Hello.... This is the rapport.txt after I have run the SmitfraudFix.cmd. Even though now my IE doesn't have its default site set to www.topsecurity.net, sometimes there are pop-ups. Please help me. I know that my PC is still infected by malicious software. Thanks.
---------------------------------------------------------------------
SmitFraudFix v2.61
Scan done at 5:45:55.15, 06/17/2006 Sat
Run from C:\Documents and Settings\Allan Cheong\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\1024\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Allan Cheong\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ALLANC~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{a2cd90b5-e5a2-4aac-a504-c964a6d499df}"="distractible"
[HKEY_CLASSES_ROOT\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]
@="C:\WINDOWS\system32\yvvdj.dll"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]
@="C:\WINDOWS\system32\yvvdj.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Hi allancth:
Download a copy of HijackThis from Major Geeks: http://majorgeeks.com/HijackThis_d3155.html
Download CCleaner to your desktop from: http://www.ccleaner.com/ccdownload.asp this may be needed. Don't run yet or without instructions.
Also Killbox to your desktop from www.bleepingcomputer.com/files/killbox.php this also may be needed: Don't run yet or without instructions.
Unzip to its folder and not a temporary file or you won't be able to use any backups created.
Run HijackThis, scan and save file:
Copy the report and post back here so the pros can see what's going on.
Xeres
Hi. Thanks for replying. This is the HijackThis report.
-------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 2:34:02 PM, on 6/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QUT VPN Client\cvpnd.exe
C:\temp\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Fоnts\spool32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Allan Cheong\Desktop\HijackThis_v1.99.1.exe
R3 - URLSearchHook: (no name) - {300D3ED8-FB36-A9BD-4ABD-A9BFDF8AD2C4} - C:\WINDOWS\system32\svy.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: MySearch Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MySearch\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ProgramFiles\AcrobatReader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {300D3ED8-FB36-A9BD-4ABD-A9BFDF8AD2C4} - C:\WINDOWS\system32\svy.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKCU\..\Run: [foxy] "D:\ProgramFiles\Foxy\Foxy.exe" -tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "D:\ProgramFiles\AcrobatReader\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\system32\F§ànts\spool32.exe" -vt ndrv
O4 - HKCU\..\Run: [Cgve] C:\Documents and Settings\Allan Cheong\My Documents\F§ànts\l§àgonui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Developer\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Developer\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.0.0971.28/WinSSWebAgent.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DDB144A-7E61-4B78-8BA3-D67CF733D049}: NameServer = 203.12.160.35,203.12.160.36
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineil32 - wineil32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\QUT VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\temp\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\temp\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - D:\Developer\MySQL\MySQL.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel? Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
I did a scan and remove with CCleaner.exe and EClea2_0.exe. On top of that, previously I noticed that dcomcfg.exe and atmclk.exe suddenly appeared in the running processes. So, I entered safe mode and deleted these files manually. I hope this doesn't ruin the process of cleaning my PC. Below is the newest rapport.txt and Hijackthis report. I will not do anything with my PC until I get further instructions. Please help. Thanks.
---------------------------------------------------------------------
SmitFraudFix v2.61
Scan done at 15:08:16.25, 06/17/2006 Sat
Run from C:\Documents and Settings\Allan Cheong\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Allan Cheong\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ALLANC~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{a2cd90b5-e5a2-4aac-a504-c964a6d499df}"="distractible"
[HKEY_CLASSES_ROOT\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]
@="C:\WINDOWS\system32\yvvdj.dll"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]
@="C:\WINDOWS\system32\yvvdj.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
---------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 3:12:57 PM, on 6/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\temp\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Fоnts\spool32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Temp\ewido anti-malware\SecuritySuite.exe
C:\WINDOWS\regedit.exe
C:\temp\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Documents and Settings\Allan Cheong\Desktop\HijackThis_v1.99.1.exe
R3 - URLSearchHook: (no name) - {300D3ED8-FB36-A9BD-4ABD-A9BFDF8AD2C4} - C:\WINDOWS\system32\svy.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: MySearch Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MySearch\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ProgramFiles\AcrobatReader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {300D3ED8-FB36-A9BD-4ABD-A9BFDF8AD2C4} - C:\WINDOWS\system32\svy.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKCU\..\Run: [foxy] "D:\ProgramFiles\Foxy\Foxy.exe" -tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "D:\ProgramFiles\AcrobatReader\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\system32\F§ànts\spool32.exe" -vt ndrv
O4 - HKCU\..\Run: [Cgve] C:\Documents and Settings\Allan Cheong\My Documents\F§ànts\l§àgonui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Developer\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Developer\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.0.0971.28/WinSSWebAgent.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DDB144A-7E61-4B78-8BA3-D67CF733D049}: NameServer = 203.12.160.35,203.12.160.36
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineil32 - wineil32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\temp\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\temp\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - D:\Developer\MySQL\MySQL.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel? Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
Hi Alancth:
You may find any or all of the following:
Click Start > Settings > Control Panel > Add/Remove Programs, select the 'My Search Bar' (MySearch variant), 'MyWay Speed Bar' (MyWay) or 'My Web Search Bar' (MyWeb) entry and click 'Remove'. For the MyWeb variant, be sure to also remove 'Fun Web Products Easy Installer'.
Open Internet Explorer, click Tools > Internet Options, reset your home page (General > Home Page) and search settings (Programs > Reset Web Settings). (Internet Options->General->Start Page) if it has been changed, and search settings (Internet Options->Programs->Reset web settings).
R3 - URLSearchHook: (no name) - {300D3ED8-FB36-A9BD-4ABD-A9BFDF8AD2C4} - C:\WINDOWS\system32\svy.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: MySearch Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MySearch\SrchAstt\1.bin\MYSRCHAS.DLL
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O20 - Winlogon Notify: wineil32 - wineil32.dll (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
(this may or may not be legit, depends what's using it and that's not showing up) We can restore this if needed (any info Kemisti?, I know you're looking)
You have Ewido in a temp folder: I suggest you make sure you are using the latest definitions and install it to your desktop.
Reboot into Safe Mode by tapping F8 after the BIOS has loaded. The Windows Advanced Options Menu appears. Ensure that the Safe mode option is selected. Press Enter. The computer then begins to start in Safe mode.
Delete the following files or folders if found.
Open Folder Options in Control Panel > View and check your settings:
Select Show hidden files and folders
Display the contents of system folders
Uncheck: Hide protected operating system files
Delete:
Files: C:\WINDOWS\SYSTEM32\wineil32.dll
Run Ewido and save the log.
Boot normal and run HJT scan & save file.
Post back with logs.
Xeres
@Xeres: PurityScan also there:
O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\system32\F§ànts\spool32.exe" -vt ndrv
O4 - HKCU\..\Run: [Cgve] C:\Documents and Settings\Allan Cheong\My Documents\F§ànts\l§àgonui.exe
That service is legit
@allancth: Also do this
Look in your Control Panel's Add/Remove Programs for PuritySCAN By OIN, OuterInfo, OIN or similar, click on it and click Remove.
Reboot and delete this folder if found:
C:\Program Files\PurityScan
If not listed, download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe
http://www.outerinfo.com/howto.html Tutorial for the uninstaller if needed
Reboot when done and delete this folder if found:
C:\Program Files\PurityScan
Delete also this:
C:\Program Files\MySearch
Kemisti: Thanks, I appreciate your input. Completely missed those O4's. Maybe getting too old for this. Just trying to help. Xeres
@Xeres Hello. Thanks for your help. I did as you told. I entered safe mode but I can't seem to find the file wineil32.dll. Then I restarted my PC and entered normal mode. I did a scan using EWido with the latest update version. Found 8 infected files and removed them. This is the hijackthis.log. I also uninstalled the Search Assistant - MySearch (I do not know when I installed them. I never use these search bar things, cos I don't trust them).
---------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 3:32:20 AM, on 6/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\temp\ewido anti-malware\ewidoctrl.exe
C:\temp\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Allan Cheong\Desktop\HijackThis_v1.99.1.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ProgramFiles\AcrobatReader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {300D3ED8-FB36-A9BD-4ABD-A9BFDF8AD2C4} - C:\WINDOWS\system32\svy.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKCU\..\Run: [foxy] "D:\ProgramFiles\Foxy\Foxy.exe" -tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "D:\ProgramFiles\AcrobatReader\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Developer\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Developer\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.0.0971.28/WinSSWebAgent.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DDB144A-7E61-4B78-8BA3-D67CF733D049}: NameServer = 203.12.160.35,203.12.160.36
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineil32 - wineil32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\temp\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\temp\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - D:\Developer\MySQL\MySQL.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel? Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
---------------------------------------------------------------------
@-kemisti- Thank you. But I did not find anything related to PurityScan =(. However, I still downloaded the uninstaller and ran it anyway. Please advise.
Alancnth:
Run a scan with HJT, scan only. Place a check mark by:
O2 - BHO: (no name) - {300D3ED8-FB36-A9BD-4ABD-A9BFDF8AD2C4} - C:\WINDOWS\system32\svy.dll (file missing)
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
Download the Avenger from http://swandog46.geekstogo.com/avenger.zip by Swandog46 to your Desktop.
Click on Avenger.zip to open the file.
Extract avenger.exe to your desktop.
Copy all the text below to your Clipboard by highlighting it and pressing (Ctrl+C):
C:\WINDOWS\SYSTEM32\wineil32.dll
Start The Avenger program by clicking on its icon on your desktop.
Choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script".
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
Please copy/paste the content of C:\avenger.txt into your reply along with a fresh HJT log.
Xeres
Hello Xeres, I have run HijackThis and deleted the two things. However, when I try to run the script manually with Avenger, it prompted an error "ERROR: selected file does not appear to be a valid script". This is the latest HijackThis report. Please advise, thanks!
---------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 5:14:02 PM, on 6/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\temp\ewido anti-malware\ewidoctrl.exe
C:\temp\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Allan Cheong\Desktop\HijackThis_v1.99.1.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ProgramFiles\AcrobatReader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKCU\..\Run: [foxy] "D:\ProgramFiles\Foxy\Foxy.exe" -tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "D:\ProgramFiles\AcrobatReader\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Developer\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Developer\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.0.0971.28/WinSSWebAgent.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DDB144A-7E61-4B78-8BA3-D67CF733D049}: NameServer = 203.12.160.35,203.12.160.36
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineil32 - wineil32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\temp\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\temp\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - D:\Developer\MySQL\MySQL.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel? Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

@Xeres: There's no wineil32.dll, just registry entry:

O20 - Winlogon Notify: wineil32 - wineil32.dll (file missing)

@allancth: Fix with HjT:

O20 - Winlogon Notify: wineil32 - wineil32.dll (file missing)

Reboot and send a fresh HjT log.

Hello! Thanks for helping! I have fixed:-

O20 - Winlogon Notify: wineil32 - wineil32.dll (file missing)

with HijackThis. This is the latest report from HijackThis.

---------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 7:16:54 PM, on 6/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\temp\ewido anti-malware\ewidoctrl.exe
C:\temp\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Allan Cheong\Desktop\HijackThis_v1.99.1.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ProgramFiles\AcrobatReader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "D:\ProgramFiles\AcrobatReader\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Developer\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Developer\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.0.0971.28/WinSSWebAgent.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DDB144A-7E61-4B78-8BA3-D67CF733D049}: NameServer = 203.12.160.35,203.12.160.36
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\temp\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\temp\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - D:\Developer\MySQL\MySQL.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel? Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Thanks a lot!! Man, you guys are great. There are no problems now. Some questions here though. Can I now delete/uninstall all the files I have previously downloaded, such as EWido, Avenger, HijackThis, SmitfraudFix, AVG Free Edition and Ad-aware scan? And, I am just curious, how do you know which file and which registry key is the bad or infected one?

Feel free to delete Avenger and SmitfraudFix, yes. I recommend you keep AVG, Ad-aware and ewido. You'll need an antivirus and AVG is good for that purpose. HijackThis deletion is optional. You'll learn when you see a lot of HijackThis logs.
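
Added example (not part of the thread and not code from HijackThis): a small Python triage of HijackThis entry lines that lists entries whose target file is reported missing, bare file names first, and diffs two logs to confirm what a fix removed. The sample lines are copied from the two logs above; the function names are made up for this sketch, and a "(file missing)" hit is only a prompt for review, not a verdict.

```python
import re

# Constructed sample input: a handful of entries copied from the two HijackThis
# logs posted in this thread (before and after the O20 fix).
LOG_BEFORE = r"""
O4 - HKCU\..\Run: [foxy] "D:\ProgramFiles\Foxy\Foxy.exe" -tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineil32 - wineil32.dll (file missing)
O23 - Service: MySQL - Unknown owner - D:\Developer\MySQL\MySQL.exe (file missing)
"""
LOG_AFTER = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: MySQL - Unknown owner - D:\Developer\MySQL\MySQL.exe (file missing)
"""

# Entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
ENTRY = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
MISSING = "(file missing)"

def parse_log(text):
    """Return one dict per HijackThis entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        # The target is whatever follows the last " - " separator (or the body).
        target = body.rsplit(" - ", 1)[-1].replace(MISSING, "").strip()
        entries.append({"section": m.group("section"), "body": body,
                        "target": target, "missing": body.endswith(MISSING)})
    return entries

def review_candidates(entries):
    """Entries whose file is gone, with bare-name targets (no directory) first."""
    hits = [e for e in entries if e["missing"]]
    return sorted(hits, key=lambda e: "\\" in e["target"])

def removed_entries(before, after):
    """Entries present in the first log but absent from the second."""
    kept = {(e["section"], e["body"]) for e in after}
    return [e for e in before if (e["section"], e["body"]) not in kept]

if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    for e in review_candidates(before):
        print("review :", e["section"], e["body"])
    for e in removed_entries(before, after):
        print("removed:", e["section"], e["body"])
```

The MySQL service entry shows why the flag is only a starting point: it is also reported as missing and survives in the second log, yet nobody in the thread asked for it to be fixed.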