Please help me, a notification keeps popping up saying that I'm infected with a virus. I try to clean but it still keeps popping up. I read some threads about this, so I got my log right here. Please help me.

Logfile of HijackThis v1.99.1
Scan saved at 1:51:18 PM, on 3/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
C:\Program Files\?icrosoft\??rvices.exe
C:\Program Files\Abyss Web Server\abyssws.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Abyss Web Server\abyssws.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\aim\aim.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.162.1.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r2.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r2.attbi.com;<local>
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\LOCPHA~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [oakley] C:\WINDOWS\System32\oakley.exe
O4 - HKCU\..\Run: [msvcrt] C:\WINDOWS\System32\msvcrt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Qbimme] C:\Program Files\?icrosoft\??rvices.exe
O4 - HKCU\..\Run: [AbyssWebServer] C:\Program Files\Abyss Web Server\abyssws.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {2ED18548-033C-4ADE-A17F-3A1E07396A6B} (IceCastPlayer Control) - http://www.ice.pe.kr/IceCastPlayerX.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: winszd32 - C:\WINDOWS\SYSTEM32\winszd32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
First off, uninstall that toolbar. Second, boot to safe mode, clean out all temp files, and then run your virus scan of choice and then your spyware scan of choice.
I uninstalled the toolbar. Now the safe mode part: I'm not really sure how to do that and I don't want to mess anything up. Can you please tell me in steps? Thanks a lot.
Restart the PC, and as soon as it restarts, start hitting F8; then, when the boot menu loads, select "Safe Mode".
Hmm, after I did that, I restarted the computer and it booted normally. The notification still pops up and it installs SpyFalcon automatically. I uninstall it but it keeps installing again. Please help, here's another log. I think it changed a bit after your step.

Logfile of HijackThis v1.99.1
Scan saved at 6:21:32 PM, on 3/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.162.1.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r2.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r2.attbi.com;<local>
O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [SpyFalcon] C:\Program Files\SpyFalcon\SpyFalcon.exe /h
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\LOCPHA~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [oakley] C:\WINDOWS\System32\oakley.exe
O4 - HKCU\..\Run: [msvcrt] C:\WINDOWS\System32\msvcrt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Qbimme] C:\Program Files\?icrosoft\??rvices.exe
O4 - HKCU\..\Run: [AbyssWebServer] C:\Program Files\Abyss Web Server\abyssws.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {2ED18548-033C-4ADE-A17F-3A1E07396A6B} (IceCastPlayer Control) - http://www.ice.pe.kr/IceCastPlayerX.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: winszd32 - winszd32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks.
@DVDBack23: This one needs some special treatment...

@vpeternal: Hi, you got more infections than just SpyFalcon... =)

Cleaning instructions:

1. Update your Ewido. Do NOT run a scan yet.

2. Download smitrem to your desktop -> http://noahdfear.geekstogo.com/click counter/click.php?id=1
Double-click it and press Start; a smitrem folder appears on the desktop.

3. Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1
Do NOT run it yet.

4. Download Protocolfix to your desktop -> http://downloads.subratam.org/Fix-Protocol-zones-ranges.reg
When downloaded, double-click it and press Yes and OK.

5. Download FixSF.reg to your desktop -> http://www.bleepingcomputer.com/files/reg/FixSF.reg
Double-click it and answer Yes to any questions.

6. Restart your computer into Safe Mode (press the F8 key while the computer is starting and choose Safe Mode).

7. Go to Control Panel -> Add or Remove Programs -> remove if found: SpyFalcon (IF you are asked to restart your computer, DO NOT restart.)

8. Run HijackThis and fix these entries (if found): (Do a system scan only, check the entries, close all other windows, press Fix checked)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
O4 - HKLM\..\Run: [SpyFalcon] C:\Program Files\SpyFalcon\SpyFalcon.exe /h
O4 - HKCU\..\Run: [oakley] C:\WINDOWS\System32\oakley.exe
O4 - HKCU\..\Run: [msvcrt] C:\WINDOWS\System32\msvcrt.exe
O4 - HKCU\..\Run: [Qbimme] C:\Program Files\?icrosoft\??rvices.exe
O16 - DPF: {2ED18548-033C-4ADE-A17F-3A1E07396A6B} (IceCastPlayer Control) - http://www.ice.pe.kr/IceCastPlayerX.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - Winlogon Notify: winszd32 - winszd32.dll (file missing)

9. Go to the smitrem folder on your desktop, run the RunThis.bat file and follow the instructions.

10. Run ATF Cleaner -> check Select All -> press Empty Selected.

Make your hidden files visible:
-> On the Tools menu in Windows Explorer, click Folder Options.
-> Click the View tab.
-> Under Hidden files and folders, click Show hidden files and folders.

11. Delete these files if found:
C:\Program Files\?icrosoft\-->??rvices.exe
C:\WINDOWS\System32\-->msvcrt.exe
C:\WINDOWS\System32\-->oakley.exe
C:\Windows\System32\-->dxmpp.dll
C:\WINDOWS\system32\-->ginuerep.dll

12. Delete these folders if found:
C:\Program Files\-->TBONAS
C:\Program Files\-->SpyFalcon

13. Use the Windows "search" function (make sure that you search hidden files and folders and system folders too). Search for this and delete it if found: winszd32.dll

14. Empty the Recycle Bin.

15. Make your hidden files invisible again:
-> On the Tools menu in Windows Explorer, click Folder Options.
-> Click the View tab.
-> Under Hidden files and folders, click Do not show hidden files and folders.

16. Scan your computer with Ewido, let it remove what it finds and save the report.

17. Restart your computer normally.

18. Post the following logs here and we'll see if you are clean:
-> new HijackThis log,
-> Ewido's log, and the log from
-> C:\smitfiles.txt
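The helper above is reading the log by eye for a handful of tell-tale signs: autostart paths with characters HijackThis could not display (the `?icrosoft\??rvices.exe` entry), entries that point at files that no longer exist, http/https defaulted to the Trusted Zone, a Winlogon Notify DLL with no full path, and IE search/start values reset to about:blank. The Python script below is an added example (not code from the thread, from HijackThis, or from any vendor) that applies those same checks to HJT entry lines. Its rules and the `THREAD_FIX_LIST` name list are this example's own assumptions, drawn from the helper's fix list in this thread rather than from a signature database, and `SAMPLE_LOG` is constructed from entries quoted in the logs above so it runs offline.

```python
"""Triage helper for HijackThis (HJT) log entries.

Added example for this thread; it is not code from HijackThis, from the
helpers here, or from any vendor. The rules and the name list below are
this example's own assumptions, taken from the helper's fix list.
"""
import re

# Every HJT finding has the shape "<kind> - <body>", for example:
#   O4 - HKCU\..\Run: [oakley] C:\WINDOWS\System32\oakley.exe
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")

# Names taken from the entries the helper in this thread told the poster
# to fix (assumption: a thread-specific list, not a signature set).
THREAD_FIX_LIST = (
    "spyfalcon", "oakley.exe", "msvcrt.exe", "qbimme",
    "yazzle", "icecastplayer", "winszd32", "tbonas",
)

# Constructed sample: entries quoted from the thread's logs, plus header
# and process lines so the parser has non-entry lines to skip.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
O4 - HKLM\..\Run: [SpyFalcon] C:\Program Files\SpyFalcon\SpyFalcon.exe /h
O4 - HKCU\..\Run: [oakley] C:\WINDOWS\System32\oakley.exe
O4 - HKCU\..\Run: [Qbimme] C:\Program Files\?icrosoft\??rvices.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winszd32 - winszd32.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


def parse_hjt(log_text):
    """Return [(kind, body), ...] for each HJT entry line; other lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append((match.group("kind"), match.group("body")))
    return entries


def triage_entry(kind, body):
    """Return the reasons an entry deserves review (empty list = nothing flagged)."""
    reasons = []
    lower = body.lower()
    if kind == "O4" and "?" in body:
        # HJT prints '?' for characters it cannot render; a folder such as
        # '?icrosoft' is built to look like 'Microsoft' at a glance.
        reasons.append("autostart path contains characters HJT could not display")
    if lower.endswith("(file missing)"):
        reasons.append("points at a file that no longer exists (orphaned entry)")
    if kind in ("R0", "R1") and lower.endswith("= about:blank"):
        reasons.append("IE search/start setting reset to about:blank")
    if kind == "O15" and "trusted zone" in lower:
        reasons.append("protocol defaulted to the Trusted Zone instead of the Internet Zone")
    if kind == "O20" and "\\" not in body.split(" - ", 1)[-1]:
        # A Notify DLL given as a bare file name, with no directory.
        reasons.append("Winlogon Notify DLL listed without a full path")
    if any(name in lower for name in THREAD_FIX_LIST):
        reasons.append("named in the helper's fix list for this thread")
    return reasons


def triage_log(log_text):
    """Return [(entry_text, reasons), ...] for every flagged entry, in log order."""
    flagged = []
    for kind, body in parse_hjt(log_text):
        reasons = triage_entry(kind, body)
        if reasons:
            flagged.append((f"{kind} - {body}", reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG):
        print(entry)
        for reason in reasons:
            print("    -", reason)
```

Run against the constructed sample, the script leaves the Messenger, Zone Labs and igfxcui entries alone and flags the other eight, giving more than one reason for the TBONAS toolbar and the winszd32 Notify entry. The name list is the weakest rule by design; the structural checks (unrenderable characters, missing files, Trusted Zone defaults, path-less Notify DLLs) are the ones that carry over to a log from a different machine.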
Wow, help from the pros =). Thanks, I just got home from school and I'm happy to read this; I will do this soon. Again, thanks a lot guys.
Here are my new logs.

Logfile of HijackThis v1.99.1
Scan saved at 8:17:32 PM, on 3/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
C:\Program Files\Abyss Web Server\abyssws.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Abyss Web Server\abyssws.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.162.1.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r2.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r2.attbi.com;<local>
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\LOCPHA~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [oakley] C:\WINDOWS\System32\oakley.exe
O4 - HKCU\..\Run: [msvcrt] C:\WINDOWS\System32\msvcrt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Qbimme] C:\Program Files\?icrosoft\??rvices.exe
O4 - HKCU\..\Run: [AbyssWebServer] C:\Program Files\Abyss Web Server\abyssws.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:04:54 PM, 3/27/2006
+ Report-Checksum: 1C1487A6

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{7FD44536-9DF0-4034-939F-5BD4D98E3187} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Loc Phan\Application
Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup :mozilla.96:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup :mozilla.97:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup :mozilla.98:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup :mozilla.99:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup :mozilla.106:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup :mozilla.107:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup :mozilla.112:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup :mozilla.113:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup :mozilla.114:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup :mozilla.115:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup :mozilla.116:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup :mozilla.117:C:\Documents and 
Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup :mozilla.118:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup :mozilla.119:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup :mozilla.120:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup :mozilla.121:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup :mozilla.122:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup :mozilla.123:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup :mozilla.124:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup :mozilla.125:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup :mozilla.126:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup :mozilla.127:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup :mozilla.128:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup 
:mozilla.129:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup :mozilla.130:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup :mozilla.131:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup :mozilla.132:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup :mozilla.133:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup :mozilla.134:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup :mozilla.135:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup :mozilla.136:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup :mozilla.137:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup :mozilla.138:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup :mozilla.139:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup :mozilla.140:C:\Documents and Settings\Loc Phan\Application 
Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup :mozilla.167:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup :mozilla.171:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup :mozilla.172:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup :mozilla.174:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup :mozilla.175:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup :mozilla.176:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup :mozilla.177:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup :mozilla.178:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup :mozilla.179:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup :mozilla.180:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup :mozilla.181:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup :mozilla.182:C:\Documents and 
Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup :mozilla.189:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup :mozilla.190:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup :mozilla.191:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup :mozilla.192:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup :mozilla.193:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup :mozilla.209:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup :mozilla.216:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup :mozilla.217:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup C:\Documents and Settings\Loc Phan\Cookies\loc phan@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup C:\HJT\backups\backup-20060327-183744-323.dll -> Adware.MediaTickets : Cleaned with backup C:\Program Files\etea\rpen.exe -> Downloader.PurityScan.bu : Cleaned with backup C:\WINDOWS\dinst.exe -> Adware.BetterInternet : Cleaned with backup C:\WINDOWS\Downloaded Program Files\gdnUS2339.exe -> Downloader.Small.ayl : Cleaned with backup C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Cleaned with backup 
C:\WINDOWS\svcproc.exe -> Adware.BetterInternet : Cleaned with backup C:\WINDOWS\system32\dbrghn.exe -> Trojan.Agent.ay : Cleaned with backup C:\WINDOWS\system32\dfrgsrv.exe -> Downloader.Zlob.jd : Cleaned with backup C:\WINDOWS\system32\DrPMon.dll -> Adware.BetterInternet : Cleaned with backup C:\WINDOWS\system32\interf.tlb -> Downloader.Zlob.jh : Cleaned with backup C:\WINDOWS\system32\oins.exe -> Dropper.PurityScan.ad : Cleaned with backup C:\WINDOWS\system32\sysupd1003.exe -> Hijacker.Small.an : Cleaned with backup C:\WINDOWS\ucjetwkqok.exe -> Adware.Bestofer : Cleaned with backup C:\WINDOWS\YAXUninst.exe -> Adware.MediaTickets : Cleaned with backup ::Report End
Forgot this.

smitRem © log file
version 2.8

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 03/27/2006
The current time is: 18:39:24.18

Running from
C:\Documents and Settings\Loc Phan\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export
(GetSTS.exe)
SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key
ShudderLTD key not present!

checking for PSGuard.com key
PSGuard.com key not present!

checking for WinHound.com key
WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

Online Security Guide.url
Security Troubleshooting.url

~~~ Favorites ~~~

~~~ system32 folder ~~~

1024 dir
mssearchnet.exe
ncompat.tlb
nvctrl.exe
logfiles

~~~ Icons in System32 ~~~

ot.ico

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 824 'explorer.exe'
Killing PID 824 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix
(GetSTS.exe)
SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN!
Ok, not clean yet.

Restart your computer in Safe Mode (press the F8 key while the computer is starting and choose Safe Mode).

Run HijackThis and fix these entries (if found). (Do a system scan only, check the entries, close all other windows, press Fix checked.)

O4 - HKCU\..\Run: [oakley] C:\WINDOWS\System32\oakley.exe
O4 - HKCU\..\Run: [msvcrt] C:\WINDOWS\System32\msvcrt.exe
O4 - HKCU\..\Run: [Qbimme] C:\Program Files\?icrosoft\??rvices.exe

Make your hidden files visible:
-> On the Tools menu in Windows Explorer, click Folder Options.
-> Click the View tab.
-> Under Hidden files and folders, click Show hidden files and folders.

Delete these files:

C:\WINDOWS\System32\ --> oakley.exe
C:\WINDOWS\System32\ --> msvcrt.exe
C:\Program Files\?icrosoft\ --> ??rvices.exe (probably C:\Program Files\Microsoft\services.exe)
C:\Windows\System32\ --> dxmpp.dll
C:\WINDOWS\system32\ --> ginuerep.dll

Empty the Recycle Bin.

Make your hidden files invisible again:
-> On the Tools menu in Windows Explorer, click Folder Options.
-> Click the View tab.
-> Under Hidden files and folders, click Do not show hidden files and folders.

Scan your computer again with Ewido, let it remove what it finds and save the report. Restart your computer normally. Post Ewido's log and a new HijackThis log.
Hmm, I looked for them on my last scan but didn't see them. I might have skipped them somehow, but I'll do it again to make sure. Thanks a lot for the help, JaPK.
Ok, but when you have done that, post a new Ewido log and a new HijackThis log. If they won't go away, we'll use a stronger tool...
Hmm, I've been trying to find those files but I can't seem to find them. I found some of those files, but as .dll, not .exe.
It is okay if you can't find those files. There are some system files that may look the same as those files, but leave those alone. Scan your computer again with Ewido, let it remove what it finds and save the report. Post Ewido's log and a new HijackThis log here and we'll see if we should use a stronger tool.
Hi, sorry, I've been kind of busy. But here's the HijackThis log; I didn't do the Ewido scan yet. Can you check if there is anything bad in the HijackThis log except for those files I couldn't find?

Logfile of HijackThis v1.99.1
Scan saved at 5:39:58 PM, on 4/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.162.1.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r2.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r2.attbi.com;<local>
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\LOCPHA~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [oakley] C:\WINDOWS\System32\oakley.exe
O4 - HKCU\..\Run: [msvcrt] C:\WINDOWS\System32\msvcrt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Qbimme] C:\Program Files\?icrosoft\??rvices.exe
O4 - HKCU\..\Run: [AbyssWebServer] C:\Program Files\Abyss Web Server\abyssws.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks a lot.
Ok, let's get you cleaned.

Download Killbox to your desktop -> http://www.downloads.subratam.org/KillBox.zip
Unzip it to your desktop.

Fix these entries with HijackThis:

O4 - HKCU\..\Run: [oakley] C:\WINDOWS\System32\oakley.exe
O4 - HKCU\..\Run: [msvcrt] C:\WINDOWS\System32\msvcrt.exe
O4 - HKCU\..\Run: [Qbimme] C:\Program Files\?icrosoft\??rvices.exe

Run Killbox.exe -> choose Delete on Reboot -> click the All Files option.

Copy the following lines to your clipboard (select the text with your mouse, press CTRL+C or copy):

C:\WINDOWS\System32\oakley.exe
C:\WINDOWS\System32\msvcrt.exe
C:\Program Files\Microsoft\services.exe

Then go back to Killbox -> go to File -> choose Paste from Clipboard -> click the red-white Delete File option.
-> Click Yes to the Delete on Reboot question.
-> Click OK to any PendingFileRenameOperations requests (and tell me if you get any of these!).
-> Restart your computer if Killbox won't do it.

(If you get this error when running Killbox: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid.", download Missingfilessetup.exe from here to your desktop and run the file, then try running Killbox again -> http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe)

Update and run a scan with Ewido, clean what it finds, and save the log.

Post a new HijackThis log and Ewido's log here and we'll see if you're clean.
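As an added example (not a tool from this thread), a small Python triage helper for HijackThis O4 autostart lines that flags the two patterns the helper singled out in the logs above: a path containing characters HijackThis rendered as "?" (the `?icrosoft\??rvices.exe` entry, a look-alike folder name) and an .exe that borrows the base name of a genuine Windows system DLL (oakley.exe, msvcrt.exe). The DLL name list is a short constructed sample, and the input is built from O4 lines of this thread's log.

```python
import re
from dataclasses import dataclass

# Constructed, deliberately short sample of well-known Windows XP system DLL
# base names; a real deployment would build this from a clean reference install.
KNOWN_SYSTEM_DLLS = {"msvcrt", "oakley", "kernel32", "ntdll", "user32", "wininet"}

# Matches registry-based O4 lines: "O4 - HKCU\..\Run: [name] command".
# Startup-folder O4 lines ("O4 - Startup: ...") are deliberately left out.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:CU|LM))\\\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Constructed sample made from O4 lines that appear in the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [oakley] C:\WINDOWS\System32\oakley.exe
O4 - HKCU\..\Run: [msvcrt] C:\WINDOWS\System32\msvcrt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Qbimme] C:\Program Files\?icrosoft\??rvices.exe
O4 - HKCU\..\Run: [AbyssWebServer] C:\Program Files\Abyss Web Server\abyssws.exe
"""


@dataclass
class Finding:
    line: str
    reasons: tuple


def command_path(cmd):
    """Return the executable path from an O4 command (strips quotes and arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: the path ends at a known extension; anything after it is arguments.
    m = re.match(r"(.*?\.(?:exe|dll|com|bat|scr|pif))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def suspicious_reasons(path):
    """Heuristics for one autostart path; returns a list of human-readable reasons."""
    reasons = []
    # HijackThis prints "?" for characters it cannot render; a "?" inside a
    # Windows path is otherwise impossible, so this usually marks a look-alike
    # folder or file name built from non-ASCII characters.
    if "?" in path or any(ord(c) > 127 for c in path):
        reasons.append("unrenderable or non-ASCII characters in path (possible look-alike name)")
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    stem, _, ext = base.rpartition(".")
    # An .exe named after a real system DLL (oakley.dll, msvcrt.dll) is a
    # classic disguise: the name looks familiar, but the DLL is never run this way.
    if ext.lower() == "exe" and stem.lower() in KNOWN_SYSTEM_DLLS:
        reasons.append(f"'{base}' reuses the name of the system library {stem.lower()}.dll")
    return reasons


def triage_o4(log_text):
    """Parse every registry O4 line in a HijackThis log and return the suspicious ones."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if not m:
            continue
        reasons = suspicious_reasons(command_path(m.group("cmd")))
        if reasons:
            findings.append(Finding(line, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for finding in triage_o4(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   ->", reason)
```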