Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Alcra Worm...again! (i Think)


  • Please log in to reply
5 replies to this topic

#1 susie86

susie86

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:12:37 AM

Posted 01 July 2006 - 08:12 AM

Hey guys (and girls!)

I think i am infected with the alcra worm (again!!) i think i should just get rid of limewire altogether. My Limewire keeps opening and my ctrl alr delete controls does not work. It happened last time, i just can't remember what i did. Please if someone can help as soon as possible, i would appreciate that a lot!! thanks everyone!! oh...and if anyone can tell me of a really good antispyware, and something to stop pop-ups i would really appreciate that as well. And before you ask, I'm smart and not use Internet Explorer (lol). Thanks again!!!

oh, this is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:10:58 PM, on 7/1/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\U3VlIEZhcnJvdWto\command.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\outlook\outlook.exe
C:\dfndrb_3.exe
C:\Program Files\ipwins\ipwins.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Internet Explorer\Free AOL & Unlimited Internet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Sue Farroukh\My Documents\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [defender] C:\\dfndrb_3.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdb_3.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmb_3.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3VlIEZhcnJvdWto\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

BC AdBot (Login to Remove)

 


#2 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:12:37 AM

Posted 01 July 2006 - 12:06 PM

1. Download this file :

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

Note:
Do not mouseclick combofix's window while its running. That may cause it to stall
==================

Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
· Install ewido.
· Run the application
· Click on scanner
· Click Complete System Scan and the scan will begin.
· When the scan is finished, Set all items to delete
· Apply all actions
· look at the bottom of the screen and click the Save report button.
· Save the report to your C: Drive
This will take some time to run!
Boot to normal mode
Post that log and a new HiJack log
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 susie86

susie86
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:12:37 AM

Posted 02 July 2006 - 04:04 AM

Hi,

Thanks for your help - here are my first HJT log and my ComboFix log and underneath is my HJT log. Thanks again.


Combofix Log:

Start Time= Sun 07/02/2006 18:43:12.21
Running from: C:\Documents and Settings\Sue Farroukh\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WRNotifier
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{99430C4A-B165-4D52-80FD-4619F31797D6}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{99430C4A-B165-4D52-80FD-4619F31797D6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{99430C4A-B165-4D52-80FD-4619F31797D6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{99430C4A-B165-4D52-80FD-4619F31797D6}\InprocServer32]
@="C:\\WINDOWS\\system32\\arsmsext.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\SYSTEM32\iasecsvc.dll
C:\WINDOWS\SYSTEM32\wdapi.dll


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((((((((( Ssk's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\repairs303169590.dll
C:\Documents and Settings\Alia Farroukh\Local Settings\Temporary Internet Files\Ssk.log
C:\Documents and Settings\Sue Farroukh\Application Data\Sskdmns.dll
C:\Documents and Settings\Sue Farroukh\Application Data\Sskknwrd.dll
C:\Documents and Settings\Sue Farroukh\Application Data\Sskuknwrd.dll
C:\Documents and Settings\Sue Farroukh\Local Settings\Temporary Internet Files\Ssk.log
C:\Program Files\SurfSideKick 3\Ssk.exe
C:\Program Files\SurfSideKick 3\SskBho.dll
C:\Program Files\SurfSideKick 3\SskCore.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



