1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Cowabanga.exe?

Discussion in 'Windows - Virus and spyware problems' started by dikitty, Jun 24, 2006.

  1. dikitty

    dikitty Member

    Joined:
    Jun 24, 2006
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    I found this random file in my program files not two hours ago. I'm pretty sure it's malicious. Ran the HJT scan. Here it is:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:32:09 AM, on 6/24/2006
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\WINNT\System32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINNT\System32\RUNDLL32.EXE
    C:\WINNT\System32\internat.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\WINNT\System32\SCardSvr.exe
    C:\WINNT\System32\SMBOLS~1\iexplore.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\PROGRA~1\YSTEM~1\WNLOGO~1.EXE
    C:\HJT\HijackThis.exe

    R3 - Default URLSearchHook is missing
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\System32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [Orac] "C:\WINNT\System32\SMBOLS~1\iexplore.exe" -vt yazr
    O4 - HKCU\..\Run: [Mzgg] C:\Program Files\?ystem\w?nlogon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O15 - Trusted Zone: *.moove.com
    O16 - DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/ActiveWorldsDownload.cab
    O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://download.games.yahoo.com/games/web_games/playfirst/trijinx/TriJinx.1.0.0.55.cab
    O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/bingame/pacz/default/pandaonline.cab
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
    O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/gold/unskin/gf.cab
    O20 - AppInit_DLLs: NVDESK32.DLL C:\WINNT\System32\chkdsk.dll
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

    I've been running online scanners all night, and nothing seems to have picked it up. Should I just remove it using the add/remove program option? Thanks for the help.
     
  2. Xeres

    Xeres Member

    Joined:
    Apr 27, 2003
    Messages:
    85
    Likes Received:
    0
    Trophy Points:
    16
    Hi Dikitty:
    Please download a copy of Smitfraudfix to your desktop from:http://siri.geekstogo.com/SmitfraudFix.zip unzip and save to a new folder on your destop.

    Make a copy of these instructions so you have them handy as the next steps need to be done in safe mode with IE closed.

    Make sure your PC is configured to show hidden files
    How to Show Hidden Files
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html


    Click Start.

    Open My Computer.

    Select the Tools menu and click Folder Options.

    Select the View Tab.

    Under the Hidden files and folders heading select Show hidden files and folders.

    Uncheck the Hide protected operating system files (recommended) option.

    Click Yes to confirm.

    Click OK.


    Reboot your PC into SAFE MODE

    How to start the computer in Safe mode
    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

    Open HijackThis and choose *scan only*

    Run HJT in scan mode and place a check mark to each of the following

    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [Orac] "C:\WINNT\System32\SMBOLS~1\iexplore.exe" -vt yazr
    O4 - HKCU\..\Run: [Mzgg] C:\Program Files\?ystem\w?nlogon.exe

    Delete the following files and/or folders:

    C:\PROGRAM FILES\STEM... (folder) Folder name is longer but begins with those letters and may contain spaces.

    C:\Program Files\Common Files\?ymbols (folder) That question mark in the name is a *wild card character* and may look like an alphabet letter

    If you are not sure, make a note of folder found with names similar to what you see and let me know what you found.

    Next while still in safe mode open the smitfraudfix folder and run the program with option 1. It will save a file to C: Rapport.txt

    Reboot in normal mode. Run HJT scan & save the log file. Post the smitfrad lrapport and the new HJt log back here.

    Xeres
     
  3. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    @Xeres:This one is legit:

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    And these are purityscan ;)

    O4 - HKCU\..\Run: [Orac] "C:\WINNT\System32\SMBOLS~1\iexplore.exe" -vt yazr
    O4 - HKCU\..\Run: [Mzgg] C:\Program Files\?ystem\w?nlogon.exe

    These need to be fixed:

    O15 - Trusted Zone: *.moove.com
    O20 - AppInit_DLLs: NVDESK32.DLL C:\WINNT\System32\chkdsk.dll

    And this must be deleted(purityscan related):

    C:\WINNT\System32\chkdsk.dll

    No need for smitfraudfix, no signs in log.

