Possible Spyware Quake Infection


This topic is locked
11 replies to this topic

#1 mkcrturner

mkcrturner

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:03:30 AM

Posted 12 July 2006 - 01:50 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:44:58 PM, on 7/12/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\atmclk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0162E8AA-E36D-1D0C-F70F-2EDC3C356E6F} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {0A3AB6D9-A304-3126-59E6-4BD67030EB47} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {10E53652-8F73-76F0-CE5C-270F239631E8} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {15DAAC93-F8D1-35BC-2B6D-48157AB55978} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {164BE485-E9B5-3C7C-1414-199F5952DC64} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {21114C77-0212-1D5C-7066-4D784F632C23} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {22F8BE38-E849-1088-B621-3343135C53B8} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {230D23DB-276F-6AE0-A793-361D6A2FD4E6} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {27CA6854-D634-2E98-5196-1F9C5A1E2E24} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {2816D354-1956-12D8-701B-060B6447415D} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {2857B0EC-A643-5D7A-F19B-56F24929D423} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {2C918228-2B3E-7C94-95DA-2101657EB81A} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {2CE3F91B-EFCF-61BD-9796-5277218630D7} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {2DE17DC5-0199-3A34-4011-273160B98FC8} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {30C1A8A7-17A1-0783-79CD-4C042850FA59} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {33883807-7D3C-5B63-D51F-5516218C1C2C} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {3470B214-816C-6862-E6D1-7AFC72FB73C9} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {379926F9-1184-760E-88DE-014D2A2F5F09} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {3E33E624-3B88-15A5-B63A-77082576050C} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {3E58EE44-4E9F-4833-DB4B-63F518F25AB4} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {3E8F55B2-0D88-3DC7-806C-06205CCBC0DD} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {4312FD46-D036-1671-D710-7966313829C5} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {43F32C16-359B-3E4D-3272-500821135711} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {47BAFC9C-8E6E-69BA-898B-17D524060BEB} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {48C4BB14-1EA8-7D93-D519-090B59B2334F} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {4C6C2038-CCA8-5A7F-6421-0EC7574CDD52} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {501740C6-F69C-53B1-E04F-2B422B2CB428} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {55522B4A-FD8A-5C14-9A36-0D3D733ACF35} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {56FE464D-0C9E-6AFC-040E-2DAE69175368} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {5C723BCF-671A-485A-11E9-4B0B6B71E578} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {61AF9530-E860-3BD1-2134-78431FC104A2} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {6293CE64-CBF6-2C69-C59C-0B2419068F47} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123652350140
O16 - DPF: {6823C57A-512A-765A-CBC7-2156077F241F} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {6CA8F1C3-D6E7-261C-04F2-795E6D230CE8} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {70D2C110-377B-0D4C-91F3-7A3F170B62EF} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {71582683-681B-07DC-022F-75955EE50408} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {75924230-B4EF-12F2-3F46-6E3E71058267} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {79CF99A8-E27A-5FED-08BB-2C27425BD916} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {7D837F67-9B9C-6558-8617-5F144A37FE4E} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {7E2806DB-F16C-45C8-E685-42904C7A39E2} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{374DA8C4-4124-41D3-93C1-5312602D853C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{374DA8C4-4124-41D3-93C1-5312602D853C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{374DA8C4-4124-41D3-93C1-5312602D853C}: NameServer = 192.168.1.1
O21 - SSODL: fairydom - {5839511e-ec1b-4f91-ace3-fb88e52f5239} - C:\WINNT\system32\jevtxpg.dll (file missing)
O21 - SSODL: coursings - {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - C:\WINNT\system32\yephk.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe


#2 agrarianmonk

agrarianmonk

  • Members
  • 522 posts
  • OFFLINE
  •  
  • Local time:01:30 AM

Posted 15 July 2006 - 10:55 PM

Hi,

Welcome to BleepingComputer. I will be more than happy to help you work on your problems.
Please give me some time to review your log as this can be a lengthy process. As soon as a BleepingComputer Staff Expert reviews my fix, I will post it for you.
In the meantime, if any problems occur, please let me know.
Please only use this topic to reply to. Do not start another thread.
The fixes we will use are specific to your problems and should only be used for this issue on this machine.
If you’re unsure of anything at all please stop and ask!
agrarianmonk


Requests for help via PM will be ignored. Please post on the forums instead :)
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 agrarianmonk

agrarianmonk

  • Members
  • 522 posts
  • OFFLINE
  •  
  • Local time:01:30 AM

Posted 16 July 2006 - 10:18 PM

The following is optional; however, any time you are running any type of P2P application, you are FAR more prone to infection by malware. Your current infections are likely due to P2P use. At the VERY LEAST, please refrain from using any P2P programs while we are cleaning your computer:

Please remove these entries from Add or Remove Programs in the Control Panel(if present):

BitTorrent

Please note any other programs that you don't recognize in that list in your next response.

(an easy way to get to Add or Remove programs is to go to start-->run and type appwiz.cpl)

***************************************

Please print out or copy these instructions/tutorial to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

***************************************

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below (if present).

O16 - DPF: {0162E8AA-E36D-1D0C-F70F-2EDC3C356E6F} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {0A3AB6D9-A304-3126-59E6-4BD67030EB47} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {10E53652-8F73-76F0-CE5C-270F239631E8} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {15DAAC93-F8D1-35BC-2B6D-48157AB55978} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {164BE485-E9B5-3C7C-1414-199F5952DC64} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {21114C77-0212-1D5C-7066-4D784F632C23} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {22F8BE38-E849-1088-B621-3343135C53B8} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {230D23DB-276F-6AE0-A793-361D6A2FD4E6} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {27CA6854-D634-2E98-5196-1F9C5A1E2E24} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {2816D354-1956-12D8-701B-060B6447415D} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {2857B0EC-A643-5D7A-F19B-56F24929D423} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {2C918228-2B3E-7C94-95DA-2101657EB81A} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {2CE3F91B-EFCF-61BD-9796-5277218630D7} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {2DE17DC5-0199-3A34-4011-273160B98FC8} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {30C1A8A7-17A1-0783-79CD-4C042850FA59} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {33883807-7D3C-5B63-D51F-5516218C1C2C} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {3470B214-816C-6862-E6D1-7AFC72FB73C9} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {379926F9-1184-760E-88DE-014D2A2F5F09} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {3E33E624-3B88-15A5-B63A-77082576050C} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {3E58EE44-4E9F-4833-DB4B-63F518F25AB4} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {3E8F55B2-0D88-3DC7-806C-06205CCBC0DD} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {4312FD46-D036-1671-D710-7966313829C5} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {43F32C16-359B-3E4D-3272-500821135711} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {47BAFC9C-8E6E-69BA-898B-17D524060BEB} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {48C4BB14-1EA8-7D93-D519-090B59B2334F} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {4C6C2038-CCA8-5A7F-6421-0EC7574CDD52} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {501740C6-F69C-53B1-E04F-2B422B2CB428} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {55522B4A-FD8A-5C14-9A36-0D3D733ACF35} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {56FE464D-0C9E-6AFC-040E-2DAE69175368} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {5C723BCF-671A-485A-11E9-4B0B6B71E578} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {61AF9530-E860-3BD1-2134-78431FC104A2} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {6293CE64-CBF6-2C69-C59C-0B2419068F47} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {6823C57A-512A-765A-CBC7-2156077F241F} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {6CA8F1C3-D6E7-261C-04F2-795E6D230CE8} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {70D2C110-377B-0D4C-91F3-7A3F170B62EF} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {71582683-681B-07DC-022F-75955EE50408} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {75924230-B4EF-12F2-3F46-6E3E71058267} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {79CF99A8-E27A-5FED-08BB-2C27425BD916} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {7D837F67-9B9C-6558-8617-5F144A37FE4E} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {7E2806DB-F16C-45C8-E685-42904C7A39E2} - http://85.255.113.214/1/gdnUS2218.exe
O21 - SSODL: fairydom - {5839511e-ec1b-4f91-ace3-fb88e52f5239} - C:\WINNT\system32\jevtxpg.dll (file missing)
O21 - SSODL: coursings - {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - C:\WINNT\system32\yephk.dll

Now close all windows other than HijackThis, then click Fix Checked and close HijackThis.

***************************************

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hitting Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hitting Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

***************************************

After reboot,

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
In your next post, please include
  • smitfraudfix log
  • panda log
  • new hijackthis log
Also let me know how your computer is running at the moment and if any problems persist.
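
As an added example (not code from this thread, from HijackThis or from SmitfraudFix), the Python below re-derives the kind of selection made in the post above by parsing the O16 and O21 lines of a HijackThis v1.99 log. The heuristics are this example's assumptions (an O16 DPF entry with no friendly name that fetches an .exe from an IP-literal host, many CLSIDs sharing one download URL, and any O21 SSODL autostart entry), and the sample log lines are constructed from the log posted earlier in the thread.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not the tool's own code).

It flags the same classes of entry the helper picked out above:
  * O16 DPF entries (ActiveX downloads) with no friendly name that pull an .exe
    from an IP-literal host, especially when many CLSIDs share one URL;
  * O21 SSODL (ShellServiceObjectDelayLoad) entries, an autostart location that
    legitimate software rarely adds, noting when the DLL is already missing.
The heuristics are assumptions made for this example, not HijackThis rules.
"""
import re
from collections import Counter
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: a few lines in HijackThis format, copied from the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {0162E8AA-E36D-1D0C-F70F-2EDC3C356E6F} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O21 - SSODL: fairydom - {5839511e-ec1b-4f91-ace3-fb88e52f5239} - C:\WINNT\system32\jevtxpg.dll (file missing)
O21 - SSODL: coursings - {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - C:\WINNT\system32\yephk.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""

# "O16 - DPF: {CLSID} (Friendly Name) - URL"; the friendly name is optional.
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)\s*$"
)
# "O21 - SSODL: name - {CLSID} - path [(file missing)]"
O21_RE = re.compile(
    r"^O21 - SSODL: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?\s*$"
)


def is_ip_literal(host):
    """True when the URL host is a bare IP address rather than a hostname."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def parse_o16(line):
    """Return a dict for an O16 DPF line, or None if the line is not one."""
    m = O16_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["host"] = urlparse(entry["url"]).hostname or ""
    return entry


def parse_o21(line):
    """Return a dict for an O21 SSODL line, or None if the line is not one."""
    m = O21_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["missing"] = entry["missing"] is not None
    return entry


def triage(log_text):
    """Return (line, reason) pairs for entries worth checking in HijackThis."""
    lines = log_text.splitlines()
    o16_entries = [parse_o16(ln) for ln in lines]
    # How many distinct CLSIDs point at the same download URL? In the log
    # above, roughly forty CLSIDs share one URL, which is itself a signal.
    url_counts = Counter(e["url"] for e in o16_entries if e)

    findings = []
    for line, dpf in zip(lines, o16_entries):
        if dpf:
            reasons = []
            if not dpf["name"]:
                reasons.append("no friendly name")
            if is_ip_literal(dpf["host"]):
                reasons.append("IP-literal host")
            if dpf["url"].lower().endswith(".exe"):
                reasons.append("downloads an .exe rather than a .cab")
            if url_counts[dpf["url"]] > 1:
                reasons.append("%d CLSIDs share this URL" % url_counts[dpf["url"]])
            # Require two signals so a legitimately unnamed .cab is not flagged.
            if len(reasons) >= 2:
                findings.append((line, "; ".join(reasons)))
            continue
        ssodl = parse_o21(line)
        if ssodl:
            reason = "SSODL autostart entry"
            if ssodl["missing"]:
                reason += " (dangling: DLL already missing)"
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print("%-40s  %s" % (reason, line))
```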

#4 mkcrturner

  • Topic Starter

Posted 26 July 2006 - 02:42 PM

Thanks for the reply agrarianmonk, I will get to work on the fix today. I have been AFK for a bit due to the passing of my dad.
I'll post all the info I have after I work on the list you gave me.

#5 agrarianmonk

agrarianmonk

  • Members
  • 522 posts
  • OFFLINE
  •  
  • Local time:01:30 AM

Posted 26 July 2006 - 03:14 PM

I'm very sorry for your loss. Please take as much time as you need. I'll be here waiting when you have time to work on fixing your computer.

#6 mkcrturner

  • Topic Starter

Posted 26 July 2006 - 05:01 PM

Here goes, I have no idea what he has done in the meantime. I HOPE staying off P2P. Computer still has random pop ups, not nearly as bad as it was before. Thanks for any help.

smitfraudfix log:
SmitFraudFix v2.75b

Scan done at 16:02:49.40, Wed 07/26/2006
Run from C:\Documents and Settings\Mark Turner\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


panda log:
Incident Status Location

Potentially unwanted tool:Application/Zango Not disinfected c:\program files\zango\zango.exe
Potentially unwanted tool:Application/Zango Not disinfected c:\program files\zango\zangohook.dll
Potentially unwanted tool:application/zango Not disinfected c:\winnt\downloaded program files\ClientAX.dll
Adware:adware/azesearch Not disinfected c:\winnt\system32\azebar.xml
Adware:adware program Not disinfected c:\winnt\system32\d3fk32.exe
Adware:adware/searchaid Not disinfected c:\winnt\system32\sdkam32.exe
Adware:adware/powersearch Not disinfected c:\winnt\system32\stlb2.xml
Adware:adware/ieplugin Not disinfected c:\winnt\kwv2.dat
Spyware:spyware/new.net Not disinfected c:\winnt\NDNuninstall6_98.exe
Adware:adware/savenow Not disinfected Windows Registry
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/elitebar Not disinfected Windows Registry
Adware:adware/ncase Not disinfected Windows Registry
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Default User\Cookies\system@c.goclick[2].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Default User\Cookies\system@kount[1].txt
Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\Default User\Cookies\system@mysearch[1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Default User\Cookies\system@webpower[2].txt
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\4NI1QXGT\installs[1].htm
Adware:Adware/EliteBar Not disinfected C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\4NI1QXGT\v2cab[1].cab[v2.dll]
Spyware:Spyware/Bridge Not disinfected C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\8LYBCDQR\CAYF45IN.htm
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GVTGFYCH\ctxad-202[1].0000[NDrv.dll]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Mark Turner\Application Data\Mozilla\Firefox\Profiles\wtg96kea.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Mark Turner\Application Data\Mozilla\Firefox\Profiles\wtg96kea.default\cookies.txt[.c5.zedo.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Mark Turner\Application Data\Mozilla\Firefox\Profiles\wtg96kea.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Outster Not disinfected C:\Documents and Settings\Mark Turner\Application Data\Mozilla\Firefox\Profiles\wtg96kea.default\cookies.txt[.outster.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Mark Turner\Application Data\Mozilla\Firefox\Profiles\wtg96kea.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Mark Turner\Application Data\Mozilla\Firefox\Profiles\wtg96kea.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Mark Turner\Application Data\Mozilla\Firefox\Profiles\wtg96kea.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Mark Turner\Application Data\Mozilla\Firefox\Profiles\wtg96kea.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Mark Turner\Application Data\Mozilla\Firefox\Profiles\wtg96kea.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Mark Turner\Cookies\mark turner@2o7[2].txt
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Mark Turner\Cookies\mark turner@counter.hitslink[2].txt
Spyware:Cookie/Malwarewipe Not disinfected C:\Documents and Settings\Mark Turner\Cookies\mark turner@malwarewipe[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Mark Turner\Cookies\mark turner@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Mark Turner\Cookies\mark turner@perf.overture[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Mark Turner\Cookies\mark turner@statcounter[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Mark Turner\Cookies\mark turner@statse.webtrendslive[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Mark Turner\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Mark Turner\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Zango Not disinfected C:\Program Files\Mozilla Firefox\plugins\npclntax.dll
Spyware:Cookie/Advertising Not disinfected C:\RECYCLER\NPROTECT\00801979.TXT
Spyware:Cookie/Advertising Not disinfected C:\RECYCLER\NPROTECT\00801980.TXT
Spyware:Cookie/Advertising Not disinfected C:\RECYCLER\NPROTECT\00801981.TXT
Spyware:Cookie/FastClick Not disinfected C:\RECYCLER\NPROTECT\00802165.TXT
Spyware:Cookie/FastClick Not disinfected C:\RECYCLER\NPROTECT\00802166.TXT
Spyware:Cookie/SpyLog Not disinfected C:\RECYCLER\NPROTECT\00802377.TXT
Spyware:Cookie/HotLog Not disinfected C:\RECYCLER\NPROTECT\00802378.TXT
Spyware:Cookie/SpyLog Not disinfected C:\RECYCLER\NPROTECT\00802388.TXT
Spyware:Cookie/HotLog Not disinfected C:\RECYCLER\NPROTECT\00802389.TXT
Spyware:Cookie/WUpd Not disinfected C:\RECYCLER\NPROTECT\00802649.TXT
Spyware:Cookie/WUpd Not disinfected C:\RECYCLER\NPROTECT\00802659.TXT
Spyware:Cookie/TargetSaver Not disinfected C:\RECYCLER\NPROTECT\00802711.TXT



new hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 5:54:47 PM, on 7/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\program files\zango\zango.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E3D67F587D40293CCE - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123652350140
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{374DA8C4-4124-41D3-93C1-5312602D853C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{374DA8C4-4124-41D3-93C1-5312602D853C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{374DA8C4-4124-41D3-93C1-5312602D853C}: NameServer = 192.168.1.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#7 agrarianmonk

agrarianmonk

  • Members
  • 522 posts
  • OFFLINE
  • Local time:01:30 AM

Posted 26 July 2006 - 05:07 PM

Open HijackThis, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
agrarianmonk


Requests for help via PM will be ignored. Please post on the forums instead :)
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#8 mkcrturner

mkcrturner
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:30 AM

Posted 26 July 2006 - 06:21 PM

3ds max 6
3ds max 6 Architectural Materials
3ds max 6 Reference Files
3ds max 6 Sample Files
Ad-Aware SE Personal
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop 7.0
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0
AKAI professional PitchRight v1.01-OxYGeN
Antares Autotune DX v4.12
Antares Microphone Modeler DX v1.32
Antares Tube v1.0
AutoCAD 2004
AutoCAD Express Tools Volumes 1-9
Autodesk Architectural Desktop 2004
Autodesk Express Viewer
Autodesk Revit 6.1
avast! Antivirus
Baldur's Gate™ II - Shadows of Amn™
Band-in-a-Box 2005
BearShare
Bluebeam Pushbutton Plus for AutoCAD v3.5.2
character studio 4.2
CloneCD
Cool Edit Pro 2.0
Cucusoft MPEG/AVI to DVD/VCD/SVCD/MPEG Converter Pro 5.07
CueClub
CyberScrub Professional 3.5
DivX
DivX ;-) Audio Compressor 4.02
DivX Converter
DivX Player
DivX Web Player
DSound Stomp`n FX Vol.1 v1.5
DSound Stomp'n FX Vol.2 v1.0
DVD Shrink 3.2
DVD Solution
DVD43 v3.8.0
EnterNet 300
GEAR Software Drivers
HijackThis 1.99.1
IK Multimedia Amplitube v1.3
InCD
iTunes
iZotope Ozone DX Plugin v1.0.0.6
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Lexicon PSP 42 VST DX v1.0
Literauto Buddy 2.40
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Shockwave Player
MAGIX Media Manager silver
MAGIX mp3 maker 2004 diamond
McAfee SecurityCenter
McAfee SpamKiller
MGI VideoWave 4
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office 2000 Professional
Microsoft VGX Q833989
Microsoft Windows Journal Viewer
Mozilla Firefox (1.0)
Multimedia Launcher
Native Instruments Guitar Rig v1.0.0.2
Nero OEM
Nomad Factory Blue Tubes Bundle v2.0
Nomad Factory Liquid Bundle VST v1.6
Nomad Factory Rock Amp Legends VST v1.0
NVIDIA Display Driver
NVIDIA Drivers
Panda ActiveScan
PCI Audio Driver
PG Music DirectX Plugins 1.3.3.1
PowerDVD
PowerProducer
PrimoPDF
PSP 84 v1.0
QuickTime
RealPlayer
ReValver
SafeCast Shared Components
Security Update for Windows 2000 (KB904706)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
SketchUp 4.0
SpinAudio 3DDelays 1.0
Spy Sweeper
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Steinberg Nuendo
Steinberg Nuendo v2.2.0.33
Steinberg VoiceMachine v1.0
TC.Works.Native.Bundle.v3.0.VST.WinAll-cRime
Timeworks ReverbX
Tonka Search and Rescue
Toy Story 2 Activity Center
Update Rollup 1 for Windows 2000 SP4
Virgin Digital Player
Warp VST V1.0
Waves C4 Multiband Parametric Processor
Waves Diamond Bundle 4.05
Window Washer 5
Windows 2000 Hotfix - KB834707
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB867282
Windows 2000 Hotfix - KB887797
Windows 2000 Hotfix - KB889293
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB890923
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB894320
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB896727
Windows 2000 Hotfix - KB897715
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899588
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB902400
Windows 2000 Hotfix - KB904368
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB908519
Windows 2000 Hotfix - KB908523
Windows 2000 Hotfix - KB908531
Windows 2000 Hotfix - KB911280
Windows 2000 Hotfix - KB911567
Windows 2000 Hotfix - KB912812
Windows 2000 Hotfix - KB912919
Windows 2000 Hotfix - KB913580
Windows 2000 Hotfix - KB914388
Windows 2000 Hotfix - KB914389
Windows 2000 Hotfix - KB916281
Windows 2000 Hotfix - KB917159
Windows 2000 Hotfix - KB917537
Windows 2000 Hotfix - KB917736
Windows 2000 Hotfix - KB917953
Windows 2000 Hotfix (SP5) Q818043
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Hotfix [See KB837272 for more information]
Windows Media Player Hotfix [See Q828026 for more information]
Windows Media Player system update (9 Series)
WinRAR archiver
WinZip
X-Wing Alliance (RAZOR 1911)
Yahoo! Address AutoComplete
Yahoo! Anti-Spy
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
Yahoo! Toolbar with Pop-Up Blocker
Zango Search Assistant
ZoneAlarm

#9 agrarianmonk

agrarianmonk

  • Members
  • 522 posts
  • OFFLINE
  • Local time:01:30 AM

Posted 26 July 2006 - 06:31 PM

Please remove these entries from Add or Remove Programs in the Control Panel (if present):

SafeCast Shared Components
Zango Search Assistant
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6

The following are optional; however, any time you are running any type of P2P application, you are FAR more prone to infection by malware. Your current infections are likely due to P2P use. At the VERY LEAST, please refrain from using any P2P programs while we are cleaning your computer.

BearShare

(A list compiled by Nexus7 of clean and infected P2P programs can be found here.)

Please note any other programs that you don't recognize in that list in your next response.

(an easy way to get to Add or Remove programs is to go to start-->run and type appwiz.cpl)

***************************************

Please re-open HiJackThis and select Scan. Check the boxes next to all the entries listed below (if present).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E3D67F587D40293CCE - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"

Now close all windows other than HijackThis, then click Fix Checked. Then close HijackThis.

***************************************

Next, we need to Reveal Hidden Files

1. Click Start.
2. Open My Computer.
3. Select Tools menu
4. Click Folder Options.
5. Select the View Tab.
6. Select Show hidden files and folders in the Hidden files and folders section.
7. Uncheck Hide protected operating system files (recommended) option.
8. Uncheck the Hide file extensions for known file types option.
9. Click Yes.
10. Click OK.

***************************************

Using Windows Explorer/My Computer, please delete the following files/folders if still present:

c:\program files\zango\ << folder
c:\winnt\downloaded program files\ClientAX.dll << file
c:\winnt\system32\azebar.xml << file
c:\winnt\system32\d3fk32.exe << file
c:\winnt\system32\sdkam32.exe << file
c:\winnt\system32\stlb2.xml << file
c:\winnt\kwv2.dat << file
c:\winnt\NDNuninstall6_98.exe << file
C:\Program Files\Mozilla Firefox\plugins\npclntax.dll << file

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Reboot.


Download and install the newest version from here.

Then, post a new HijackThis log; also let me know how your PC is behaving.
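The triage above is done by eye: the helper scans the log for the adware autorun and BHO, notes the orphaned "(file missing)" entries, and checks that the O17 name servers still point at the home router. As an added example (not part of the original thread, and not how HijackThis itself works), the same checks can be written out explicitly. SAMPLE_LOG is constructed from entries quoted in this thread plus one invented O17 line using 8.8.8.8 so the DNS check has something to flag; ADWARE_TOKENS is an illustrative denylist, and the trusted-directory prefixes assume the Windows 2000 default of C:\WINNT.

```python
"""Triage a HijackThis 1.99 log with a few explicit heuristics.

Added example for this thread; the heuristics are the editor's own, not part
of HijackThis or of the helper's instructions.  SAMPLE_LOG is constructed from
entries quoted in the thread plus one invented O17 line (8.8.8.8) so that the
DNS check has something to flag.
"""
import re
import ipaddress
from collections import Counter
from typing import List, Optional, Tuple

SAMPLE_LOG = r"""
O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E3D67F587D40293CCE - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{374DA8C4-4124-41D3-93C1-5312602D853C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{374DA8C4-4124-41D3-93C1-5312602D853C}: NameServer = 8.8.8.8
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
"""

# Illustrative denylist of adware vendors; a real list would be far longer.
ADWARE_TOKENS = ("zango", "180solutions", "hotbar")

# Directories legitimate autoruns normally start from on this Windows 2000 box
# (assumption: %windir% is C:\WINNT).  HijackThis prints 8.3 short names such
# as PROGRA~1 verbatim, so normalize() maps the common one back first.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\winnt\\system32\\", "c:\\winnt\\")

# First absolute path up to a well-known executable/library extension; this
# tolerates spaces in unquoted paths and rundll32's "path.dll,EntryPoint" form.
DRIVE_PATH = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|cpl|ocx|scr)\b", re.I)
NAMESERVER = re.compile(r"NameServer = ([\d.]+(?:,[\d.]+)*)")

Finding = Tuple[str, str, str]  # (severity, reason, offending log line)


def normalize(path: str) -> str:
    return path.lower().replace("progra~1", "program files")


def first_path(text: str) -> Optional[str]:
    m = DRIVE_PATH.search(text)
    return m.group(0) if m else None


def triage_line(line: str) -> List[Tuple[str, str]]:
    """Return (severity, reason) pairs for one log line; [] means nothing noted."""
    out: List[Tuple[str, str]] = []
    section = line.split(" - ", 1)[0]
    low = line.lower()

    # 1. Known adware component anywhere in the entry (O2 BHO, O4 Run, O23 service...).
    if any(tok in low for tok in ADWARE_TOKENS):
        out.append(("high", "known adware component"))

    # 2. Registry still points at a file that is gone: harmless, but worth removing.
    if "(file missing)" in low:
        out.append(("info", "orphaned entry, target file missing"))

    # 3. O17: a DNS server outside RFC 1918 / loopback space on a home LAN is a
    #    classic hijack indicator; the router at 192.168.1.1 passes this check.
    if section == "O17":
        m = NAMESERVER.search(line)
        if m:
            for ip in m.group(1).split(","):
                try:
                    addr = ipaddress.ip_address(ip)
                except ValueError:
                    out.append(("high", f"unparseable NameServer {ip!r}"))
                    continue
                if not (addr.is_private or addr.is_loopback):
                    out.append(("medium", f"DNS server {ip} is not on the local network"))

    # 4. O4 autoruns: where does the executable actually live?
    if section == "O4":
        path = first_path(line)
        if path is None:
            out.append(("low", "autorun has no absolute path (resolved via PATH search)"))
        elif not normalize(path).startswith(TRUSTED_PREFIXES):
            out.append(("medium", f"autorun from unusual location {path}"))
    return out


def triage_log(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for severity, reason in triage_line(line):
            findings.append((severity, reason, line))
    return findings


def severity_counts(findings: List[Finding]) -> dict:
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    for sev, reason, line in sorted(triage_log(SAMPLE_LOG)):
        print(f"[{sev:6}] {reason}\n         {line}")
```

Run against SAMPLE_LOG this reports the two Zango entries as high, the invented 8.8.8.8 resolver as medium, the PATH-resolved mobsync.exe autorun as low, and the two "(file missing)" entries as informational; the avast!, Java and NVIDIA entries produce nothing, matching what the helper left alone.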

#10 mkcrturner

mkcrturner
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:30 AM

Posted 26 July 2006 - 08:09 PM

I recognize all programs in the Add/Remove Programs list.
Computer running much better; here is my new HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 9:06:18 PM, on 7/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\msiexec.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123652350140
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{374DA8C4-4124-41D3-93C1-5312602D853C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{374DA8C4-4124-41D3-93C1-5312602D853C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{374DA8C4-4124-41D3-93C1-5312602D853C}: NameServer = 192.168.1.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#11 agrarianmonk

agrarianmonk

  • Members
  • 522 posts
  • OFFLINE
  • Local time:01:30 AM

Posted 26 July 2006 - 08:12 PM

Congratulations, your log looks clean! Are you having any other problems?

If not, we have just a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
It's also a good idea to Flush your System Restore points after ridding yourself of malware:
  • Click Start | Help and Support | Undo changes to your computer with System Restore.
  • Click Create A Restore Point then click Next. Give it a name it and then click Create, then Close.
  • Close the Help and Support Center box.
  • Click Start | Run and type Cleanmgr
  • Select (C: ) then click OK.
  • Click the More Options tab.
  • Click Clean Up in the System Restore Section.
This will remove all previous restore points except the newly created one.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
To keep your operating system up to date, visit monthly. And to keep your system clean, run these free malware scanners weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!


(Please respond to this thread one more time so we can mark this thread as resolved.)

#12 agrarianmonk

agrarianmonk

  • Members
  • 522 posts
  • OFFLINE
  • Local time:01:30 AM

Posted 07 August 2006 - 04:17 AM

Since this issue appears to be resolved ... this Topic has been closed.

If you are the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