18:42:07.77
((((((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\drsmartload1.exe
C:\drsmartload45q.exe
C:\drsmartload45s.exe
C:\drsmartload46q.exe
C:\drsmartload46s.exe
C:\drsmartload849q.exe
C:\drsmartload849s.exe
C:\Mendoza1.exe
C:\dfndrb_3.exe
C:\nwnmb_3.exe
C:\kybrdb_3.exe
C:\Documents and Settings\Alia Farroukh\Local Settings\Temporary Internet Files\Content.IE5\OPQJSXEJ\drsmartload45a[1].exe
C:\Documents and Settings\Alia Farroukh\Local Settings\Temporary Internet Files\Content.IE5\OPQJSXEJ\drsmartload849a[1].exe
C:\Documents and Settings\Alia Farroukh\Local Settings\Temporary Internet Files\Content.IE5\S5KV0DA5\drsmartload46a[1].exe
C:\Documents and Settings\Alia Farroukh\Local Settings\Temporary Internet Files\Content.IE5\S5KV0DA5\drsmartload[1].exe
C:\Documents and Settings\Alia Farroukh\Local Settings\Temporary Internet Files\Content.IE5\S5KV0DA5\Mendoza1[1].exe
C:\Documents and Settings\Sue Farroukh\Local Settings\Temporary Internet Files\Content.IE5\4ACXFURZ\drsmartload46a[1].exe
C:\Documents and Settings\Sue Farroukh\Local Settings\Temporary Internet Files\Content.IE5\501ZRAKF\drsmartload[1].exe
C:\Documents and Settings\Sue Farroukh\Local Settings\Temporary Internet Files\Content.IE5\501ZRAKF\dfndrb_3[1].exe
C:\Documents and Settings\Sue Farroukh\Local Settings\Temporary Internet Files\Content.IE5\I7E0S2F4\drsmartload45a[1].exe
C:\Documents and Settings\Sue Farroukh\Local Settings\Temporary Internet Files\Content.IE5\I7E0S2F4\drsmartload849a[1].exe
C:\Documents and Settings\Sue Farroukh\Local Settings\Temporary Internet Files\Content.IE5\U5502XR1\drsmartload[1].exe
C:\Documents and Settings\Sue Farroukh\Local Settings\Temporary Internet Files\Content.IE5\U5502XR1\nwnmb_3[1].exe
C:\Documents and Settings\Sue Farroukh\Local Settings\Temporary Internet Files\Content.IE5\U5502XR1\kybrdb_3[1].exe
C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\newname.dat
C:\WINDOWS\keyboard1.dat
C:\MTE3NDI6ODoxNg.exe
C:\warebundle.exe
C:\warebundle2.exe
C:\Documents and Settings\Alia Farroukh\Local Settings\Temporary Internet Files\Content.IE5\OPQJSXEJ\MTE3NDI6ODoxNg[1].exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\MTE3NDI6ODoxNg.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Program Files\network monitor
C:\Program Files\snowball wars
C:\Program Files\Common Files\misc001
C:\Program Files\Common Files\simtest
C:\Program Files\Common Files\svchostsys
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\WINDOWS\U3VlIEZhcnJvdWto


