Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Something On My Computer


  • This topic is locked This topic is locked
8 replies to this topic

#1 Cluelessperson

Cluelessperson

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:32 AM

Posted 26 June 2006 - 08:57 PM

Edit:Gah... i put this in wrong section didn't i... could someone move it to the proper section?



Well I'm stuck with something though i don't know what. Adaware and Spybot didn't clean it so i need to find out a way to get rid of it. One thing it has been doing is starting a process that took 90+% of my cpu usage every once in a while ( i think name changes every time it is created).


Putting up my Hijackthis log..

Logfile of HijackThis v1.99.1
Scan saved at 8:44:16 PM, on 6/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Documents and Settings\Brendan\Local Settings\Application Data\e4049b87.exe
C:\PROGRA~1\COMMON~1\SKS~1\TTRIB~1.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Documents and Settings\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Nothing - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [1d7cabce.exe] C:\WINDOWS\system32\1d7cabce.exe
O4 - HKLM\..\Run: [!ewido] "E:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [e4049b87.exe] C:\WINDOWS\system32\e4049b87.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [e4049b87.exe] C:\Documents and Settings\Brendan\Local Settings\Application Data\e4049b87.exe
O4 - HKCU\..\Run: [Oabs] "C:\DOCUME~1\Brendan\APPLIC~1\ICROSO~1\msiexec.exe" -vt ndrv
O4 - HKCU\..\Run: [Aiyejco] C:\PROGRA~1\COMMON~1\SKS~1\TTRIB~1.EXE
O4 - HKCU\..\Run: [1d7cabce.exe] C:\Documents and Settings\Brendan\Local Settings\Application Data\1d7cabce.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: wbsys.dll C:\WINDOWS\system32\csrss.dll
O20 - Winlogon Notify: WBSrv - E:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: winwim32 - winwim32.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - E:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

Edited by Cluelessperson, 26 June 2006 - 09:02 PM.


BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:32 AM

Posted 27 June 2006 - 07:41 AM

Hello,

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

Go to start > controlpanel > software > add/remove programs and uninstall next if present:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it.


If OIN not listed, download and run this uninstaller.

Reboot when done! Really important!

* Download smitRem and save the file to your desktop.
Doubleclick it and choose install. This will create a new folder on your desktop with the name smitrem.

I see you already have Ewido installed.
  • Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
Don't run the scan yet.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Nothing - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [1d7cabce.exe] C:\WINDOWS\system32\1d7cabce.exe
O4 - HKLM\..\Run: [e4049b87.exe] C:\WINDOWS\system32\e4049b87.exe
O4 - HKCU\..\Run: [e4049b87.exe] C:\Documents and Settings\Brendan\Local Settings\Application Data\e4049b87.exe
O4 - HKCU\..\Run: [Oabs] "C:\DOCUME~1\Brendan\APPLIC~1\ICROSO~1\msiexec.exe" -vt ndrv
O4 - HKCU\..\Run: [Aiyejco] C:\PROGRA~1\COMMON~1\SKS~1\TTRIB~1.EXE
O4 - HKCU\..\Run: [1d7cabce.exe] C:\Documents and Settings\Brendan\Local Settings\Application Data\1d7cabce.exe
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O20 - Winlogon Notify: winwim32 - winwim32.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Ignore the error you'll get when fixing the O20 entry. Just click ok there.

Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="wbsys.dll"


Save this as fix.reg Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
In case you still are unsure how to create a reg file, take a look here with screenshots.

* Reboot into Safe Mode`: ( without networking support !)
°To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\Documents and Settings\Brendan\Local Settings\Application Data\e4049b87.exe
C:\WINDOWS\system32\1d7cabce.exe
C:\WINDOWS\system32\e4049b87.exe
C:\Documents and Settings\Brendan\Local Settings\Application Data\1d7cabce.exe

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
  • Open Ewido...
  • Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close Ewido
* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

* Reboot back into Windows normal mode.

* Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply along with a new HijackThis Log, the Ewido-log,
the contents of smitfiles.txt which is present on your Homedrive (C:\ in most cases) by using Add Reply.

Edited by miekiemoes, 27 June 2006 - 07:42 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Cluelessperson

Cluelessperson
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:32 AM

Posted 27 June 2006 - 08:46 PM

I can't seem to be able to save as all files here is a picture...

