Everyone wants to go to heaven, but no one wants to die.


#3 Jag11


Posted 05 April 2006 - 09:11 AM

Please follow the instructions provided, you may want to print out these instructions and use them as a reference. If you have any questions regarding the fix, please ask us before proceeding. Please make sure that you follow this in the right order as I have listed.

===================================================

Your HijackThis is still in a .zip file. While HJT is zipped it can't create backups, so we must delete this .zip file and re-install HJT again. To do that, please follow the instructions below:
  • Please delete your old copy of HijackThis.
  • Download HijackThis (self-extracting) to your Desktop.
  • Double-click the file, then click the Unzip button.
  • Close the window afterwards.
Your HijackThis is now in a permanent folder, and can save backups safely. Please remember that it is now saved in C:\Program Files\HijackThis\

===================================================

Download ATF Cleaner
  • Save it to your Desktop. We will use this later.
Download smitRem.exe
  • Save it to your desktop.
  • Extract the file to its own folder.
Download Ewido Anti-Malware
  • Install Ewido.
  • When installing, under Additional Options, uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch Ewido.
  • The program will now open the main screen.
  • You will need to update Ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on the Start Update button.
  • The update will start and a progress bar will show the updates being installed.
  • After it has finished, close Ewido, we will use it later.
  • If you are having problems with the updater, you can use this link to manually update ewido » Ewido manual updates.
===================================================

Boot into Safe Mode. Please restart your computer and as soon as it starts to boot, tap F8 repeatedly. A menu should appear, select Safe Mode from the menu and then hit Enter on your keyboard. (this will take a while, so don't worry, just wait)

===================================================

Run HijackThis

Please open HJT, click Do a system scan only, and then place a checkmark beside each of these entries:

O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp78BA.tmp (file missing)

After placing all the checkmarks, close all windows (except HJT), and then hit Fix Checked. When it finishes, exit HJT.

===================================================

Run smitRem

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

===================================================

Run ATF Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

===================================================

Run Ewido
  • Open Ewido.
  • Click on scanner at the left side, then click on Complete System Scan.
    • Please don't use the computer while scanning
    • Sometimes Ewido reports legit files as malware, so you need to Remove these one-by-one, if you see a legit file being reported, just select None.
  • Once the scan has completed, click the button located on the bottom of the screen named Save report.
  • Save the report as .txt file to your Desktop.
  • Close Ewido.
===================================================

Restart your computer

===================================================

Post a new HijackThis log with - Ewido log and smitRem log (C:\smitfiles.txt).

#4 wondurboy112


Posted 07 April 2006 - 09:42 AM

Logfile of HijackThis v1.99.1
Scan saved at 10:36:30 AM, on 4/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\PETERM~1.MAJ\LOCALS~1\Temp\Rar$EX00.937\HijackThis.exe

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

My smit files I have misplaced =( or I didn't save them... sorry...
Thank you so much though, I really really appreciate it. It was ruining game play and everything. I got that by trying to update Java, you know. That kinda angers me. Thank you for giving me your time and efforts, it helped! THANK YOU

#5 Jag11


Posted 07 April 2006 - 10:32 AM

Check the smitRem log if it's there:

C:\smitfiles.txt

Post that if you found it.

Also, how about the Ewido log? You didn't post it. Please post it on your next reply.

You also disabled some startup entries with MSConfig; we need to see them because sometimes they can be malware. Follow these:

Click Start > Run > type: msconfig > OK
Select Normal Startup - load all device drivers and services, then click OK at the bottom. When it asks you to restart your computer, answer NO.

Then open HJT and run a scan and save the log file and post it here, along with the Ewido log. And the smitRem log if you found it.
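The two things Jag11 picked out of the logs above (a nameless BHO pointing at a missing .tmp file in system32 in the first scan, and an MSConfig entry meaning startup items were hidden in the second) can be checked mechanically. The Python below is an added example, not code from this thread or from HijackThis: it parses HJT entry lines, flags those patterns, and diffs the O4 autostart entries of two scans, using a constructed, trimmed-down pair of logs modelled on the ones posted here.

```python
"""Triage helper for HijackThis-style logs (added example, not code from the
thread or from HijackThis). Parses the R/O entry lines, flags the patterns the
helper in this thread acted on, and diffs the O4 autostart entries of two scans
so that items hidden by MSConfig's selective startup show up as missing."""
import re
from dataclasses import dataclass

# One HJT entry line: a section code (R0, O2, O4, O23, ...), " - ", then the rest.
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class Entry:
    code: str  # HJT section, e.g. "O2" (BHO) or "O4" (autostart)
    body: str  # everything after the section code


def parse_log(text):
    """Keep only the R/O entry lines; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def flag_entry(e):
    """Reasons an entry deserves a closer look; an empty list means nothing noted."""
    reasons = []
    body_l = e.body.lower()
    if "(file missing)" in body_l:
        reasons.append("referenced file is missing")
    if "(no name)" in body_l:
        reasons.append("component has no name")
    if e.code == "O2" and re.search(r"\\system32\\[^\\]+\.tmp\b", e.body, re.I):
        reasons.append("BHO loads from a .tmp file in system32")
    if e.code == "R0" and "start page = about:blank" in body_l:
        reasons.append("IE start page reset to about:blank")
    if e.code == "O4" and "msconfig.exe /auto" in body_l:
        reasons.append("MSConfig is hiding disabled startup items")
    return reasons


def flagged(entries):
    return [(e, reasons) for e in entries if (reasons := flag_entry(e))]


def diff_startup(before, after):
    """O4 bodies that vanished, and that appeared, between two scans."""
    b = {e.body for e in before if e.code == "O4"}
    a = {e.body for e in after if e.code == "O4"}
    return sorted(b - a), sorted(a - b)


def review(before_text, after_text):
    """Everything a log helper would want from a pair of scans, as plain data."""
    before, after = parse_log(before_text), parse_log(after_text)
    gone, new = diff_startup(before, after)
    return {
        "flagged_before": {e.body: r for e, r in flagged(before)},
        "flagged_after": {e.body: r for e, r in flagged(after)},
        "startup_gone": gone,
        "startup_new": new,
    }


# Constructed sample logs: a trimmed-down version of the first and second scans
# posted in this thread (entries quoted from the thread, process list shortened).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\mssearchnet.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp78BA.tmp (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"""

if __name__ == "__main__":
    result = review(LOG_BEFORE, LOG_AFTER)
    for section, items in result.items():
        print(f"== {section}")
        for item in (items.items() if isinstance(items, dict) else items):
            print("  ", item)
```

On the sample pair the second scan is reported as having two autostart entries gone (vptray and the Java updater) and an MSConfig entry present, which is exactly the "we need to see them" situation Jag11 describes.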

#6 wondurboy112


Posted 07 April 2006 - 07:31 PM

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 04/06/2006
The current time is: 20:54:13.76

Running from
C:\Documents and Settings\Peter Majka.MAJKA\Desktop\smit\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

mssearchnet.exe
ncompat.tlb
nvctrl.exe
hp***.tmp


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 800 'explorer.exe'
Killing PID 800 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE

Logfile of HijackThis v1.99.1
Scan saved at 7:39:24 PM, on 4/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\PETERM~1.MAJ\LOCALS~1\Temp\Rar$EX00.609\HijackThis.exe

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:26:51 PM, 4/7/2006
+ Report-Checksum: 923D78A7

+ Scan result:

C:\RECYCLER\S-1-5-21-1417001333-1958367476-725345543-1004\Dc1\Local Settings\Temp\alchem.cab/alchem.exe -> Downloader.Alchemic : Ignored
C:\RECYCLER\S-1-5-21-1417001333-1958367476-725345543-1004\Dc2\Local Settings\Temp\THI3000.tmp\twaintec.cab/twaintec.dll -> Adware.BiSpy : Ignored
C:\RECYCLER\S-1-5-21-1417001333-1958367476-725345543-1004\Dc2\Local Settings\Temp\THI3000.tmp\twaintec.cab/preInsTT.exe -> Adware.BiSpy : Ignored
C:\RECYCLER\S-1-5-21-1417001333-1958367476-725345543-1004\Dc2\Local Settings\Temp\THI3000.tmp\twaintec.cab/polall1t.exe -> Downloader.Agent.ae : Ignored
:mozilla.30:C:\Documents and Settings\Peter Majka.MAJKA\Application Data\Mozilla\Firefox\Profiles\pemo9ynl.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Peter Majka.MAJKA\Application Data\Mozilla\Firefox\Profiles\pemo9ynl.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Peter Majka.MAJKA\Application Data\Mozilla\Firefox\Profiles\pemo9ynl.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Peter Majka.MAJKA\Application Data\Mozilla\Firefox\Profiles\pemo9ynl.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Peter Majka.MAJKA\Application Data\Mozilla\Firefox\Profiles\pemo9ynl.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Peter Majka.MAJKA\Application Data\Mozilla\Firefox\Profiles\pemo9ynl.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Peter Majka.MAJKA\Application Data\Mozilla\Firefox\Profiles\pemo9ynl.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Peter Majka.MAJKA\Application Data\Mozilla\Firefox\Profiles\pemo9ynl.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Peter Majka.MAJKA\Application Data\Mozilla\Firefox\Profiles\pemo9ynl.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010711.exe -> Dropper.PurityScan.e : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010712.exe -> Downloader.Small.qd : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010713.exe -> Downloader.Small.qd : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010714.exe -> Downloader.Small.qd : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010715.exe -> Downloader.Small.qd : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010716.exe -> Downloader.Small.qd : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010717.exe -> Downloader.Small.qd : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010718.exe -> Downloader.Small.qd : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010719.exe -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010720.exe -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010721.exe -> Adware.PowerScan : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010722.exe -> Downloader.Alchemic : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010723.EXE -> Adware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010724.exe -> Adware.WebRebates : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010725.exe -> Downloader.IstBar.fm : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010726.exe -> Dropper.PurityScan.q : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010727.exe -> Downloader.Dyfuca.bq : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010728.exe -> Adware.PowerScan : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010729.exe -> Downloader.PurityScan.b : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010730.exe -> Backdoor.Rbot : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010731.exe -> Downloader.Small.qd : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010732.exe -> Downloader.Agent.df : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010733.EXE -> Adware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010734.exe -> Adware.WebRebates : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010735.dll -> Downloader.IstBar : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010736.exe -> Downloader.IstBar : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010737.exe -> Dropper.PurityScan.q : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010738.exe -> Downloader.IstBar.bo : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010739.dll -> Adware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010740.exe -> Adware.BlazeFind : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010741.exe -> Adware.PowerScan : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010742.exe -> Adware.BiSpy : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010743.exe -> Trojan.Scapur.a : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010744.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010745.exe -> Downloader.PurityScan.b : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010746.exe -> Downloader.Agent.ae : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010747.exe -> Adware.BiSpy : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010748.dll -> Adware.BiSpy : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010749.dll -> Adware.BiSpy : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010750.exe -> Adware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010751.exe -> Adware.SaveNow : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010752.REG -> Trojan.LowZones.a : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010753.tlb -> Downloader.Zlob.ke : Cleaned with backup
C:\System Volume Information\_restore{75AF64DB-39D2-49D1-97EA-B53079146322}\RP219\A0010754.exe -> Downloader.Small.qd : Cleaned with backup


::Report End


There ya go... and again thank you so very much!

#7 Jag11


Posted 08 April 2006 - 02:45 AM

Good, thanks for finding the logs. Let's start.

=====================================

Move HijackThis

Your HJT is not in a permanent folder. We need to move it, please follow these steps:
  • Click Start » Run » ( type: C:\Program Files ) » OK.
  • A window will open.
  • Click File » New » Folder. ( name it HJT or any of your choice )
  • Move HJT files in this folder.
The program creates backup files that we may need to use later. If the program is in a Temporary folder, files may be deleted by you or automatically if your system is set to empty temp files.

=====================================

You have both Viewpoint and Weatherbug, and we recommend that those programs be removed because:

WeatherBug is a system tray icon that offers weather information and includes built-in ads. WeatherBug is controlled by AWS Convergence Technologies (weatherbugmedia.com).
There is some controversy over whether WeatherBug should be targeted by anti-parasite software. AWS strongly deny their software is ‘spyware’, and by the definition used here, it is not, as it does not leak information back to its controlling servers.
However, WeatherBug has in the past been silently installed by the FavoriteMan parasite and Freeze.com screensavers, and more recently has been bundled by software such as AIM and Blubster. This makes it ‘unsolicited’, and since it is installed to raise money for its creators through the built-in ads it is certainly ‘commercial’. So it does meet the definition for ‘parasite’: unsolicited commercial software. It is nonetheless listed as a borderline case because it is not overtly harmful and many people do install it deliberately.
WeatherBug bundles the MySearch parasite in its standalone distribution and has in the past, installed Gator and SVAPlayer.


Viewpoint components are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting "Disable auto-updating for the Viewpoint Manager" -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.


This is optional, so it is up to you if you want to remove it or to leave it. Just skip the instructions marked with (*) if you don't want to remove them.

* Click Start » Control Panel » Add/Remove Programs, and then Uninstall these programs (if present):
  • Viewpoint
  • Weatherbug

* Please open HJT, click Do a system scan only, and then place a checkmark beside each of these entries:

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1


* After placing all the checkmarks, close all windows (except HJT), and then hit Fix Checked. When it finishes, exit HJT.

Find and delete these folders:

C:\Program Files\AWS\
C:\Program Files\Viewpoint\

=====================================

Please empty your Recycle Bin.

=====================================

Run an online scan at Kaspersky
  • Please go here to run Kaspersky Online Virus Scanner.
  • You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under select a target to scan, select My Computer.
  • This will scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button, and save it to your Desktop.
  • Copy and paste that information in your next post.
=====================================

Then please post these logs:
  • Kaspersky
  • HJT log (new)


#8 Jag11


Posted 16 April 2006 - 06:58 AM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Jet Ian