    @dikitty:

    Look in your control panels add/remove programs for PuritySCAN By OIN, OuterInfo, OIN or similar , click on it and click remove.
    Reboot and delete this folder if found:
    C:\Program Files\PurityScan

    If not listed, download and run this uninstaller:
    http://www.outerinfo.com/OiUninstaller.exe

    http://www.outerinfo.com/howto.html
    Tutorial for the uninstaller if needed

    Reboot when done and delete this folder if found:
    C:\Program Files\PurityScan

    Fix with HjT:


    R3 - Default URLSearchHook is missing
    O15 - Trusted Zone: *.moove.com
    O20 - AppInit_DLLs: NVDESK32.DLL C:\WINNT\System32\chkdsk.dll


    Download the http://www.downloads.subratam.org/KillBox.zip
    Killbox.
    Unzip it to the desktop

    Double-click Killbox.exe to run it.

    Select "Delete on Reboot".
    Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:
    C:\WINNT\System32\chkdsk.dll
    Put a mark next to "Delete on Reboot"
    Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
    If your computer does not restart automatically, please restart it manually.

    Send a fresh HjT log.
     
    Last edited: Jun 24, 2006
  4. dikitty

    dikitty Member

    Joined:
    Jun 24, 2006
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    Wee, followed the instructions you gave, kemisti (no offense to Xeres).

    Here's the new HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 4:54:17 PM, on 6/24/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\WINNT\System32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\WINNT\system32\internat.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\HJT\HijackThis.exe

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\System32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [Orac] "C:\WINNT\System32\SMBOLS~1\iexplore.exe" -vt yazr
    O4 - HKCU\..\Run: [Mzgg] C:\Program Files\?ystem\w?nlogon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/ActiveWorldsDownload.cab
    O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://download.games.yahoo.com/games/web_games/playfirst/trijinx/TriJinx.1.0.0.55.cab
    O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/bingame/pacz/default/pandaonline.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151152955273
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
    O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/gold/unskin/gf.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

    Seems all clear? Certainly hope so. Thanks so much for you guys' help. :)
     
  5. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    Looks pretty good :)

    Fix these:

    O4 - HKCU\..\Run: [Orac] "C:\WINNT\System32\SMBOLS~1\iexplore.exe" -vt yazr
    O4 - HKCU\..\Run: [Mzgg] C:\Program Files\?ystem\w?nlogon.exe


    Reboot.

    Please download and install http://www.ewido.net/en/product/ ewido anti-spyware tool

    [*]]Close all other Applications] Select language click Ok
    [*]Click I Agree
    [*]Click next
    [*]Click Install
    [*]Click Finish
    [*]Wait Ewido will open main screen automatically.
    [*]Wait again a few minutes and Ewido Should Auto update itself. If it doesn't click update at top of screen.
    [*]]This in very important to get updates
    [*]When updating has finished. Close Ewido.

    If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.
    • Next, please reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear use arrow up to highlight
    • Select the first option, to run Windows in Safe Mode hit enter.
    • For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml

      You MUST manage to get into Safe Mode for the fix to work.

      Make sure to close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
    • Open Ewido
    • Click on scanner top of Ewido sceen
    • Click on Settings
    • Under How to Act click on Recommended Action choose Quarantine
    • Under How to scan all boxes should be selected
    • Under Possibly unwanted software all boxes should be selected
    • On right side under Reports: click on Automatically generate report after every scan.
    • Under What to scan select scan every file
    • Click On scan Tab
    • Click on Complete system scan
    • Let the program scan the machine It can take awhile give it time.
    • When scan has finished At bottom of screen click Apply all Actions
    • Click Save report
    • Click Save Report as (Save as window's screen should pop up.)
    • Click desktop
    • Click Save
    • Exit ewido
      Reboot back to normal mode

      Send a fresh HjT log and ewido report.
     
  6. dikitty

    dikitty Member

    Joined:
    Jun 24, 2006
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    Uhm, I tried to boot up ewido in Safe Mode and... it wouldn't work. Unhappy kitty.
     
  7. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    Ewido didn't work in safe mode? Try running it in normal mode then.
     
