Status: Not open for further replies.
Registered · 4 Posts · Discussion Starter #1
Hi, I'm new here, so hi to everyone.
So it all started when I installed LimeWire I got off of araditrack.
After I restart my CPU I have under a minute before the worm turns on;
it stops me from connecting to the net.
The worm I think is called w32/denis.worm. I looked up low.com and that's what I found. McAfee says it can remove it, but I don't have McAfee, I have Norton Pro 03.
Also, when the low.exe starts I also get a pop-up that tries to get me to download Internet Explorer add-in sitebar,
but I say no to it.
I also get a small black screen that looks like a DOS window.
When I open the C drive the worm sticks these under Program Files and Windows:
one is called mmxateam, then there is one called low and another called xe, is, sw, zxvcc73x, and last but not least tb, and that one opens the sitebar thing.

I'm so sad, haven't played DoD:S in days. If you can help that would be great, thanks in advance.
Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 7:56:17 PM, on 10/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\winlogin.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\lsass.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Foxie Suite\Firewall.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.file-webber.de
R3 - Default URLSearchHook is missing
O1 - Hosts: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
O1 - Hosts: <HTML><HEAD>
O1 - Hosts: <TITLE>403 Forbidden</TITLE>
O1 - Hosts: </HEAD><BODY>
O1 - Hosts: <H1>Forbidden</H1>
O1 - Hosts: You don't have permission to access /stat.dat
O1 - Hosts: on this server.<P>
O1 - Hosts: <HR>
O1 - Hosts: <ADDRESS>Apache/1.3.31 Server at www.meet2k.com Port 80</ADDRESS>
O1 - Hosts: </BODY></HTML>
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\ssqpp.dll
O2 - BHO: FoxieToolbar Class - {432CAE3B-690F-4C3B-BD97-070EBDA210D5} - C:\Program Files\Foxie Suite\foxietoolbaru.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: FoxieSecurityModule Class - {C65185B1-D52B-44A9-861F-8201B50D1F37} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Foxie - {09C02180-3B46-4CD8-83FF-34DAF442BDEF} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Winlogun] C:\WINDOWS\system32\winlogin.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SIDEBAR] C:\WINDOWS\Resources\Themes\DameK UltraBlue\Desktop Sidebar\sidebar.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm (HKCU)
O9 - Extra button: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe (HKCU)
O9 - Extra button: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe (HKCU)
O9 - Extra button: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm (HKCU)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Filter: text/html - {03974811-C15F-462c-B6B0-2D2336AA57D0} - (no file)
O20 - Winlogon Notify: ssqpp - C:\WINDOWS\SYSTEM32\ssqpp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe


TSF Security Team, Emeritus · 26,363 Posts
Hello and Welcome

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

CleanUp.exe - Install.

KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage will not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
  • Desktop SideBar / DameK UltraBlue

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Launch KillBox.exe & select the following options:
  • delete on Reboot
Select all the filenames listed below & then right-click & select Copy
  • C:\WINDOWS\system32\winlogin.exe
    C:\WINDOWS\lsass.exe
    C:\WINDOWS\system32\ssqpp.dll
    C:\WINDOWS\Resources\Themes\DameK UltraBlue\Desktop Sidebar\sidebar.exe
  • Go to the File menu, and choose Paste from Clipboard
  • Click the RED X button.
  • Click Yes at the Delete on Reboot prompt.
  • Click Yes at the 'Pending Operations prompt'.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Click Start->Run - type SERVICES.MSC & then click on the OK button
  1. Locate the service - Local Security Authority Subsystem Service (lsass)
  2. Double-click on it to open the Properties dialog.
    • Under the General tab, note down the name of "Service name". We shall need it later.
    • Stop the service by using the Stop button.
    • Change the Startup type to Disabled & then click on the OK button
  3. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  4. In the popup box that appears, type in "Service name" & then click on the OK button
Answer No when prompted to reboot


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Open HiJackThis, place a check next to these items and select "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.file-webber.de
R3 - Default URLSearchHook is missing
O1 - Hosts: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
O1 - Hosts: <HTML><HEAD>
O1 - Hosts: <TITLE>403 Forbidden</TITLE>
O1 - Hosts: </HEAD><BODY>
O1 - Hosts: <H1>Forbidden</H1>
O1 - Hosts: You don't have permission to access /stat.dat
O1 - Hosts: on this server.<P>
O1 - Hosts: <HR>
O1 - Hosts: <ADDRESS>Apache/1.3.31 Server at www.meet2k.com Port 80</ADDRESS>
O1 - Hosts: </BODY></HTML>
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\ssqpp.dll
O4 - HKLM\..\Run: [Winlogun] C:\WINDOWS\system32\winlogin.exe
O4 - HKCU\..\Run: [SIDEBAR] C:\WINDOWS\Resources\Themes\DameK UltraBlue\Desktop Sidebar\sidebar.exe
O18 - Filter: text/html - {03974811-C15F-462c-B6B0-2D2336AA57D0} - (no file)
O20 - Winlogon Notify: ssqpp - C:\WINDOWS\SYSTEM32\ssqpp.dll
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Please perform an online scan with Internet Explorer at one of the following sites:
Take note the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’

It would produce a log called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  1. HiJackThis
  2. Online scan
  3. Antispyware.log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
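The two entries the fix above targets first, C:\WINDOWS\system32\winlogin.exe (one letter away from the genuine winlogon.exe) and C:\WINDOWS\lsass.exe (the real lsass.exe lives in system32), are the classic signs a triager looks for in the "Running processes" and O4 Run sections of a HijackThis log. The script below is an added example for this thread, not part of HijackThis or of the logs posted here; it flags both patterns over a constructed excerpt modelled on the first log. It assumes a default C:\WINDOWS system root, and the list of core binaries is a starting point, not an exhaustive one.

```python
"""Triage helper for a HijackThis log: flag process and O4 Run entries whose
file name is a one-character look-alike of a core Windows binary, or whose name
matches a core binary but lives outside the directory the genuine copy uses.

Added example for this thread; not part of HijackThis or the thread's logs.
Assumes a default C:\\WINDOWS system root (Windows XP era)."""
import re

# Where the genuine copy of each core binary lives on a default XP install
# (assumption: system root is C:\WINDOWS; adjust for other installs).
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

O4_RE = re.compile(r"O4 - (HK\w+)\\\.\.\\Run: \[[^\]]*\] (.*)")


def edit_distance(a, b):
    """Levenshtein distance between two strings (classic DP, small inputs)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_path(raw):
    """Return (directory, filename), both lower-cased, from a log path that
    may be quoted or carry trailing arguments such as ' /Consumer' or ' -Hide'."""
    raw = raw.strip()
    if raw.startswith('"'):
        raw = raw[1:].split('"', 1)[0]
    else:
        raw = re.sub(r"\s+[-/]\S*$", "", raw)
    directory, _, name = raw.rpartition("\\")
    return directory.lower(), name.lower()


def extract_paths(log_text):
    """Yield (section, raw_path) for 'Running processes' lines and O4 Run entries."""
    in_procs = False
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            if not line:  # a blank line ends the process list
                in_procs = False
                continue
            yield "process", line
            continue
        m = O4_RE.match(line)
        if m:
            yield "O4 " + m.group(1), m.group(2)


def triage(log_text):
    """Return a list of (section, path, reason) findings."""
    findings = []
    for section, raw in extract_paths(log_text):
        directory, name = split_path(raw)
        if name in EXPECTED_DIR:
            # Exact system name: suspicious only when it runs from the wrong place.
            # A bare name (no directory) is resolved via PATH and is not judged here.
            if directory and directory != EXPECTED_DIR[name]:
                findings.append((section, raw, f"system binary name outside {EXPECTED_DIR[name]}"))
            continue
        for legit in EXPECTED_DIR:
            if edit_distance(name, legit) == 1:
                findings.append((section, raw, f"one-character look-alike of {legit}"))
                break
    return findings


# Constructed excerpt modelled on the first log in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\winlogin.exe
C:\WINDOWS\lsass.exe
C:\Program Files\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Winlogun] C:\WINDOWS\system32\winlogin.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
"""

if __name__ == "__main__":
    for section, path, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {path}: {reason}")
```

On the excerpt this reports three findings: the winlogin.exe process, the lsass.exe copy running from C:\WINDOWS, and the "Winlogun" O4 Run value that restarts winlogin.exe at logon. A bare O4 value such as atiptaxx.exe is deliberately left alone, since without a directory there is nothing to compare against.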
 

Registered · 4 Posts · Discussion Starter #3
Hi again *big smile*

OK, so things are a lot better. Just about everything went as you said.
A few HijackThis things weren't there, but I got most of them, you see what I mean.
In my new log there is one thing weird: there is a bunch of new stuff in HijackThis,
kinda looks like URLs, not sure, but I've never got or gone to them. I did know one of them, ICQ, but I've never downloaded it on this install of XP.
One more thing: you said the last thing I had to do was a second scan with T/Micro scan to get a log. Well, I did it again but it didn't give me a log. I'm not sure what I did wrong, but the second scan did show nothing, so it got rid of it on the first. Got rid of a few things I didn't know I had, but it also messed up my Kazaa Lite. Oh well, I'll just install it again.
Oh yeah, one of the virus scans found some trojans and didn't remove them, so they are still there. I still have that low one. OK, I'm going to give my logs now.
Thank you very much for your help, I'm so glad I can get on the net now.
Oh, and thanks for replying to me so fast. I've been on other tech sites and gave up 'cause no one replies. Man, I'm tired, it's 7:30 AM, been up all night doing this. OK, OK, here are the logs.


Logfile of HijackThis v1.99.1
Scan saved at 7:14:45 AM, on 10/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Foxie Suite\Firewall.exe
C:\Program Files\HijackThis.exe

O1 - Hosts: 195.158.172.121 amazon.at
O1 - Hosts: 195.158.172.121 www.amazon.at
O1 - Hosts: 195.158.172.121 www.all-inkl.de
O1 - Hosts: 195.158.172.121 all-inkl.de
O1 - Hosts: 195.158.172.121 www.domainfactory.de
O1 - Hosts: 195.158.172.121 domainfactory.de
O1 - Hosts: 195.158.172.121 www.evanzo.de
O1 - Hosts: 195.158.172.121 evanzo.de
O1 - Hosts: 195.158.172.121 www.united-domains.de
O1 - Hosts: 195.158.172.121 united-domains.de
O1 - Hosts: 195.158.172.121 www.sedo.de
O1 - Hosts: 195.158.172.121 sedo.de
O1 - Hosts: 195.158.172.121 www.sedo.com
O1 - Hosts: 195.158.172.121 sedo.com
O1 - Hosts: 195.158.172.121 www.domains.de
O1 - Hosts: 195.158.172.121 domains.de
O1 - Hosts: 195.158.172.121 sedo.fr
O1 - Hosts: 195.158.172.121 sedo.it
O1 - Hosts: 195.158.172.121 sedo.se
O1 - Hosts: 195.158.172.121 sedo.dk
O1 - Hosts: 195.158.172.121 www.sedo.fr
O1 - Hosts: 195.158.172.121 www.sedo.it
O1 - Hosts: 195.158.172.121 www.sedo.se
O1 - Hosts: 195.158.172.121 www.sedo.dk
O1 - Hosts: 195.158.172.121 e-hausaufgaben.de
O1 - Hosts: 195.158.172.121 hausaufgaben.de
O1 - Hosts: 195.158.172.121 www.e-hausaufgaben.de
O1 - Hosts: 195.158.172.121 www.hausaufgaben.de
O1 - Hosts: 195.158.172.121 young.de
O1 - Hosts: 195.158.172.121 schoolunity.de
O1 - Hosts: 195.158.172.121 schoolwork.de
O1 - Hosts: 195.158.172.121 hausarbeiten24.com
O1 - Hosts: 195.158.172.121 hausarbeiten.de
O1 - Hosts: 195.158.172.121 www.young.de
O1 - Hosts: 195.158.172.121 www.schoolunity.de
O1 - Hosts: 195.158.172.121 www.schoolwork.de
O1 - Hosts: 195.158.172.121 www.hausarbeiten24.com
O1 - Hosts: 195.158.172.121 www.hausarbeiten.de
O1 - Hosts: 195.158.172.121 schulstadt.de
O1 - Hosts: 195.158.172.121 www.schulstadt.de
O1 - Hosts: 195.158.172.121 www.probenclub.de
O1 - Hosts: 195.158.172.121 www.couponmountain.de
O1 - Hosts: 195.158.172.121 www.warenproben.ag
O1 - Hosts: 195.158.172.121 www.gratisproben24.net
O1 - Hosts: 195.158.172.121 probenclub.de
O1 - Hosts: 195.158.172.121 couponmountain.de
O1 - Hosts: 195.158.172.121 warenproben.ag
O1 - Hosts: 195.158.172.121 gratisproben24.net
O1 - Hosts: 195.158.172.121 probendino.de
O1 - Hosts: 195.158.172.121 www.probendino.de
O1 - Hosts: 195.158.172.121 www.proben.de
O1 - Hosts: 195.158.172.121 www.produktproben.de
O1 - Hosts: 195.158.172.121 proben.de
O1 - Hosts: 195.158.172.121 produktproben.de
O1 - Hosts: 195.158.172.121 de.supereva.com
O1 - Hosts: 195.158.172.121 www.de.supereva.com
O1 - Hosts: 195.158.172.121 www.knuddels.de
O1 - Hosts: 195.158.172.121 www.flirt-fever.de
O1 - Hosts: 195.158.172.121 www.neu.de
O1 - Hosts: 195.158.172.121 neu.de
O1 - Hosts: 195.158.172.121 chat.lycos.de
O1 - Hosts: 195.158.172.121 www.spinchat.de
O1 - Hosts: 195.158.172.121 www.chat.de
O1 - Hosts: 195.158.172.121 www.chatcity.de
O1 - Hosts: 195.158.172.121 www.webchat.de
O1 - Hosts: 195.158.172.121 chat.yahoo.de
O1 - Hosts: 195.158.172.121 www.friendscout24.de
O1 - Hosts: 195.158.172.121 www.ilove.de
O1 - Hosts: 195.158.172.121 www.traumpartnerchat.de
O1 - Hosts: 195.158.172.121 knuddels.de
O1 - Hosts: 195.158.172.121 flirt-fever.de
O1 - Hosts: 195.158.172.121 chat.lycos.de
O1 - Hosts: 195.158.172.121 spinchat.de
O1 - Hosts: 195.158.172.121 chat.de
O1 - Hosts: 195.158.172.121 chatcity.de
O1 - Hosts: 195.158.172.121 webchat.de
O1 - Hosts: 195.158.172.121 chat.yahoo.de
O1 - Hosts: 195.158.172.121 friendscout24.de
O1 - Hosts: 195.158.172.121 ilove.de
O1 - Hosts: 195.158.172.121 traumpartnerchat.de
O1 - Hosts: 195.158.172.121 www.icq.de
O1 - Hosts: 195.158.172.121 icq.de
O1 - Hosts: 195.158.172.121 icq.com
O1 - Hosts: 195.158.172.121 www.icq.com
O1 - Hosts: 195.158.172.121 mirc.com
O1 - Hosts: 195.158.172.121 www.mirc.com
O1 - Hosts: 195.158.172.121 mirc.de
O1 - Hosts: 195.158.172.121 www.mirc.de
O1 - Hosts: 195.158.172.121 xchat.org
O1 - Hosts: 195.158.172.121 www.xchat.org
O1 - Hosts: 195.158.172.121 boldchat.com
O1 - Hosts: 195.158.172.121 www.boldchat.com
O1 - Hosts: 195.158.172.121 liveperson.com
O1 - Hosts: 195.158.172.121 www.liveperson.com
O1 - Hosts: 195.158.172.121 www.bravenet.com
O1 - Hosts: 195.158.172.121 bravenet.com
O1 - Hosts: 195.158.172.121 www.adultfriendfinder.com
O1 - Hosts: 195.158.172.121 adultfriendfinder.com
O1 - Hosts: 195.158.172.121 www.friendster.com
O1 - Hosts: 195.158.172.121 friendster.com
O1 - Hosts: 195.158.172.121 www.monster.com
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: FoxieToolbar Class - {432CAE3B-690F-4C3B-BD97-070EBDA210D5} - C:\Program Files\Foxie Suite\foxietoolbaru.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: FoxieSecurityModule Class - {C65185B1-D52B-44A9-861F-8201B50D1F37} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O3 - Toolbar: Foxie - {09C02180-3B46-4CD8-83FF-34DAF442BDEF} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm (HKCU)
O9 - Extra button: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe (HKCU)
O9 - Extra button: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe (HKCU)
O9 - Extra button: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: ssqpp - ssqpp.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe (file missing)
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

//////////////////////////////////////////////////////////////////////////////////////


Incident Status Location

Virus:Trj/Hooker.M Disinfected Operating system
Spyware:spyware/new.net No disinfected C:\WINDOWS\NDNuninstall6_38.exe
Adware:adware/ist.istbar No disinfected Windows Registry
Virus:Trj/Hooker.M Disinfected C:\Program Files\backups\backup-20051019-034146-665.dll
Spyware:Spyware/Altnet No disinfected C:\Program Files\Kazaa Lite\TopSearch.dll
Spyware:Spyware/New.net No disinfected C:\Program Files\themexp\Themexp.org File\NNWDAB638.EXE
Adware:Adware/ActivShopper No disinfected C:\Program Files\themexp\Themexp.org File\TXPSHOPPER.exe
Virus:Trj/Hooker.M Disinfected C:\RECYCLER\NPROTECT\00162973.exe
Virus:Trj/Hooker.M No disinfected C:\RECYCLER\NPROTECT\00162977.exe[is.exe]
Adware:Adware/IST.ISTBar No disinfected C:\RECYCLER\NPROTECT\00162977.exe[tb.exe]
Adware:Adware/IST.ISTBar No disinfected C:\RECYCLER\NPROTECT\00162985.exe
Virus:Trj/Hooker.M Disinfected C:\RECYCLER\NPROTECT\00163214.exe
Virus:Trj/Hooker.M Disinfected C:\RECYCLER\NPROTECT\00164564.exe
Adware:Adware/IST.ISTBar No disinfected C:\RECYCLER\NPROTECT\00164568.exe
Virus:Trj/Hooker.M No disinfected C:\RECYCLER\NPROTECT\00164570.exe[is.exe]
Adware:Adware/IST.ISTBar No disinfected C:\RECYCLER\NPROTECT\00164570.exe[tb.exe]
Virus:Trj/Hooker.M Disinfected C:\RECYCLER\NPROTECT\00165005.exe
Adware:Adware/IST.ISTBar No disinfected C:\RECYCLER\NPROTECT\00165019.exe
Virus:Trj/Hooker.M No disinfected C:\RECYCLER\NPROTECT\00165022.exe[is.exe]
Adware:Adware/IST.ISTBar No disinfected C:\RECYCLER\NPROTECT\00165022.exe[tb.exe]
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_38.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_90.exe
Spyware:Spyware/LinkReplacer No disinfected C:\WINDOWS\system32\hlwin.dll
Virus:Trj/Hooker.M Disinfected C:\WINDOWS\system32\jkhhg.dll
Spyware:Spyware/LinkReplacer No disinfected C:\WINDOWS\system32\PreUninstallHL.exe
Virus:Trj/Hooker.M Disinfected C:\WINDOWS\system32\ssqpp.dll
Virus:Bck/Nemus.A Disinfected C:\WINDOWS\system32\winlogin.exe


////////////////////////////////////////////////////////////////////////////////////

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, October 19, 2005 06:29:49
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 19/10/2005
Kaspersky Anti-Virus database records: 145662
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 47796
Number of viruses found: 3
Number of infected objects: 17
Number of suspicious objects: 0
Duration of the scan process: 2270 sec

Infected Object Name - Virus Name
C:\RECYCLER\NPROTECT\00162977.exe/tb.exe Infected: Net-Worm.Win32.Mytob.bi
C:\RECYCLER\NPROTECT\00162977.exe Infected: Net-Worm.Win32.Mytob.bi
C:\RECYCLER\NPROTECT\00162985.exe Infected: Net-Worm.Win32.Mytob.bi
C:\RECYCLER\NPROTECT\00164565.exe Infected: Trojan.Win32.LowZones.c
C:\RECYCLER\NPROTECT\00164568.exe Infected: Net-Worm.Win32.Mytob.bi
C:\RECYCLER\NPROTECT\00164569.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\RECYCLER\NPROTECT\00164570.exe/low.exe Infected: Trojan.Win32.LowZones.c
C:\RECYCLER\NPROTECT\00164570.exe/xe.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\RECYCLER\NPROTECT\00164570.exe/tb.exe Infected: Net-Worm.Win32.Mytob.bi
C:\RECYCLER\NPROTECT\00164570.exe Infected: Net-Worm.Win32.Mytob.bi
C:\RECYCLER\NPROTECT\00165019.exe Infected: Net-Worm.Win32.Mytob.bi
C:\RECYCLER\NPROTECT\00165021.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\RECYCLER\NPROTECT\00165022.exe/low.exe Infected: Trojan.Win32.LowZones.c
C:\RECYCLER\NPROTECT\00165022.exe/xe.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\RECYCLER\NPROTECT\00165022.exe/tb.exe Infected: Net-Worm.Win32.Mytob.bi
C:\RECYCLER\NPROTECT\00165022.exe Infected: Net-Worm.Win32.Mytob.bi
C:\RECYCLER\NPROTECT\00165024.exe Infected: Trojan.Win32.LowZones.c

Scan process completed.


There. Again, thank you.
I'll check again here for your results around 4 PM.
 

TSF Security Team, Emeritus · 26,363 Posts
Kazaa - I see you have P2P software installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation. I’ll leave the decision to you.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


TeaTimer is an excellent tool for the prevention of spyware but it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose [Yes] at the Warning prompt.
  • Expand the [Tools] menu.
  • Click [Resident].
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click [Exit] to exit Spybot Search & Destroy.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Fix these entries with HijackThis:

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O20 - Winlogon Notify: ssqpp - ssqpp.dll (file missing)



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Next, please reboot your computer in SafeMode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folder
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following files: (all must be found & deleted)
  • C:\WINDOWS\NDNuninstall6_38.exe
  • C:\Program Files\backups\backup-20051019-034146-665.dll
  • C:\Program Files\Kazaa Lite\TopSearch.dll
  • C:\Program Files\themexp\Themexp.org File\NNWDAB638.EXE
  • C:\Program Files\themexp\Themexp.org File\TXPSHOPPER.exe
  • C:\WINDOWS\NDNuninstall6_90.exe
  • C:\WINDOWS\system32\hlwin.dll
  • C:\WINDOWS\system32\jkhhg.dll
  • C:\WINDOWS\system32\PreUninstallHL.exe

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

EMPTY THE NORTON PROTECTED RECYCLE BIN

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Reboot to Normal Mode

Download DelO15Domains.inf - Right click on this & choose "Save As..." DelO15Domains.inf
Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.


Also download Host.zip
Extract the file & overwrite the existing copy located at C:\WINDOWS\SYSTEM32\DRIVERS\ETC\host


Do another Panda scan & post the resultant report along with a new HJT log.
 

Registered · 4 Posts · Discussion Starter #5
hi
ok, so I did as you said; there were a few things that I could not remove,
i.e. some Windows DLL files that you told me to remove and a Program Files file.

I also didn't find all the HijackThis entries that you asked me to delete.

here is the Panda scan and a HijackThis log.
thanks again. Panda scan still says I have some adware; I've done both Spybot and Ad-Aware scans and they came up clean.


Incident Status Location

Spyware:spyware/media-motor No disinfected Windows Registry
Virus:Trj/Hooker.M No disinfected C:\RECYCLER\NPROTECT\00162977.exe[is.exe]
Adware:Adware/IST.ISTBar No disinfected C:\RECYCLER\NPROTECT\00162977.exe[tb.exe]
Adware:Adware/IST.ISTBar No disinfected C:\RECYCLER\NPROTECT\00162985.exe
Adware:Adware/IST.ISTBar No disinfected C:\RECYCLER\NPROTECT\00164568.exe
Virus:Trj/Hooker.M No disinfected C:\RECYCLER\NPROTECT\00164570.exe[is.exe]
Adware:Adware/IST.ISTBar No disinfected C:\RECYCLER\NPROTECT\00164570.exe[tb.exe]
Adware:Adware/IST.ISTBar No disinfected C:\RECYCLER\NPROTECT\00165019.exe
Virus:Trj/Hooker.M No disinfected C:\RECYCLER\NPROTECT\00165022.exe[is.exe]
Adware:Adware/IST.ISTBar No disinfected C:\RECYCLER\NPROTECT\00165022.exe[tb.exe]
////////////////////////////////////////////////////////////////////////////

Logfile of HijackThis v1.99.1
Scan saved at 10:19:12 PM, on 10/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Foxie Suite\Firewall.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - (no file)
O2 - BHO: FoxieToolbar Class - {432CAE3B-690F-4C3B-BD97-070EBDA210D5} - C:\Program Files\Foxie Suite\foxietoolbaru.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: FoxieSecurityModule Class - {C65185B1-D52B-44A9-861F-8201B50D1F37} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O3 - Toolbar: Foxie - {09C02180-3B46-4CD8-83FF-34DAF442BDEF} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm (HKCU)
O9 - Extra button: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe (HKCU)
O9 - Extra button: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe (HKCU)
O9 - Extra button: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe (file missing)
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

thanks let me know what you think.
 

TSF Security Team, Emeritus · 26,363 Posts
You're basically clean.

Panda only managed to find files that are in your Norton Recycle bin. You should empty it.


Your HJT log is still showing some stubborn entries. Try fixing them again.

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)


After you have done so, do a re-scan with HJT to verify that they're gone. Let me know if they're gone. If not, I'll have to give you a Registry fix to remove them.
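The entries listed for fixing in the earlier reply and the two "stubborn" O2 entries above are all what HijackThis reports as "(file missing)" or "(no file)": a registry load point whose file is gone. The following script is an added example, not HijackThis code or anything from this forum. It parses that plain-text log format, lists the orphaned entries, and shows when one DLL name is registered in more than one load point (as ssqpp.dll was here, once as a BHO and once as a Winlogon Notify entry). The sample log inside it is constructed from lines quoted in this thread.

```python
"""Flag HijackThis log entries whose registered file no longer exists.

Added example (not HijackThis code or the forum's own tooling). The log
format is the plain-text one shown in this thread, e.g.
'O2 - BHO: (no name) - {CLSID} - C:\\path\\file.dll (file missing)'.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DLL_RE = re.compile(r"([\w~-]+\.dll)\b", re.IGNORECASE)

# Load points where an orphaned registration deserves a second look: each
# of these makes Windows or Internet Explorer try to load the named file.
LOAD_POINTS = {
    "O2": "Browser Helper Object",
    "O4": "Run key",
    "O20": "Winlogon Notify",
    "O23": "Service",
}

# Constructed sample: the lines reuse entries from the logs posted in this
# thread, so the CLSIDs and paths are the ones the helper told the poster to fix.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\\WINDOWS\\system32\\ssqpp.dll (file missing)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [THGuard] "C:\\Program Files\\TrojanHunter 4.2\\THGuard.exe"
O20 - Winlogon Notify: ssqpp - ssqpp.dll (file missing)
O23 - Service: RadClock - Unknown owner - C:\\WINDOWS\\system32\\RadClock.exe (file missing)
"""


@dataclass
class Orphan:
    section: str          # HijackThis section code, e.g. "O2"
    load_point: str       # human-readable name of that load point
    clsid: Optional[str]  # CLSID for BHO/toolbar entries, else None
    reason: str           # why the entry counts as orphaned
    raw: str              # the original log line


def find_orphans(log_text: str) -> List[Orphan]:
    """Return entries HijackThis marks as '(file missing)' or '(no file)'."""
    found: List[Orphan] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # process list, headers and blank lines are skipped
        section, body = m.groups()
        if body.endswith("(file missing)"):
            reason = "path registered but file absent"
        elif body.endswith("(no file)"):
            reason = "registered with no file path"
        else:
            continue
        clsid = CLSID_RE.search(body)
        found.append(Orphan(section, LOAD_POINTS.get(section, "other"),
                            clsid.group(0) if clsid else None, reason, line))
    return found


def dlls_in_multiple_load_points(log_text: str) -> Dict[str, List[str]]:
    """Map DLL name -> sections referencing it, keeping only DLLs that are
    registered in more than one load point (ssqpp.dll above: one BHO entry
    plus one Winlogon Notify entry for the same file)."""
    seen: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        for dll in DLL_RE.findall(body):
            sections = seen.setdefault(dll.lower(), [])
            if section not in sections:
                sections.append(section)
    return {dll: secs for dll, secs in seen.items() if len(secs) > 1}


if __name__ == "__main__":
    for o in find_orphans(SAMPLE_LOG):
        print(f"{o.section:<4} {o.load_point:<22} {o.clsid or '-':<40} {o.reason}")
    print(dlls_in_multiple_load_points(SAMPLE_LOG))
```

Run as-is it reports the four orphaned sample entries and the ssqpp.dll pair; pass a saved log's text to `find_orphans` for a real machine. An orphaned entry cannot load anything on its own, but it is the trace of something that was set to load at logon or into the browser before its file was removed, which is why a fresh scan is still worth doing after fixing the registry entries.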
 

Registered · 4 Posts · Discussion Starter #7
thank you so much

hi again, well it's running fine so thanks
I'm able to play my games now
I did the HijackThis fix and it got rid of the entries you said to remove
good job my friend, keep up the good work; know this:
you have given me the most help out of all the tech forums I've gone to
so grats, you win a golden token
I'd give $ but I'm a poor man on welfare, but the day I get back on my feet I'll donate cuz this site is worth it
till we meet again *grins, I hope that doesn't come soon lol* later
 

TSF Security Team, Emeritus · 26,363 Posts
Here are some tips for you to keep yourself protected:


  1. CLEAR & RESET SYSTEM RESTORE'S CACHE
    Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  2. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folder
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  3. SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.


  4. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  5. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  6. Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  7. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with an antivirus program. A tutorial on installing & using this product can be found here


  8. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis, just as you would with an antivirus program, in conjunction with Spybot. A tutorial on installing & using this product can be found here


  9. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here


  10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here


  11. MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Weather Watcher - Free taskbar weather program that is free, malware-free, and resource light.

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.


Please respond to this thread one more time so we can mark this thread as resolved.
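Item 11 above replaces the hosts file with the MVPS one, which works by pointing ad domains at 127.0.0.1. The same mechanism can be turned against a user: a hosts file that maps update or vendor domains to a remote address silently breaks the updates item 6 relies on, and earlier in this thread the existing hosts file was overwritten with a clean copy. This audit script is an added example, not MVPS or forum tooling; it parses standard hosts syntax and separates blocking entries (loopback or 0.0.0.0) from redirections to any other address, and flags lines that do not parse. The sample content, the documentation-range address 203.0.113.7 and the path constant are constructed assumptions.

```python
"""Audit a Windows hosts file for entries that redirect names to real hosts.

Added example, not the MVPS project's own tooling. It parses only the
standard hosts syntax: 'address  name [name ...]  # optional comment'.
"""
import ipaddress
import sys
from typing import Dict, List

# Standard location on Windows XP; an assumption about the reader's system,
# not a path taken from the thread.
DEFAULT_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Constructed sample. 203.0.113.0/24 is a documentation range, so the
# 'redirect' lines are illustrative and point nowhere real.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       ads.example.net          # block-list style entry
0.0.0.0         tracker.example.org
203.0.113.7     windowsupdate.com        # an update site pointed at a remote host
203.0.113.7     www.mcafee.com
not-an-ip       broken.example
"""


def audit_hosts(text: str) -> Dict[str, object]:
    """Classify every hosts entry.

    sinks         names mapped to a loopback or unspecified address (blocking)
    redirects     (name, address) pairs mapped anywhere else
    malformed     (line number, text) for lines that do not parse
    localhost_ok  True when 'localhost' resolves to a loopback address
    """
    sinks: List[str] = []
    redirects: List[tuple] = []
    malformed: List[tuple] = []
    localhost_ok = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            addr = None
        if addr is None or len(parts) < 2:
            malformed.append((lineno, raw.strip()))
            continue
        sinking = addr.is_loopback or addr.is_unspecified
        for name in parts[1:]:
            if name.lower() == "localhost":
                if addr.is_loopback:
                    localhost_ok = True
                else:
                    redirects.append((name, str(addr)))
            elif sinking:
                sinks.append(name)
            else:
                # Any non-local target means the file is resolving a name
                # to a host of someone's choosing rather than blocking it.
                redirects.append((name, str(addr)))
    return {"sinks": sinks, "redirects": redirects,
            "malformed": malformed, "localhost_ok": localhost_ok}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    report = audit_hosts(content)
    print(f"blocking entries : {len(report['sinks'])}")
    print(f"localhost correct: {report['localhost_ok']}")
    for name, addr in report["redirects"]:
        print(f"REDIRECT  {name:<30} -> {addr}")
    for lineno, text in report["malformed"]:
        print(f"MALFORMED line {lineno}: {text}")
    sys.exit(1 if report["redirects"] else 0)
```

Run with no arguments it audits the constructed sample; pass the hosts file path (the constant above on XP) to audit a real one. A clean MVPS-style file produces only blocking entries and a correct localhost line; any REDIRECT line is worth explaining before trusting the file, and an entry pointing a vendor or update domain elsewhere is a reason to replace the file as the helper did.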
 