Hijack Log DriveCleaner 2006


24 replies to this topic

#1 Dubbmeister

Dubbmeister

  • Members
  • 14 posts

Posted 19 April 2007 - 12:21 PM

Index % of PCs with item Code Data
1 0.0% O14 START_PAGE_URL=http://start.home.nl/
2 4.6% O2 AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
3 1.1% O2 ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
4 1.1% O2 EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
5 0.0% O2 MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\nl\msntb.dll
6 2.2% O22 Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\windows\System32\browseui.dll
7 2.2% O22 Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\windows\System32\browseui.dll
8 16.9% O23 Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
9 16.3% O23 InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
10 11.0% O23 ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
11 4.2% O23 LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
12 1.8% O23 Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
13 1.7% O23 Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
14 1.3% O23 McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
15 0.6% O23 Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
16 0.4% O23 PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
17 0.4% O23 PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
18 0.0% O23 Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
19 0.0% O23 Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
20 1.1% O3 EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
21 0.0% O3 MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\nl\msntb.dll
22 56.4% O4 [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
23 37.7% O4 [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
24 37.2% O4 [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
25 24.5% O4 [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
26 15.2% O4 [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
27 15.0% O4 [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
28 12.9% O4 [SoundMan] SOUNDMAN.EXE
29 5.4% O4 [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
30 3.9% O4 Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
31 3.8% O4 [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
32 2.1% O4 [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
33 2.1% O4 [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
34 1.7% O4 [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
35 1.5% O4 [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
36 1.0% O4 [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
37 0.9% O4 [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
38 0.9% O4 [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
39 0.8% O4 InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
40 0.8% O4 [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
41 0.5% O4 [ares] "C:\Program Files\Ares\Ares.exe" -h
42 0.4% O4 Adobe Gamma Loader.lnk = ?
43 0.1% O4 WG111v2 Smart Wizard Wireless Setting.lnk = ?
44 0.1% O4 [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
45 0.1% O4 [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
46 0.0% O4 [EPSON Stylus D68 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P23 "EPSON Stylus D68 Series" /O6 "USB001" /M "Stylus D68"
47 44.5% O9 Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
48 43.8% O9 Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
49 2.4% O9 (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
50 87.7% P01 C:\WINDOWS\Explorer.EXE
51 85.6% P01 C:\WINDOWS\system32\svchost.exe
52 85.6% P01 C:\WINDOWS\system32\lsass.exe
53 85.5% P01 C:\WINDOWS\system32\winlogon.exe
54 85.5% P01 C:\WINDOWS\system32\services.exe
55 85.4% P01 C:\WINDOWS\System32\smss.exe
56 82.2% P01 C:\WINDOWS\system32\spoolsv.exe
57 59.6% P01 C:\WINDOWS\system32\ctfmon.exe
58 21.0% P01 C:\WINDOWS\system32\Ati2evxx.exe
59 15.5% P01 C:\Program Files\MSN Messenger\MsnMsgr.Exe
60 12.3% P01 C:\Program Files\Mozilla Firefox\firefox.exe
61 12.1% P01 C:\WINDOWS\SOUNDMAN.EXE
62 5.5% P01 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
63 4.3% P01 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
64 3.5% P01 C:\Program Files\DAEMON Tools\daemon.exe
65 1.9% P01 C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
66 1.8% P01 C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
67 1.8% P01 C:\Program Files\Network Associates\VirusScan\Mcshield.exe
68 1.7% P01 C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
69 1.6% P01 C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
70 1.1% P01 C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
71 0.7% P01 C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
72 0.7% P01 C:\Program Files\Common Files\Teleca Shared\Generic.exe
73 0.7% P01 C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
74 0.6% P01 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
75 0.5% P01 C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
76 0.3% P01 C:\WINDOWS\system32\PnkBstrA.exe
77 0.1% P01 C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
78 0.1% P01 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE
79 0.1% P01 C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
80 0.0% P01 C:\Documents and Settings\Ralph\Bureaublad\HiJackThis_v2.exe
81 2.2% R0 HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
82 0.1% R1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
83 0.0% R1 HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home

Can someone tell me what's wrong here?


#2 Dubbmeister

Dubbmeister
  • Topic Starter

  • Members
  • 14 posts

Posted 19 April 2007 - 12:42 PM

Just did SmitFraudFix; here is the result:

SmitFraudFix v2.171

Scan done at 19:31:01,28, do 19-04-2007
Run from C:\Documents and Settings\Ralph\Bureaublad\SmitfraudFix
OS: Microsoft Windows XP [versie 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5889D01D-62CD-4259-916B-A9D89E771141}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5889D01D-62CD-4259-916B-A9D89E771141}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{5889D01D-62CD-4259-916B-A9D89E771141}: DhcpNameServer=192.168.1.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

#3 Dubbmeister

Dubbmeister
  • Topic Starter

  • Members
  • 14 posts

Posted 19 April 2007 - 12:44 PM

Can someone help me out? I don't have any DriveCleaner pop-ups yet, but I want to see if it's completely gone.

#4 Dubbmeister

Dubbmeister
  • Topic Starter

  • Members
  • 14 posts

Posted 20 April 2007 - 07:19 AM

And no reply so far... Can someone take a look?

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 21 April 2007 - 09:44 AM

Hi,

We surely want to help you, but for that you need to post the right logs.
You posted the HijackThis Analyze results log; we don't need that log. We need a HijackThis log.

So scan with HijackThis, click the Save log button below and paste it in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 Dubbmeister

Dubbmeister
  • Topic Starter

  • Members
  • 14 posts

Posted 22 April 2007 - 07:44 AM

Hi there, Belgian! Here's a log. I hope you can help me, because I still have those DriveCleaner 2006 pop-ups!

Logfile of HijackThis v1.99.1
Scan saved at 14:40:36, on 22-4-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Ralph\LOCALS~1\Temp\Rar$EX00.672\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\nl\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\nl\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [EPSON Stylus D68 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P23 "EPSON Stylus D68 Series" /O6 "USB001" /M "Stylus D68"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://start.home.nl/
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/b...bca9acc387e48ea
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 22 April 2007 - 09:54 AM

Hello,

First of all, you didn't unzip/extract HijackThis, and it's still in the temp folder.
So I strongly advise you to unzip/extract hijackthis.rar.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Create a permanent folder and move HijackThis.exe into it. The reason is that HijackThis creates backups, and when it's in your temp folder it can be accidentally deleted.
How do you make a permanent folder:

Click My Computer, then C:\ and then Program Files.
In the menu bar, choose File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

Then download ComboFix to your desktop.
Double-click combofix.exe.
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply.

#8 Dubbmeister

Dubbmeister
  • Topic Starter

  • Members
  • 14 posts

Posted 22 April 2007 - 12:05 PM

This is the log from ComboFix:

"Ralph" - 07-04-22 18:57:48 Service Pack 2
ComboFix 07-04-21.2V - Running from: C:\Program Files\Mozilla Firefox\


((((((((((((((((((((((((((((((( Files Created from 2007-03-22 to 2007-04-22 ))))))))))))))))))))))))))))))))))


2007-04-22 18:52 <DIR> d-------- C:\Program Files\HJT
2007-04-22 15:35 <DIR> dr-h----- C:\DOCUME~1\Ralph\Onlangs geopend
2007-04-21 10:57 <DIR> d-------- C:\DOCUME~1\Ralph\DoctorWeb
2007-04-21 10:45 <DIR> d-------- C:\Program Files\CCleaner
2007-04-21 10:37 <DIR> d-------- C:\WINDOWS\pss
2007-04-16 20:31 <DIR> d-------- C:\Program Files\RogueRemover
2007-04-16 18:28 <DIR> d-------- C:\VundoFix Backups
2007-04-14 09:20 <DIR> d-------- C:\!KillBox
2007-04-14 08:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-14 08:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-14 08:31 <DIR> d-------- C:\DOCUME~1\Ralph\APPLIC~1\Lavasoft
2007-04-06 18:13 1,168 --a------ C:\WINDOWS\mozver.dat
2007-04-06 17:58 0 --a------ C:\WINDOWS\nsreg.dat


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-21 11:33 -------- d-------- C:\Program Files\electronic arts
2007-04-19 19:53 -------- d-------- C:\Program Files\ares
2007-04-19 19:31 3510 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-10 20:01 -------- d-------- C:\DOCUME~1\Ralph\APPLIC~1\xfire
2007-04-10 19:11 99904 --a------ C:\WINDOWS\system32\pnkbstrb.exe
2007-04-10 19:11 22584 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-04-10 19:08 -------- d---s---- C:\Program Files\xfire
2007-03-25 19:53 69380 --a------ C:\WINDOWS\system32\perfc013.dat
2007-03-25 19:53 442004 --a------ C:\WINDOWS\system32\perfh013.dat
2007-03-18 16:48 -------- d-------- C:\Program Files\logs
2007-03-18 00:42 63040 --a------ C:\WINDOWS\system32\pnkbstra.exe
2007-03-17 15:45 293376 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 17:39 579072 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 17:39 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 17:39 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 17:37 1843712 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-05 22:20 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
{9394EDE7-C8B5-483E-8773-474BF36AF6E4} C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\nl\msntb.dll
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"EPSON Stylus D68 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAAE.EXE /P23 \"EPSON Stylus D68 Series\" /O6 \"USB001\" /M \"Stylus D68\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"MsgCenterExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\RealOneMessageCenter.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\tbmon.exe\""
@=""
"Sony Ericsson PC Suite"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Ahead\\NEROPH~2\\data\\Xtras\\mssysmgr.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ares"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{54a795e7-593b-11da-9fb6-00112fba43d3}]
Shell\AutoRun\command F:\Autorun.exe

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-22 19:00:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-22 19:00:31
C:\ComboFix-quarantined-files.txt ... 07-04-22 19:00

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 22 April 2007 - 12:37 PM

I don't see anything suspicious here though...
You said previously:

I don't have any DriveCleaner pop-ups yet, but I want to see if it's completely gone

So that should be gone. I see you already used Vundofix previously.

Delete next file:

C:\WINDOWS\system32\tmp.reg

and next folder:

C:\VundoFix Backups <== we don't need the backups present in here anyway.


Check and fix the next entry in HijackThis:

O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/b...bca9acc387e48ea

Let me know in your next reply how things are.
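An added triage helper (my own code, not HijackThis or anything posted in this thread) for the two points made in posts #5 and #9: telling the HijackThis Analyze export apart from a real HijackThis log, and flagging the entries a helper would act on (orphaned entries, the O16 DPF ActiveX download, autostarts without a full path). The sample lines are copied from the log above; DPF_TRUSTED_HOSTS is an assumed allow-list, not a HijackThis rule.

```python
"""Triage helper for HijackThis v1.99-style logs (example code for this thread)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# A real HijackThis entry: section code, " - ", body (e.g. "O16 - DPF: ...").
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# The analyzer export the first post used: "2 4.6% O2 AcroIEHlprObj Class - ...".
ANALYZER_RE = re.compile(r"^\d+ \d+(?:\.\d+)?% [RFNOP]\d{1,2} ")
# Markers HijackThis prints when the referenced file cannot be found.
ORPHAN_MARKERS = ("(no file)", "(file missing)", "= ?")
# Hosts from which an O16 DPF (ActiveX download) is expected on a home PC.
# Assumed allow-list for this example only.
DPF_TRUSTED_HOSTS = {"update.microsoft.com", "download.microsoft.com"}

# Constructed sample: a few lines in HijackThis log format, copied from the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/b...bca9acc387e48ea
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""


@dataclass
class Finding:
    code: str
    severity: str  # "fix", "review" or "info"
    reason: str
    line: str


def is_analyzer_export(text: str) -> bool:
    """True when most non-empty lines carry the analyzer's index/percent prefix."""
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines:
        return False
    hits = sum(1 for l in lines if ANALYZER_RE.match(l))
    return hits * 2 > len(lines)


def parse_entries(text: str):
    """Yield (code, body, raw line) for every HijackThis entry line; skip the rest."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body"), raw.strip()


def triage(text: str) -> list:
    """Group log entries into findings a helper would act on, in log order."""
    findings = []
    for code, body, raw in parse_entries(text):
        if any(marker in body for marker in ORPHAN_MARKERS):
            findings.append(Finding(code, "fix", "target file missing; entry is orphaned", raw))
            continue
        if code == "O16":
            # Body is "DPF: {CLSID} - URL"; the URL is where the ActiveX control came from.
            url = body.rsplit(" - ", 1)[-1]
            host = urlsplit(url).hostname or ""
            if host not in DPF_TRUSTED_HOSTS:
                findings.append(Finding(code, "fix", f"ActiveX download from untrusted host {host}", raw))
            continue
        if code == "O4":
            target = body.split(": ", 1)[-1]
            # Run-key entries look like "[Name] command"; startup-folder entries like "X.lnk = path".
            target = re.sub(r"^\[[^\]]*\]\s*", "", target)
            if " = " in target:
                target = target.split(" = ", 1)[1]
            target = target.strip('"')
            if not re.match(r"^[A-Za-z]:\\", target):
                findings.append(Finding(code, "review", "autostart without a full path; confirm the binary", raw))
            continue
        if code == "O23" and "Unknown owner" in body:
            findings.append(Finding(code, "info", "service has no vendor string; verify the file", raw))
        elif code == "R1" and "ProxyServer" in body:
            findings.append(Finding(code, "info", "proxy configured; confirm it is the ISP's", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.code:4} {f.reason}\n       {f.line}")
```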

#10 Dubbmeister

Dubbmeister
  • Topic Starter

  • Members
  • 14 posts

Posted 22 April 2007 - 12:55 PM

I can't remove

C:\WINDOWS\system32\tmp.reg

How do I do this?

And I have moved the other things.

The problem was that the pop-ups just came back, hence my question.

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 22 April 2007 - 01:30 PM

Not sure what you are trying to do here though. I don't see why you cannot remove tmp.reg, and I don't understand what you have been "moving".

Anyway, do the following:

Open HijackThis, click 'Config' (bottom right).
Choose the tab 'Misc Tools' on top.
Choose 'Delete a file on reboot'.
In the field, copy and paste the next line:

C:\WINDOWS\system32\tmp.reg

Click Open.
HijackThis will tell you that this file will be deleted on the next reboot and ask if you want to reboot now. Click Yes/OK.
Your system should reboot now.

Do you get that popup when you visit a certain site?

#12 Dubbmeister

Dubbmeister
  • Topic Starter

  • Members
  • 14 posts

Posted 23 April 2007 - 03:06 AM

Yes, exactly. I'm only getting this message when visiting my own site:

www.freewebs.com/lightspeed-rc

Tonight from work I will follow your instructions and post the results here.

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 23 April 2007 - 03:34 AM

Yes, that's what I thought: you get it when visiting a certain site. And it's indeed your site generating these pop-ups, since I get them as well. So there's nothing wrong with your computer; it's your site.
You use the www.freewebs.com domain for your site, which adds extra JavaScript.
I think it's mainly the Freewebs toolbar present there that is generating these pop-ups.

#14 Dubbmeister

Dubbmeister
  • Topic Starter

  • Members
  • 14 posts

Posted 23 April 2007 - 04:30 AM

OK, thanks for the help, and if I get faulty messages again I will post them here ASAP.

Greetings, Ralph

#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 23 April 2007 - 04:33 AM

Hi,

As long as you visit your own site, hosted by www.freewebs.com, you'll always get these pop-ups. There's nothing we can change about that, because this has nothing to do with your computer, but with the site.