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-02 18:42:08 ( .D... ) "C:\Program Files\Common Files"
2006-07-02 18:38:02 93633 ( A.SH. ) "C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe"
2006-07-02 18:37:58 2 ( A.... ) "C:\WINDOWS\system32\wintsvcc.exe"
2006-07-02 18:37:54 81920 ( A.... ) "C:\WINDOWS\system32\explorer.dll"
2006-07-02 18:37:54 ( .D... ) "C:\Documents and Settings\Sue Farroukh\Application Data\??crosoft.NET"
2006-07-01 23:16:02 ( .D... ) "C:\Program Files\SpywareBlaster"
2006-07-01 22:34:34 ( .D... ) "C:\Program Files\ipwins"
2006-07-01 16:20:42 ( .D... ) "C:\Program Files\TClock"
2006-07-01 16:20:38 ( .D... ) "C:\Program Files\InetGet2"
2006-07-01 16:19:38 81920 ( A.... ) "C:\WINDOWS\system32\cmd.dll"
2006-07-01 16:19:38 ( .D... ) "C:\Program Files\??sembly"
2006-07-01 16:18:46 ( .D... ) "C:\Program Files\Common Files\ikwm"
2006-07-01 16:17:30 578560 ( A.... ) "C:\Installer.exe"
2006-07-01 16:17:02 30208 ( A.... ) "C:\SS1001.exe"
2006-07-01 16:16:48 14848 ( A.... ) "C:\stub_113_4_0_4_0.exe"
2006-07-01 08:18:46 216936 ( A.... ) "C:\Trelew.exe"
2006-07-01 08:17:48 ( .D... ) "C:\Program Files\ToolBar888"
2006-07-01 08:17:40 ( .D... ) "C:\Program Files\Windows"
2006-07-01 08:17:40 ( .D... ) "C:\Program Files\Common Files\InetGet"
2006-06-29 23:27:30 28672 ( A.... ) "C:\WINDOWS\system32\ssconfig.exe"
2006-06-29 23:27:28 180224 ( A.... ) "C:\WINDOWS\UninstallWSST.exe"
2006-06-29 23:23:34 ( .D... ) "C:\Program Files\Goalzone"
2006-06-29 23:23:28 796672 ( A.... ) "C:\WINDOWS\GPInstall.exe"
2006-06-29 23:02:20 ( .DSH. ) "C:\Program Files\outlook"
2006-06-29 19:29:32 20480 ( A.... ) "C:\WINDOWS\system32\H@tKeysH@@k.DLL"
2006-06-29 18:57:04 ( .D... ) "C:\Program Files\Eidos Interactive"
2006-06-29 18:56:36 ( .D... ) "C:\Program Files\directx"
2006-06-29 01:12:20 139264 ( A.... ) "C:\WINDOWS\system32\uxkppte.dll"
2006-06-29 01:07:20 139264 ( A.... ) "C:\WINDOWS\system32\uxm.dll"
2006-06-27 17:05:42 ( .D... ) "C:\Program Files\Electronic Arts"
2006-06-27 17:03:44 ( .D... ) "C:\Program Files\Maxis"
2006-06-18 22:14:48 ( .D... ) "C:\Program Files\Debugging Tools for Windows"
2006-06-18 21:50:52 ( .D... ) "C:\Program Files\SUPERAntiSpyware"
2006-06-18 21:50:52 ( .D... ) "C:\Program Files\Common Files\Wise Installation Wizard"
2006-06-18 21:50:52 ( .D... ) "C:\Documents and Settings\Sue Farroukh\Application Data\SUPERAntiSpyware.com"
2006-06-09 23:41:44 ( .D... ) "C:\Documents and Settings\Sue Farroukh\Application Data\ICQLite(2)"
2006-06-09 13:35:30 ( .D... ) "C:\Program Files\DivX"
2006-06-08 18:19:52 5967776 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2006-05-18 23:54:50 176128 ( A.... ) "C:\WINDOWS\system32\nun.dll"
2006-05-18 23:54:50 57856 ( A.... ) "C:\WINDOWS\system32\dcomcfg.exe"
2006-05-18 23:54:50 10160 ( A.... ) "C:\WINDOWS\system32\atmclk.exe"
2006-05-18 23:54:50 5328 ( A.... ) "C:\WINDOWS\system32\dxole32.exe"
2006-05-17 11:23:38 579888 ( A.... ) "C:\WINDOWS\system32\LegitCheckControl.DLL"
2006-05-15 23:09:36 ( .D... ) "C:\Program Files\LimeWire"
2006-05-15 00:03:22 ( .D... ) "C:\Program Files\K-litePro"
2006-05-09 23:03:48 ( .D... ) "C:\Program Files\Gluz"
2006-05-08 21:52:52 ( .D... ) "C:\Documents and Settings\Sue Farroukh\Application Data\Google"
2006-05-08 21:52:50 ( .D... ) "C:\Program Files\Google"
2006-05-08 21:27:52 ( .D... ) "C:\Program Files\NoAds"
2006-05-07 21:34:50 ( .D... ) "C:\Documents and Settings\Sue Farroukh\Application Data\SuperAdBlocker.com"
2006-05-07 21:34:42 ( .D... ) "C:\Program Files\SuperAdBlocker.com"
2006-05-07 21:20:28 ( .D... ) "C:\Program Files\Hijackthis"
2006-05-07 18:19:58 ( .D... ) "C:\Program Files\Webroot"
2006-05-05 21:14:42 ( .D... ) "C:\Program Files\SmartPopupBlocker"
2006-05-03 19:41:46 249856 ( ..... ) "C:\WINDOWS\Setup1.exe"
2006-05-03 19:41:46 73216 ( A.... ) "C:\WINDOWS\ST6UNST.EXE"
2006-05-03 09:03:26 ( .D... ) "C:\Documents and Settings\Sue Farroukh\Application Data\PC Tools"
2006-05-03 09:01:44 58781 ( A.... ) "C:\WINDOWS\b3p.exe"
2006-04-28 06:27:16 154624 ( ..SH. ) "C:\Program Files\Common Files\Yazzle1122OinAdmin.exe"
2006-04-06 10:54:38 73728 ( A.... ) "C:\WINDOWS\system32\asuninst.exe"
2006-03-12 11:09:40 860 ( A.... ) "C:\Program Files\INSTALL.LOG"


((((((((((((((((((((((((((((((((((((((((( Files Created - Last 30days ))))))))))))))))))))))))))))))))))))))))))))))


2006-07-02 18:37 81,920 C:\WINDOWS\system32\explorer.dll
2006-07-02 18:37 139,264 C:\WINDOWS\system32\uxkppte.dll
2006-07-01 16:19 81,920 C:\WINDOWS\system32\cmd.dll
2006-07-01 16:19 2 C:\WINDOWS\system32\wintsvcc.exe
2006-07-01 16:19 139,264 C:\WINDOWS\system32\uxm.dll
2006-07-01 16:18 127,574 C:\WINDOWS\system32\tsuninst.exe
2006-07-01 16:17 578,560 C:\Installer.exe
2006-07-01 16:17 30,208 C:\SS1001.exe
2006-07-01 16:16 14,848 C:\stub_113_4_0_4_0.exe
2006-07-01 08:18 216,936 C:\Trelew.exe
2006-06-29 23:29 295,952 C:\WINDOWS\SCRANTIC.SCR
2006-06-29 23:27 28,672 C:\WINDOWS\system32\ssconfig.exe
2006-06-29 23:27 180,224 C:\WINDOWS\UninstallWSST.exe
2006-06-29 23:23 796,672 C:\WINDOWS\GPInstall.exe
2006-06-27 22:35 20,480 C:\WINDOWS\system32\H@tKeysH@@k.DLL
2006-06-27 17:05 33,792 C:\WINDOWS\NPSExec.exe
2006-06-19 09:46 364,904,448 C:\pagefile.sys
2006-05-18 23:54 57,856 C:\WINDOWS\system32\dcomcfg.exe
2006-05-18 23:54 5,328 C:\WINDOWS\system32\dxole32.exe
2006-05-18 23:54 176,128 C:\WINDOWS\system32\nun.dll
2006-05-18 23:54 10,160 C:\WINDOWS\system32\atmclk.exe


