Can Someone Take A Look At This For Me?


10 replies to this topic

#1 Sparda (Members, 26 posts)

Posted 14 June 2006 - 02:27 PM

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\VitalSigns\Net.Medic\Program\netMedic.exe
C:\PROGRA~1\VITALS~1\Net.Medic\Program\syshook.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jihj\My Documents\Unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "yahoo.com"); (C:\Documents and Settings\jihj\Application Data\Mozilla\Profiles\default\wgpay4tk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\jihj\Application Data\Mozilla\Profiles\default\wgpay4tk.slt\prefs.js)
O1 - Hosts: 85.249.139.66 socks.tempservice.org
O1 - Hosts: 85.249.138.154 socks.temphost.ws
O1 - Hosts: 85.249.138.154 j006_fljkdr.fgkfps.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [8df09d03.exe] C:\WINDOWS\System32\8df09d03.exe
O4 - HKLM\..\Run: [f56eda7c.exe] C:\WINDOWS\System32\f56eda7c.exe
O4 - HKCU\..\Run: [RamBooster] C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [8df09d03.exe] C:\Documents and Settings\jihj\Local Settings\Application Data\8df09d03.exe
O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe
O4 - HKCU\..\Run: [f56eda7c.exe] C:\Documents and Settings\jihj\Local Settings\Application Data\f56eda7c.exe
O4 - Global Startup: Net.Medic.lnk = C:\Program Files\VitalSigns\Net.Medic\Program\netMedic.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136714370170
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136714345186
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...509/mcfscan.cab
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe



My main problem is that I can't delete senssrv.dll, but I'm not sure if I missed anything else. Any advice?

Edit: Can no longer change pages on Netscape. It is stuck on one page. I also forgot to mention that Spybot detected Desktop.ActiveDesktop. I'm on a laptop right now.

Edited by Sparda, 14 June 2006 - 03:47 PM.




#2 Sparda (Topic Starter, Members, 26 posts)

Posted 14 June 2006 - 07:21 PM

Started up comp and did another HJT scan. It looks like something changed.


Logfile of HijackThis v1.99.1
Scan saved at 5:16:43 PM, on 6/14/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\WINDOWS\System32\8df09d03.exe
C:\WINDOWS\System32\f56eda7c.exe
C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\VitalSigns\Net.Medic\Program\netMedic.exe
C:\PROGRA~1\VITALS~1\Net.Medic\Program\syshook.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\TEMP\2C50.tmp
C:\Documents and Settings\jihj\My Documents\Unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "yahoo.com"); (C:\Documents and Settings\jihj\Application Data\Mozilla\Profiles\default\wgpay4tk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\jihj\Application Data\Mozilla\Profiles\default\wgpay4tk.slt\prefs.js)
O1 - Hosts: 85.249.139.66 socks.tempservice.org
O1 - Hosts: 85.249.138.154 socks.temphost.ws
O1 - Hosts: 85.249.138.154 j006_fljkdr.fgkfps.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [8df09d03.exe] C:\WINDOWS\System32\8df09d03.exe
O4 - HKLM\..\Run: [f56eda7c.exe] C:\WINDOWS\System32\f56eda7c.exe
O4 - HKCU\..\Run: [RamBooster] C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [8df09d03.exe] C:\Documents and Settings\jihj\Local Settings\Application Data\8df09d03.exe
O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe
O4 - HKCU\..\Run: [f56eda7c.exe] C:\Documents and Settings\jihj\Local Settings\Application Data\f56eda7c.exe
O4 - Global Startup: Net.Medic.lnk = C:\Program Files\VitalSigns\Net.Medic\Program\netMedic.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136714370170
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136714345186
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...509/mcfscan.cab
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
O21 - SSODL: CDRecorder001 - {A3BC5E20-0235-1ABF-9CE1-00AA00512001} - C:\WINDOWS\System32\dbepy32.dll (file missing)
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe




Did a scan with SpyOnThis and here's the log from that:
Scan started : 6/14/2006 8:26:05 PM

Total items scanned : 24630
Objects found : 63
Objects ignored : 0


Edited by Sparda, 14 June 2006 - 10:32 PM.


#3 MFDnSC (Ret. Director I/T, Members, 4,310 posts)

Posted 16 June 2006 - 01:39 PM

Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/s...&rc=4129&ac=tsg

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
  o Sweep Memory
  o Sweep Registry
  o Sweep Cookies
  o Sweep All User Accounts
  o Enable Direct Disk Sweeping
  o Sweep Contents of Compressed Files
  o Sweep for Rootkits

  o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.
Also post a new Hijack This log.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#4 Sparda (Topic Starter)

Posted 16 June 2006 - 06:02 PM

Due to a trojan, SpySweeper was unable to delete anything that it found. Here's the log:
********
1:06 PM: | Start of Session, Friday, June 16, 2006 |
1:06 PM: Spy Sweeper started
1:06 PM: Sweep initiated using definitions version 701
1:06 PM: Starting Memory Sweep
1:08 PM: Found Trojan Horse: trojan-backdoor-snd
1:08 PM: Detected running threat: C:\WINDOWS\system32\senssrv.dll (ID = 311188)
1:09 PM: Memory Sweep Complete, Elapsed Time: 00:03:10
1:09 PM: Starting Registry Sweep
1:09 PM: Found Adware: bravesentry
1:09 PM: HKLM\software\microsoft\windows\currentversion\uninstall\bravesentry\ (5 subtraces) (ID = 1198509)
1:09 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\senssrv\ (4 subtraces) (ID = 1225639)
1:09 PM: Found Trojan Horse: trojan-backdoor-cyn
1:09 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\polymorphreg\ (4 subtraces) (ID = 1345619)
1:09 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\polymorphreg\ || dllname (ID = 1345620)
1:09 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\artm_newreg\ (4 subtraces) (ID = 1499383)
1:09 PM: Found Trojan Horse: trojan-backdoor-flood.mirc
1:09 PM: HKCR\chatfile\ (15 subtraces) (ID = 1505519)
1:09 PM: HKCR\irc\defaulticon\ (1 subtraces) (ID = 1505536)
1:09 PM: HKCR\irc\shell\open\command\ (1 subtraces) (ID = 1505540)
1:09 PM: HKLM\software\classes\chatfile\defaulticon\ (1 subtraces) (ID = 1505553)
1:09 PM: HKLM\software\classes\irc\defaulticon\ (1 subtraces) (ID = 1505564)
1:09 PM: HKLM\software\classes\irc\shell\ (11 subtraces) (ID = 1505566)
1:09 PM: HKU\S-1-5-21-527237240-308236825-725345543-1003\software\bravesentry\ (11 subtraces) (ID = 1198479)
1:09 PM: HKU\S-1-5-21-527237240-308236825-725345543-1003\software\microsoft\windows\currentversion\run\ || bravesentry (ID = 1199973)
1:09 PM: Registry Sweep Complete, Elapsed Time:00:00:10
1:09 PM: Starting Cookie Sweep
1:09 PM: Found Spy Cookie: yieldmanager cookie
1:09 PM: jihj@ad.yieldmanager[2].txt (ID = 3751)
1:09 PM: Found Spy Cookie: tacoda cookie
1:09 PM: jihj@anad.tacoda[2].txt (ID = 6445)
1:09 PM: Found Spy Cookie: ask cookie
1:09 PM: jihj@ask[1].txt (ID = 2245)
1:09 PM: Found Spy Cookie: atwola cookie
1:09 PM: jihj@atwola[1].txt (ID = 2255)
1:09 PM: Found Spy Cookie: belnk cookie
1:09 PM: jihj@belnk[1].txt (ID = 2292)
1:09 PM: jihj@dist.belnk[2].txt (ID = 2293)
1:09 PM: Found Spy Cookie: realmedia cookie
1:09 PM: jihj@network.realmedia[1].txt (ID = 3236)
1:09 PM: Found Spy Cookie: nextag cookie
1:09 PM: jihj@nextag[1].txt (ID = 5014)
1:09 PM: jihj@tacoda[1].txt (ID = 6444)
1:09 PM: Found Spy Cookie: burstbeacon cookie
1:09 PM: jihj@www.burstbeacon[1].txt (ID = 2335)
1:09 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
1:09 PM: Starting File Sweep
1:10 PM: Found Trojan Horse: trojan-downloader-game4all.biz
1:10 PM: artdec7.tmp (ID = 311177)
1:22 PM: pol9b52.tmp (ID = 309555)
1:33 PM: senssrv.dll (ID = 311188)
1:34 PM: Found Adware: tvmedia
1:34 PM: tvmuknwrd.dll (ID = 81759)
1:37 PM: File Sweep Complete, Elapsed Time: 00:28:05
1:37 PM: Full Sweep has completed. Elapsed time 00:31:28
1:37 PM: Traces Found: 86
1:38 PM: Removal process initiated
1:38 PM: Quarantining All Traces: trojan-backdoor-snd
2:20 PM: The Spy Communication shield has blocked access to: msupdate.info
2:20 PM: The Spy Communication shield has blocked access to: msupdate.info
2:20 PM: Processing Hosts File Alerts
2:20 PM: Fixed Hosts File entry: socks.tempservice.org
2:20 PM: Fixed Hosts File entry: socks.temphost.ws
2:20 PM: Fixed Hosts File entry: j006_fljkdr.fgkfps.com
2:21 PM: | End of Session, Friday, June 16, 2006 |
********
1:04 PM: | Start of Session, Friday, June 16, 2006 |
1:04 PM: Spy Sweeper started
1:04 PM: Your spyware definitions have been updated.
1:06 PM: | End of Session, Friday, June 16, 2006 |


HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 4:01:42 PM, on 6/16/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\VitalSigns\Net.Medic\Program\netMedic.exe
C:\PROGRA~1\VITALS~1\Net.Medic\Program\syshook.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\AntiVir PersonalEdition Classic\avscan.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Documents and Settings\jihj\My Documents\Unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "yahoo.com"); (C:\Documents and Settings\jihj\Application Data\Mozilla\Profiles\default\wgpay4tk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\jihj\Application Data\Mozilla\Profiles\default\wgpay4tk.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [RamBooster] C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [8df09d03.exe] C:\Documents and Settings\jihj\Local Settings\Application Data\8df09d03.exe
O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe
O4 - HKCU\..\Run: [f56eda7c.exe] C:\Documents and Settings\jihj\Local Settings\Application Data\f56eda7c.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Net.Medic.lnk = C:\Program Files\VitalSigns\Net.Medic\Program\netMedic.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136714370170
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136714345186
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...509/mcfscan.cab
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: CDRecorder001 - {A3BC5E20-0235-1ABF-9CE1-00AA00512001} - C:\WINDOWS\System32\dbepy32.dll (file missing)
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



Thanks for your help btw.

#5 Sparda (Topic Starter)

Posted 16 June 2006 - 07:43 PM

Update: SpySweeper managed to delete what it found after I downloaded and ran AntiVir Guard. Here's the updated log:
********
5:06 PM: | Start of Session, Friday, June 16, 2006 |
5:06 PM: Spy Sweeper started
5:06 PM: Sweep initiated using definitions version 701
5:06 PM: Starting Memory Sweep
5:08 PM: Memory Sweep Complete, Elapsed Time: 00:02:05
5:08 PM: Starting Registry Sweep
5:08 PM: Found Adware: bravesentry
5:08 PM: HKLM\software\microsoft\windows\currentversion\uninstall\bravesentry\ (5 subtraces) (ID = 1198509)
5:08 PM: Found Trojan Horse: trojan-backdoor-snd
5:08 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\senssrv\ (3 subtraces) (ID = 1225639)
5:08 PM: Found Trojan Horse: trojan-backdoor-cyn
5:08 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\polymorphreg\ (4 subtraces) (ID = 1345619)
5:08 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\polymorphreg\ || dllname (ID = 1345620)
5:08 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\artm_newreg\ (4 subtraces) (ID = 1499383)
5:08 PM: Found Trojan Horse: trojan-backdoor-flood.mirc
5:08 PM: HKCR\chatfile\ (15 subtraces) (ID = 1505519)
5:08 PM: HKCR\irc\defaulticon\ (1 subtraces) (ID = 1505536)
5:08 PM: HKCR\irc\shell\open\command\ (1 subtraces) (ID = 1505540)
5:08 PM: HKLM\software\classes\chatfile\defaulticon\ (1 subtraces) (ID = 1505553)
5:08 PM: HKLM\software\classes\irc\defaulticon\ (1 subtraces) (ID = 1505564)
5:08 PM: HKLM\software\classes\irc\shell\ (11 subtraces) (ID = 1505566)
5:08 PM: HKU\S-1-5-21-527237240-308236825-725345543-1003\software\bravesentry\ (11 subtraces) (ID = 1198479)
5:08 PM: HKU\S-1-5-21-527237240-308236825-725345543-1003\software\microsoft\windows\currentversion\run\ || bravesentry (ID = 1199973)
5:08 PM: Registry Sweep Complete, Elapsed Time:00:00:10
5:08 PM: Starting Cookie Sweep
5:08 PM: Found Spy Cookie: yieldmanager cookie
5:08 PM: jihj@ad.yieldmanager[2].txt (ID = 3751)
5:08 PM: Found Spy Cookie: tacoda cookie
5:08 PM: jihj@anad.tacoda[2].txt (ID = 6445)
5:08 PM: Found Spy Cookie: ask cookie
5:08 PM: jihj@ask[1].txt (ID = 2245)
5:08 PM: Found Spy Cookie: atwola cookie
5:08 PM: jihj@atwola[1].txt (ID = 2255)
5:08 PM: Found Spy Cookie: belnk cookie
5:08 PM: jihj@belnk[1].txt (ID = 2292)
5:08 PM: jihj@dist.belnk[2].txt (ID = 2293)
5:08 PM: Found Spy Cookie: realmedia cookie
5:08 PM: jihj@network.realmedia[1].txt (ID = 3236)
5:08 PM: Found Spy Cookie: nextag cookie
5:08 PM: jihj@nextag[1].txt (ID = 5014)
5:08 PM: jihj@tacoda[1].txt (ID = 6444)
5:08 PM: Found Spy Cookie: burstbeacon cookie
5:08 PM: jihj@www.burstbeacon[1].txt (ID = 2335)
5:08 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
5:08 PM: Starting File Sweep
5:21 PM: pol9b52.tmp (ID = 309555)
5:32 PM: Found Adware: tvmedia
5:32 PM: tvmuknwrd.dll (ID = 81759)
5:33 PM: File Sweep Complete, Elapsed Time: 00:24:35
5:33 PM: Full Sweep has completed. Elapsed time 00:26:53
5:33 PM: Traces Found: 82
5:38 PM: Removal process initiated
5:38 PM: Quarantining All Traces: trojan-backdoor-snd
5:38 PM: Quarantining All Traces: bravesentry
5:38 PM: Quarantining All Traces: trojan-backdoor-cyn
5:38 PM: Quarantining All Traces: trojan-backdoor-flood.mirc
5:38 PM: Quarantining All Traces: tvmedia
5:38 PM: Quarantining All Traces: ask cookie
5:38 PM: Quarantining All Traces: atwola cookie
5:38 PM: Quarantining All Traces: belnk cookie
5:38 PM: Quarantining All Traces: burstbeacon cookie
5:38 PM: Quarantining All Traces: nextag cookie
5:38 PM: Quarantining All Traces: realmedia cookie
5:38 PM: Quarantining All Traces: tacoda cookie
5:38 PM: Quarantining All Traces: yieldmanager cookie
5:38 PM: Removal process completed. Elapsed time 00:00:04
********



Did another HJT scan afterwards and here's the log from that:
Logfile of HijackThis v1.99.1
Scan saved at 5:39:17 PM, on 6/16/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\VitalSigns\Net.Medic\Program\netMedic.exe
C:\PROGRA~1\VITALS~1\Net.Medic\Program\syshook.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\jihj\My Documents\Unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "yahoo.com"); (C:\Documents and Settings\jihj\Application Data\Mozilla\Profiles\default\wgpay4tk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\jihj\Application Data\Mozilla\Profiles\default\wgpay4tk.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [RamBooster] C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [8df09d03.exe] C:\Documents and Settings\jihj\Local Settings\Application Data\8df09d03.exe
O4 - HKCU\..\Run: [f56eda7c.exe] C:\Documents and Settings\jihj\Local Settings\Application Data\f56eda7c.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Net.Medic.lnk = C:\Program Files\VitalSigns\Net.Medic\Program\netMedic.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136714370170
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136714345186
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...509/mcfscan.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: CDRecorder001 - {A3BC5E20-0235-1ABF-9CE1-00AA00512001} - C:\WINDOWS\System32\dbepy32.dll (file missing)
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Ones in bold are what I'm worried about.

Edit: Spybot S&D still keeps on picking up Desktop.ActiveDesktop.

Edited by Sparda, 16 June 2006 - 07:49 PM.


#6 MFDnSC
Ret. Director I/T

Posted 17 June 2006 - 09:35 AM

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HJT – mark them, close IE, click fix checked

O4 - HKCU\..\Run: [8df09d03.exe] C:\Documents and Settings\jihj\Local Settings\Application Data\8df09d03.exe

O4 - HKCU\..\Run: [f56eda7c.exe] C:\Documents and Settings\jihj\Local Settings\Application Data\f56eda7c.exe

O21 - SSODL: CDRecorder001 - {A3BC5E20-0235-1ABF-9CE1-00AA00512001} - C:\WINDOWS\System32\dbepy32.dll (file missing)


DownLoad http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\Documents and Settings\jihj\Local Settings\Application Data\8df09d03.exe

C:\Documents and Settings\jihj\Local Settings\Application Data\f56eda7c.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
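The entries picked out for fixing above follow a pattern a helper reads off a HijackThis log by eye: O4 autoruns with random hex names living under the user profile, O20 Winlogon Notify DLLs loaded from outside System32 or not shipped with Windows XP, and O21 SSODL entries whose DLL is missing. The script below is an added example, not part of this thread or of HijackThis, that encodes those checks; the sample lines are copied from the logs posted in this thread, and the allowlist of stock XP Notify packages is my own assumption.

```python
import re
from dataclasses import dataclass
from typing import List

# Assumed allowlist: Winlogon Notify packages present on a stock Windows XP
# install. Anything else gets a second look; it may still be legitimate
# security software (WRNotifier is Spy Sweeper's own hook in this thread).
XP_DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Constructed sample: lines copied from the HijackThis logs in this thread,
# benign ones included so the checks have something to ignore.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [8df09d03.exe] C:\Documents and Settings\jihj\Local Settings\Application Data\8df09d03.exe
O4 - HKCU\..\Run: [f56eda7c.exe] C:\Documents and Settings\jihj\Local Settings\Application Data\f56eda7c.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: CDRecorder001 - {A3BC5E20-0235-1ABF-9CE1-00AA00512001} - C:\WINDOWS\System32\dbepy32.dll (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>\S+) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
# Eight hex digits plus .exe, the naming seen on the two autoruns in this thread.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}\.exe$", re.IGNORECASE)
# Last path component ending in .exe, whether or not the command is quoted.
EXE_RE = re.compile(r"([^\\\"]+\.exe)\b", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str
    severity: str  # "suspicious" (fix candidate) or "review" (needs a human)


def _exe_name(cmd: str) -> str:
    """Return the executable file name from an O4 command string."""
    m = EXE_RE.search(cmd)
    return m.group(1) if m else cmd


def triage(log_text: str) -> List[Finding]:
    """Apply the three checks to every O4/O20/O21 line of a HijackThis log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = _exe_name(m["cmd"])
            in_profile = "\\application data\\" in m["cmd"].lower()
            if HEX_NAME_RE.match(exe) and in_profile:
                findings.append(Finding(
                    line, "autorun with random hex name under the user profile",
                    "suspicious"))
            continue
        m = O20_RE.match(line)
        if m:
            if "\\system32\\" not in m["path"].lower():
                findings.append(Finding(
                    line, "Winlogon Notify DLL loaded from outside System32",
                    "suspicious"))
            elif m["name"].lower() not in XP_DEFAULT_NOTIFY:
                # Path alone cannot tell senssrv.dll from a real system DLL;
                # that one was identified by scanner signatures in this thread.
                findings.append(Finding(
                    line, "Winlogon Notify package not shipped with Windows XP",
                    "review"))
            continue
        m = O21_RE.match(line)
        if m and "(file missing)" in m["path"]:
            findings.append(Finding(
                line, "ShellServiceObjectDelayLoad entry pointing at a missing DLL",
                "suspicious"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run against the sample, the two hex-named autoruns, the two Notify DLLs under Documents and Settings and the missing SSODL DLL come out as "suspicious"; SensSrv and WRNotifier come out as "review", since nothing in the path separates them.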

#7 Sparda (Topic Starter)

Posted 17 June 2006 - 01:34 PM

Did all the steps as you listed, but KillBox was unable to delete the two files you listed for me to delete and Desktop.ActiveDesktop still keeps on showing up. Here's the HJT log after the steps:

Logfile of HijackThis v1.99.1
Scan saved at 11:31:40 AM, on 6/17/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\VitalSigns\Net.Medic\Program\netMedic.exe
C:\PROGRA~1\VITALS~1\Net.Medic\Program\syshook.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\ati2sgag.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\jihj\My Documents\Unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "yahoo.com"); (C:\Documents and Settings\jihj\Application Data\Mozilla\Profiles\default\wgpay4tk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\jihj\Application Data\Mozilla\Profiles\default\wgpay4tk.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [RamBooster] C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Net.Medic.lnk = C:\Program Files\VitalSigns\Net.Medic\Program\netMedic.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136714370170
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136714345186
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...509/mcfscan.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#8 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • Local time:03:50 PM

Posted 17 June 2006 - 02:31 PM

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new hijack log.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#9 Sparda

Sparda
  • Topic Starter

  • Members
  • 26 posts
  • Local time:12:50 PM

Posted 17 June 2006 - 03:11 PM

Accidentally closed the report from Smitfraud the first time it popped up, so I did it again. In the first one, it killed a process along the lines of vtcgame.exe. It also removed the Desktop background. Smitfraud log that I saved:
SmitFraudFix v2.61

Scan done at 13:00:16.01, Sat 06/17/2006
Run from C:\Documents and Settings\jihj\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


HJT log from afterwards:
Logfile of HijackThis v1.99.1
Scan saved at 1:10:49 PM, on 6/17/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\VitalSigns\Net.Medic\Program\netMedic.exe
C:\PROGRA~1\VITALS~1\Net.Medic\Program\syshook.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Documents and Settings\jihj\My Documents\Unzipped\hijackthis\HijackThis.exe

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "yahoo.com"); (C:\Documents and Settings\jihj\Application Data\Mozilla\Profiles\default\wgpay4tk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\jihj\Application Data\Mozilla\Profiles\default\wgpay4tk.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [RamBooster] C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Net.Medic.lnk = C:\Program Files\VitalSigns\Net.Medic\Program\netMedic.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136714370170
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136714345186
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...509/mcfscan.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


Just did a scan with Spybot and Desktop.ActiveDesktop didn't show up.

Edited by Sparda, 17 June 2006 - 03:26 PM.
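
One way to see what a cleanup run actually changed, given the before and after HijackThis logs posted in this thread: an added Python example, not the thread's or HijackThis's own code, that parses the `Xn - ...` entry lines, diffs two logs and flags entries whose target file is missing. The simplified entry format is an assumption; the sample log excerpts are constructed from entries quoted above.

```python
"""Parse HijackThis 1.99 log entries and diff a before/after pair.
Added example, not the thread's or HijackThis's own code. Assumed simplified
format: one entry per line, '<Section> - <rest>' (R0, O4, O23, ...).
"""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O4" (autostart), "O23" (service)
    body: str     # everything after "<section> - "

    @property
    def file_missing(self):
        # HijackThis appends "(file missing)" when the referenced file is gone
        return self.body.endswith("(file missing)")


def parse_log(text):
    """Entries in a log; header and 'Running processes' lines do not match."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def diff_logs(before, after):
    """(removed, added): what a cleanup deleted and what newly appeared."""
    def key(e):
        return (e.section, e.body)
    removed = sorted(set(before) - set(after), key=key)
    added = sorted(set(after) - set(before), key=key)
    return removed, added


def missing_files(entries):
    """Dead autostarts/services: entries whose target file no longer exists."""
    return [e for e in entries if e.file_missing]


# Constructed excerpts from entries quoted in this thread: two R entries that
# the registry cleaning removed, and two entries that survived unchanged.
BEFORE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
"""
AFTER_LOG = r"""
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
"""
```

Running `diff_logs(parse_log(BEFORE_LOG), parse_log(AFTER_LOG))` lists the two R entries as removed and nothing added; `missing_files` still flags the ALG service entry, which survived the cleanup and still points at a file that is not there.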


#10 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • Local time:03:50 PM

Posted 17 June 2006 - 03:37 PM

So are you saying things are fixed, as the log is clean?
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#11 Sparda

Sparda
  • Topic Starter

  • Members
  • 26 posts
  • Local time:12:50 PM

Posted 17 June 2006 - 03:39 PM

Pretty much. Thanks for your help again btw!