  8. dikitty

    dikitty Member

    Joined:
    Jun 24, 2006
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    Weee all right.

    Here is the HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:38:15 AM, on 6/25/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\WINNT\System32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\WINNT\system32\internat.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\System32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/ActiveWorldsDownload.cab
    O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://download.games.yahoo.com/games/web_games/playfirst/trijinx/TriJinx.1.0.0.55.cab
    O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/bingame/pacz/default/pandaonline.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151152955273
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
    O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/gold/unskin/gf.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

    And the ewido log:

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 3:36:03 AM 6/25/2006

    + Scan result:



    C:\WINNT\system32\sуmbols\iexplore.exe -> Adware.ClickSpring : No action taken.
    C:\!KillBox\chkdsk.dll -> Adware.PurityScan : No action taken.
    HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : No action taken.
    C:\WINNT\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@2o7[1].txt -> TrackingCookie.2o7 : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
    C:\Documents and Settings\Tesseract\Cookies\tesseract@cnn.122.2o7[2].txt -> TrackingCookie.2o7 : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@ads.addynamix[1].txt -> TrackingCookie.Addynamix : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@z1.adserver[1].txt -> TrackingCookie.Adserver : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@advertising[2].txt -> TrackingCookie.Advertising : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@burstnet[1].txt -> TrackingCookie.Burstnet : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@www.burstnet[2].txt -> TrackingCookie.Burstnet : No action taken.
    C:\Documents and Settings\Tesseract\Cookies\tesseract@burstnet[2].txt -> TrackingCookie.Burstnet : No action taken.
    C:\Documents and Settings\Administrator\Cookies\administrator@cz4.clickzs[2].txt -> TrackingCookie.Clickzs : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@com[1].txt -> TrackingCookie.Com : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@as-us.falkag[1].txt -> TrackingCookie.Falkag : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@fastclick[2].txt -> TrackingCookie.Fastclick : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@media.fastclick[2].txt -> TrackingCookie.Fastclick : No action taken.
    C:\Documents and Settings\Administrator\Cookies\administrator@hypertracker[1].txt -> TrackingCookie.Hypertracker : No action taken.
    C:\Documents and Settings\Administrator\Cookies\administrator@ilead.itrack[1].txt -> TrackingCookie.Itrack : No action taken.
    C:\Documents and Settings\Administrator\Cookies\administrator@sales.liveperson[1].txt -> TrackingCookie.Liveperson : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@ads.pointroll[2].txt -> TrackingCookie.Pointroll : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@questionmarket[2].txt -> TrackingCookie.Questionmarket : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@edge.ru4[1].txt -> TrackingCookie.Ru4 : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
    C:\Documents and Settings\Administrator\Cookies\administrator@specificpop[1].txt -> TrackingCookie.Specificpop : No action taken.
    C:\Documents and Settings\Administrator\Cookies\administrator@starware[2].txt -> TrackingCookie.Starware : No action taken.
    C:\Documents and Settings\Tesseract\Cookies\tesseract@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@trafficmp[2].txt -> TrackingCookie.Trafficmp : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.
    C:\Documents and Settings\Tesseract\Cookies\tesseract@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
    C:\Documents and Settings\Dionna\Cookies\dionna@zedo[2].txt -> TrackingCookie.Zedo : No action taken.


    ::Report end

     
  9. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    You'll have to rescan with ewido :)
    "No action taken" for all -> nothing removed. Make sure that you let ewido remove everything it finds.
    In other words, go to scanner -> settings
    How to act? -> recommended actions -> select delete
    Then re-scan using instructions I already gave you.
    Send a fresh HjT log.
     
  10. anii

    anii Member

    Joined:
    Jun 27, 2006
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    11
    is this still thread still alive? because i just got this thing today >< i googled it and it got me here, i downloaded the hjT so i'll run it and copy the log on here, if this is still alive >< ...
     
    Last edited: Jun 28, 2006
  11. anii

    anii Member

    Joined:
    Jun 27, 2006
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    11
    edit: nvm, spyware doctor cleanned it =\
     
    Last edited: Jun 29, 2006

Share This Page