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"outlook"="C:\\Program Files\\outlook\\outlook.exe /auto"
"winlog"="winlog.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"winlog"="winlog.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Sewd"="\"C:\\WINDOWS\\System32\\CROSOF~1.NET\\rundll32.exe\" -vt yazb"
"Loiok"="C:\\Documents and Settings\\Sue Farroukh\\Application Data\\??crosoft.NET\\l?ass.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"WinUpdate.exe"="C:\\Program Files\\Windows\\WinUpdate.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\WINDOWS\\System32\\ad.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{}"="AutoDisc Ware"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HotSync Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\HotSync Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\palmOne\\Hotsync.exe -logon"
"item"="HotSync Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ashDisp"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VM_STI"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\VM_STI.EXE VIMICRO USB PC Camera"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NEWDOT~2"
"hkey"="HKLM"
"command"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="swdoctor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SUPERAntiSpyware"
"hkey"="HKCU"
"command"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"inimapping"="0"



Contents of the 'Scheduled Tasks' folder

Completion time: Sun 07/02/2006 18:43:25.87
ComboFix ver 06.07.02 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-02.184312.txt


HJT Log (prior Ewido Scan)

Logfile of HijackThis v1.99.1
Scan saved at 6:57:58 PM, on 7/2/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\System32\CROSOF~1.NET\rundll32.exe
C:\Documents and Settings\Sue Farroukh\Application Data\??crosoft.NET\l?ass.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Outlook Express\msoe.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Sue Farroukh\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {7E0E9760-57D2-2159-F49C-76D5892EECCE} - C:\WINDOWS\System32\uxkppte.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [Sewd] "C:\WINDOWS\System32\CROSOF~1.NET\rundll32.exe" -vt yazb
O4 - HKCU\..\Run: [Loiok] C:\Documents and Settings\Sue Farroukh\Application Data\??crosoft.NET\l?ass.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#4 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:12:37 AM

Posted 02 July 2006 - 09:34 AM

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HJT – mark them, close IE, click fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {7E0E9760-57D2-2159-F49C-76D5892EECCE} - C:\WINDOWS\System32\uxkppte.dll

O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto

O4 - HKLM\..\Run: [winlog] winlog.exe

O4 - HKLM\..\RunServices: [winlog] winlog.exe

O4 - HKCU\..\Run: [Sewd] "C:\WINDOWS\System32\CROSOF~1.NET\rundll32.exe" -vt yazb

O4 - HKCU\..\Run: [Loiok] C:\Documents and Settings\Sue Farroukh\Application Data\??crosoft.NET\l?ass.exe

DownLoad http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\System32\uxkppte.dll
C:\Program Files\outlook
C:\WINDOWS\System32\winlog.exe
C:\WINDOWS\System32\CROSOF~1.NET
C:\Documents and Settings\Sue Farroukh\Application Data\??crosoft.NET
C:\WINDOWS\system32\explorer.dll
C:\WINDOWS\system32\uxkppte.dll
C:\WINDOWS\system32\cmd.dll
C:\WINDOWS\system32\wintsvcc.exe
C:\WINDOWS\system32\uxm.dll
C:\WINDOWS\system32\tsuninst.exe
C:\Installer.exe
C:\SS1001.exe
C:\stub_113_4_0_4_0.exe
C:\Trelew.exe


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#5 susie86

susie86
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:12:37 AM

Posted 02 July 2006 - 07:34 PM

Hi again,
umm...i think the Limewire problem was fixed before i installed Killbox, though i got that anyway and deleted the file path you told me to - a lot of them didnt exist, but a few did. My system seems to be running well now, and i think i've managed to get rid of my spyware problem.

This is my latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:29:12 AM, on 7/3/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Sue Farroukh\My Documents\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#6 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:12:37 AM

Posted 03 July 2006 - 08:51 AM

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HJT – mark them, close IE, click fix checked

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

O20 - AppInit_DLLs: repairs303169590.dll

DownLoad http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by DELETE ON REBOOT. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\System32\repairs303169590.dll

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users