It doesnt like my picture so ill just put a link to it

http://community.webshots.com/photo/551582...089767628qxQcsT

Edited by Cluelessperson, 27 June 2006 - 08:47 PM.


#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:32 AM

Posted 28 June 2006 - 01:42 AM

You didn't use notepad? You used wordpad to create it.. It has to be in notepad.

Anyway, if that doesn't work, skip that step and proceed with the next step. Just let me know afterwards. I'll create the regfix for you instead.

Edited by miekiemoes, 28 June 2006 - 01:43 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Cluelessperson

Cluelessperson
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:32 AM

Posted 28 June 2006 - 10:55 AM

It worked and i've done all of the instructions you've given so far. Now posting the texts requested.

********smitfiles.txt


smitRem © log file
version 3.0

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: Wed 06/28/2006
The current time is: 9:50:56.79

Running from
C:\Documents and Settings\Brendan\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{7916f057-223f-4612-ac84-e882cbe043d4}"="bals"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{7916f057-223f-4612-ac84-e882cbe043d4}\InProcServer32]
@="C:\WINDOWS\system32\hvcycg.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url
Security Troubleshooting.url


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

regperf.exe
simpole.tlb
stdole3.tlb
dcomcfg.exe
amcompat.tlb
nscompat.tlb
ld****.tmp


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 804 'explorer.exe'
Killing PID 804 'explorer.exe'
Killing PID 804 'explorer.exe'
Killing PID 804 'explorer.exe'
Killing PID 804 'explorer.exe'
Killing PID 804 'explorer.exe'
Killing PID 804 'explorer.exe'
Killing PID 804 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :thumbsup:

**********************Activescan.txt


Incident Status Location

Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Brendan\Cookies\brendan@questionmarket[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Brendan\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Brendan\Desktop\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Brendan\Desktop\VirtumundoBeGone.exe[²ƒÇ]
Dialer:dialer.avv Not disinfected C:\WINDOWS\Downloaded Program Files\gdnUS2339.exe
Adware:Adware Program Not disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\inf\alchem.inf
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\inf\biC.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\inf\biini.inf
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\inf\conscorr.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\inf\mmaker2.inf
Adware:Adware/Transponder Not disinfected C:\WINDOWS\inf\polall1r.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\inf\satmat.inf
Adware:adware/ieplugin Not disinfected C:\WINDOWS\kwv2.dat
Adware:Adware/Redswoosh Not disinfected C:\WINDOWS\RSEDNClientUninstaller.exe
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\satmat.ini
Adware:Adware/InstaFinder Not disinfected C:\WINDOWS\system32\InstaFinder_inst245.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\khfdbby.dll.vir
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\system32\xmltok.dll


*********************Report-Scan-20060628-094928.txt (Ewido)


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:49:28 AM 6/28/2006

+ Scan result:



C:\Documents and Settings\Brendan\Local Settings\Temp\!update.exe -> Adware.ClickSpring : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
C:\Program Files\FileSubmit\Dragon Isle\NNEZTA388.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\themexp\Themexp.org File\NNWDAB638.EXE -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Program Files\FileSubmit\Dragon Isle\TBEZA127Q.exe -> Adware.Quick : Cleaned with backup (quarantined).
C:\Program Files\themexp\Themexp.org File\Ezthemes_WhenUSaveNow_InstallerInst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Brendan\Local Settings\Temp\OA.exe -> Downloader.PurityScan.cq : Cleaned with backup (quarantined).
C:\Documents and Settings\Brendan\Local Settings\Temp\mst4E.tmp -> Trojan.Agent.vg : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024 -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld10FE.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld176F.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld1888.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld1898.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld1A64.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld1C11.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld1D3B.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld20ED.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld212.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld26B9.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld27C2.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld287E.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld2EE5.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld2FC9.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld30A4.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld3332.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld343.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld35A.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld3789.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld38AB.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld3E67.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld3F61.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld4099.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld477E.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld4787.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld4A93.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld4C13.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld4DD0.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld50E.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld550C.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld5606.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld5857.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld5BC.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld5CC4.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld5F1C.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld5F84.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld6166.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld62E7.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld672C.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld6CE9.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld6EAF.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld6FA8.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld72BD.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld7425.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld7555.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld7767.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld7859.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld7B47.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld7BBE.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld815B.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld8173.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld81C1.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld825.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld869B.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld8C77.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld8E2B.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld9086.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld90A4.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld93D0.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld9447.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld97D9.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld9977.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld99C5.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld9D7F.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldA1E2.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldA4B1.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldA566.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldA65E.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldA749.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldA95C.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldAA6B.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldACA1.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldAED4.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldB51D.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldB73F.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldB794.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldB7BB.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldBDC0.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldBE13.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldBE5A.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldBF10.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldBF93.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldC53A.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldC652.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldCBB1.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldCFCF.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldD1B3.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldD4B7.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldD7CE.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldD92E.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldDD25.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldE0C7.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldEA3D.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldECB4.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldEF07.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldEFDA.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldF030.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldF68.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldF911.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\atmclk.exe -> Trojan.Small : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\\kernel32.dll -> Trojan.Small : Cleaned with backup (quarantined).


::Report end


********************hijackthis.log

Logfile of HijackThis v1.99.1
Scan saved at 10:46:22 AM, on 6/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Documents and Settings\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WBSrv - E:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - E:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

Edited by Cluelessperson, 28 June 2006 - 10:56 AM.


#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:32 AM

Posted 28 June 2006 - 11:11 AM

Your hijackthislog looks clean again. :thumbsup:

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders afterwards again, when we are done with this thread and your problems are solved, because above instructions to set your system to show all files, unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


Delete next files:

C:\WINDOWS\inf\alchem.inf
C:\WINDOWS\inf\biC.inf
C:\WINDOWS\inf\biini.inf
C:\WINDOWS\inf\conscorr.inf
C:\WINDOWS\inf\mmaker2.inf
C:\WINDOWS\inf\polall1r.inf
C:\WINDOWS\inf\satmat.inf
C:\WINDOWS\kwv2.dat
C:\WINDOWS\RSEDNClientUninstaller.exe
C:\WINDOWS\satmat.ini
C:\WINDOWS\system32\InstaFinder_inst245.exe
C:\WINDOWS\system32\khfdbby.dll.vir
C:\WINDOWS\system32\xmltok.dll

Go to start > run and type: regsvr32 /u occache.dll
(or copy and paste this in the field in start > run )
Click Ok

Now search and delete:

C:\WINDOWS\Downloaded Program Files\gdnUS2339.exe
C:\WINDOWS\Downloaded Program Files\WildApp.inf

Go to start > run and type regsvr32 occache.dll
Click OK

Let me know in your next reply how things are running now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Cluelessperson

Cluelessperson
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:32 AM

Posted 28 June 2006 - 04:01 PM

Since i did what you first said i havn't had much trouble. The cpu hog i think was 1d7cabce.exe ( i think that was the process' first name it was under). I just wanted to at least finish cleaning it. Thank you very much for all your help.

Edit: By the way... I'm just wondering would you be able to help me at all with an installshield wizard problem i'm having. I looked up the error code on the internet and all that came up was someone asking for help with it. The solution that was given I know for a fact has nothing to do with the problem. If you might be able to do anything about it i'll upload pictures of the error occurances.

Edited by Cluelessperson, 28 June 2006 - 04:05 PM.


#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:32 AM

Posted 28 June 2006 - 04:04 PM

Well, that wasn't the only cpu hog - there were a lot of other infections present as well. But we cleaned them now :thumbsup:

Perform a full scan with an updated Adaware SE and/or Spybot S&D to get rid of some leftovers if still present.
If you don't have those programs yet, you can find the downloadlocations in my signature.

Glad I could help. :flowers:

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn`t scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Let your antispywarescanner(s) scan frequently and don't forget to update before.

And I do suggest you perform an online virusscan once in a while. (Housecall and/or Bitdefender). Because what one virusscanner can't find another one maybe can.
Also make sure that your virusscanner, the one that is installed on your system is always up to date!

Make sure your windows has the latest updates: http://windowsupdate.microsoft.com/

If you are having XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to Protect your Pc, Protect yourself and Protect your Family.

More info on how to prevent malware you can also find here (By Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

If you want to fight back the Malware Writers that have made your life a misery, please take a look here.

Happy surfing again! :huh:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:32 AM

Posted 28 June 2006 - 05:15 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users