
30 Posts
Discussion Starter #1
Here is my log file... I have one of those search bars and I'm getting a whole bunch of ads all the time now. Can anyone help? I've used Ad-Aware and Spybot, but there still seem to be problems...
Logfile of HijackThis v1.99.1
Scan saved at 6:08:19 PM, on 10/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\S2ltYmVybGV5\command.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINNT\etb\pokapoka76.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Net Nanny\nnsvc.exe
D:\Program Files\Net Nanny\nntray.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.go2realsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.go2realsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.go2realsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.go2realsearch.com/sp2.php
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\Daemon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [System service76] C:\WINNT\etb\pokapoka76.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [areslite] "D:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: CSCSettings - C:\WINNT\system32\mv8ml9l11.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\S2ltYmVybGV5\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NNSvc - Net Nanny Software International, Inc. - D:\Program Files\Net Nanny\nnsvc.exe
 

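The log above is the HijackThis format this thread works from: a "Running processes" block followed by prefixed entries (R1 search settings, O4 Run keys, O20 Winlogon Notify, O23 services), each carrying a registry location or file path. The following is an added example, not code from the thread, from HijackThis or from any of the tools it mentions. It parses a constructed sample in that format (paths copied from the log above), then applies three defender-side heuristics that are assumptions of this example, not rules the thread states: a search setting pointing at a host outside a small allowlist, an executable in a non-standard directory directly under the Windows directory, and a directory name that is valid base64 of printable text. The last check is included because `S2ltYmVybGV5` is the base64 encoding of "Kimberley", the account name that appears in the paths of the Kaspersky report later in this thread; both allowlists are constructed for the example.

```python
import base64
import re

# Constructed sample in the shape of the HijackThis v1.99.1 log posted
# above; the paths and entries are copied from that log.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\\WINNT\\System32\\smss.exe
C:\\WINNT\\S2ltYmVybGV5\\command.exe
C:\\WINNT\\etb\\pokapoka76.exe
D:\\Program Files\\Net Nanny\\nnsvc.exe

R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://www.go2realsearch.com/sp2.php
O4 - HKLM\\..\\Run: [NeroFilterCheck] C:\\WINNT\\system32\\NeroCheck.exe
O4 - HKLM\\..\\Run: [System service76] C:\\WINNT\\etb\\pokapoka76.exe
O20 - Winlogon Notify: CSCSettings - C:\\WINNT\\system32\\mv8ml9l11.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\\WINNT\\S2ltYmVybGV5\\command.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFOD]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|cpl|sys)\b', re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/\s]+)")
WINDIR_RE = re.compile(r"^[a-z]:\\(?:winnt|windows)\\([^\\]+)\\[^\\]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

# Assumed allowlists, constructed for this example (not from the thread).
KNOWN_WINDIR_SUBDIRS = {"system32", "system", "fonts", "help", "inf", "installer",
                        "java", "temp", "web", "downloaded program files"}
KNOWN_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "www.google.com"}


def parse_hjt(text):
    """Split a HijackThis log into running processes and (section, body) entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:
                in_procs = False   # blank line ends the process list
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return processes, entries


def decode_if_base64(component):
    """Return the decoded text if a path component is valid base64 of printable ASCII."""
    if not B64_RE.match(component) or len(component) % 4:
        return None
    try:
        decoded = base64.b64decode(component, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None


def check_path(path):
    """Heuristics applied to one file path; returns a list of reason strings."""
    reasons = []
    m = WINDIR_RE.match(path.lower())
    if m and m.group(1) not in KNOWN_WINDIR_SUBDIRS:
        reasons.append("non-standard directory under the Windows directory")
    for comp in path.split("\\")[1:-1]:       # directory components only
        decoded = decode_if_base64(comp)
        if decoded:
            reasons.append(f"base64 directory name decodes to {decoded!r}")
    return reasons


def analyze(text):
    """Return findings as (where, reason) pairs, in log order."""
    findings = []
    processes, entries = parse_hjt(text)
    for proc in processes:
        for reason in check_path(proc):
            findings.append(("process " + proc, reason))
    for sec, body in entries:
        if sec.startswith("R"):               # R0/R1: IE start/search settings
            for host in URL_RE.findall(body):
                if host.lower() not in KNOWN_SEARCH_HOSTS:
                    findings.append((f"{sec} {body}", f"search setting points at {host}"))
        for path in PATH_RE.findall(body):
            for reason in check_path(path):
                findings.append((f"{sec} {body}", reason))
    return findings


if __name__ == "__main__":
    for where, reason in analyze(SAMPLE_LOG):
        print(f"{reason}\n    {where}")
```

On the sample this flags the go2realsearch.com search setting, the `etb` and `S2ltYmVybGV5` directories (as process, O4 and O23 entries), and reports the decoded name; the `system32` entries pass. The allowlists are deliberately small, so on a real log the output is a list of things to look at, not a verdict.
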
1,036 Posts
I am currently reviewing your log. Please note that this is under the supervision of an expert analyst. I will be back with a fix for your problem as soon as possible.

Please be patient with me during this time.

We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".
 

1,036 Posts
Hello again.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Open HijackThis and click on Scan. Check the following entries (make sure you do not miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\ddcyw.dll (file missing)
O20 - Winlogon Notify: ddcyw - C:\WINDOWS\system32\ddcyw.dll (file missing)

Please remember to close all other windows, including browsers, then click Fix checked.

Delete the following Files indicated in RED if they still exist:

C:\WINDOWS\system32\pmnnk.dll


Reboot your system in Normal Mode.

Follow the instructions outlined here to clear Sun Java's cache.

Please go here, and click the Kaspersky Online Scanner button. After it finishes scanning, give us the log of the scan.

Please scan again with HijackThis to get a new log.
Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in 'y' if you agree. The 'result.txt' file will open up in Notepad. Copy the whole result.txt log and post it in the forum. You don't need to post the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

Now give us a new HijackThis Analyzer log, along with Kaspersky Online Scanner's log, so we can make sure your system is clean.
 

30 Posts
Discussion Starter #4
HJT Analyzer Log

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 4:53:02 PM, on 10/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\S2ltYmVybGV5\command.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
D:\Program Files\Net Nanny\nnsvc.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\Daemon Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [areslite] "D:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: Dynamic Directory - C:\WINNT\system32\kt68l7ju1.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\S2ltYmVybGV5\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NNSvc - Net Nanny Software International, Inc. - D:\Program Files\Net Nanny\nnsvc.exe


End of KRC HijackThis Analyzer Log.
====================================================================
 

30 Posts
Discussion Starter #5
Kaspersky Log

Above was the HJT Analyzer and here is the Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, October 26, 2005 04:23:51
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 26/10/2005
Kaspersky Anti-Virus database records: 146837
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 73885
Number of viruses found: 33
Number of infected objects: 119
Number of suspicious objects: 4
Duration of the scan process: 9793 sec

Infected Object Name - Virus Name
C:\!KillBox\pokapoka76.exe Infected: Trojan.Win32.EliteBar.f
C:\113_dollarrevenue_4_0_3_9.exe/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.j
C:\113_dollarrevenue_4_0_3_9.exe Infected: Trojan-Downloader.Win32.TSUpdate.j
C:\Documents and Settings\Administrator\ActiveTaskLog.html Infected: Email-Worm.VBS.Gedza
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\6.0\Updater\udstore.js Infected: Email-Worm.VBS.Gedza
C:\Documents and Settings\Administrator\Application Data\Microsoft\Excel\XLSTART\iTemplate.xls/C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/SATTER~1.VBS Infected: Email-Worm.VBS.Gedza
C:\Documents and Settings\Administrator\Application Data\Microsoft\Excel\XLSTART\iTemplate.xls/ThisWorkbook Infected: Email-Worm.VBS.Gedza
C:\Documents and Settings\Administrator\Application Data\Microsoft\Excel\XLSTART\iTemplate.xls Infected: Email-Worm.VBS.Gedza
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-31a279e7.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-31a279e7.zip Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FBB0AB04-5D34-4CE0-8B3F-822C16DF34AB}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Sun, 28 Mar 2004 02:52:32 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FBB0AB04-5D34-4CE0-8B3F-822C16DF34AB}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Sun, 28 Mar 2004 02:52:32 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FBB0AB04-5D34-4CE0-8B3F-822C16DF34AB}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Sun, 28 Mar 2004 02:52:32 -0500]/message.scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FBB0AB04-5D34-4CE0-8B3F-822C16DF34AB}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Fri, 2 Apr 2004 23:35:32 -0500]/UNNAMED/my_details.pif Infected: Email-Worm.Win32.NetSky.d
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FBB0AB04-5D34-4CE0-8B3F-822C16DF34AB}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Fri, 2 Apr 2004 23:35:32 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.d
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FBB0AB04-5D34-4CE0-8B3F-822C16DF34AB}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.d
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/25 Apr 2004 16:35 from [email protected]:fake/me.zip/me.doc.pif Infected: Email-Worm.Win32.NetSky.b
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/25 Apr 2004 16:35 from [email protected]:fake/me.zip Infected: Email-Worm.Win32.NetSky.b
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/23 Apr 2004 12:48 from [email protected]:something for you/object.zip/object.pif Infected: Email-Worm.Win32.NetSky.b
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/23 Apr 2004 12:48 from [email protected]:something for you/object.zip Infected: Email-Worm.Win32.NetSky.b
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/22 Apr 2004 23:28 from [email protected]:read it immediately/stuff.htm.pif Infected: Email-Worm.Win32.NetSky.b
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/22 Apr 2004 13:09 from [email protected]:hi/information.com Infected: Email-Worm.Win32.NetSky.b
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/21 Apr 2004 11:50 from [email protected]:something for y/stuff.zip/stuff.exe Infected: Email-Worm.Win32.NetSky.b
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/21 Apr 2004 11:50 from [email protected]:something for y/stuff.zip Infected: Email-Worm.Win32.NetSky.b
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/20 Apr 2004 12:51 from [email protected]:information/message.zip/message.txt.pif Infected: Email-Worm.Win32.NetSky.b
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/20 Apr 2004 12:51 from [email protected]:information/message.zip Infected: Email-Worm.Win32.NetSky.b
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/05 Apr 2004 15:15 from [email protected]:information/dinner.zip/dinner.exe Infected: Email-Worm.Win32.NetSky.b
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/05 Apr 2004 15:15 from [email protected]:information/dinner.zip Infected: Email-Worm.Win32.NetSky.b
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/05 Apr 2004 13:14 from [email protected]:read it immediatel/swimmingpool.com Infected: Email-Worm.Win32.NetSky.b
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/03 Apr 2004 21:23 from [email protected]:unknown/topseller.zip/topseller.htm.pif Infected: Email-Worm.Win32.NetSky.b
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/03 Apr 2004 21:23 from [email protected]:unknown/topseller.zip Infected: Email-Worm.Win32.NetSky.b
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/02 Apr 2004 21:56 from [email protected]:warn/posting.pif Infected: Email-Worm.Win32.NetSky.b
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/02 Apr 2004 15:30 from [email protected]:something f/topseller.zip/topseller.rtf.exe Infected: Email-Worm.Win32.NetSky.b
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/02 Apr 2004 15:30 from [email protected]:something f/topseller.zip Infected: Email-Worm.Win32.NetSky.b
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/09 Jun 2005 12:29 from [email protected]:[Bulk] Mail Delivery .rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/09 Jun 2005 12:29 from [email protected]:[Bulk] Mail Delivery /message.scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/07 Apr 2005 13:27 from [email protected]:[Bulk] Mail Delive.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/07 Apr 2005 13:27 from [email protected]:[Bulk] Mail Delive/message.scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\Administrator\My Documents\honda.htm Infected: Email-Worm.VBS.Gedza
C:\Documents and Settings\Administrator\My Documents\honda_files\hmatt.htm Infected: Email-Worm.VBS.Gedza
C:\Documents and Settings\Administrator\My Documents\iTemplate.xls/C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/SATTER~1.VBS Infected: Email-Worm.VBS.Gedza
C:\Documents and Settings\Administrator\My Documents\iTemplate.xls/ThisWorkbook Infected: Email-Worm.VBS.Gedza
C:\Documents and Settings\Administrator\My Documents\iTemplate.xls Infected: Email-Worm.VBS.Gedza
C:\Documents and Settings\Administrator\My Documents\My Webs\aboutmepage.htm Infected: Email-Worm.VBS.Gedza
C:\Documents and Settings\Administrator\My Documents\My Webs\gamesmusicpage.htm Infected: Email-Worm.VBS.Gedza
C:\Documents and Settings\Administrator\My Documents\My Webs\index.htm Infected: Email-Worm.VBS.Gedza
C:\Documents and Settings\Administrator\My Documents\My Webs\picturespage.htm Infected: Email-Worm.VBS.Gedza
C:\Documents and Settings\Administrator\My Documents\My Webs\_vti_cnf\aboutmepage.htm Infected: Email-Worm.VBS.Gedza
C:\Documents and Settings\Administrator\My Documents\My Webs\_vti_cnf\gamesmusicpage.htm Infected: Email-Worm.VBS.Gedza
C:\Documents and Settings\Administrator\My Documents\My Webs\_vti_cnf\index.htm Infected: Email-Worm.VBS.Gedza
C:\Documents and Settings\Administrator\My Documents\My Webs\_vti_cnf\picturespage.htm Infected: Email-Worm.VBS.Gedza
C:\Documents and Settings\Administrator\report.htm Infected: Email-Worm.VBS.Gedza
C:\Documents and Settings\Administrator\StartupLog.html Infected: Email-Worm.VBS.Gedza
C:\Documents and Settings\All Users\Application Data\Grey four face does\Objlive.exe Infected: Trojan.Win32.Krepper.ab
C:\Documents and Settings\Kimberley\Local Settings\Temp\10224228_1800_1804_1912_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Kimberley\Local Settings\Temp\1049442_1180_528_632_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Kimberley\Local Settings\Temp\393332_1704_1492_1056_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Kimberley\Local Settings\Temp\6489084_2147888912_1492_1804_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Kimberley\Local Settings\Temp\7209564_1704_1804_2352_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Kimberley\Local Settings\Temp\917578_1800_1804_2400_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Kimberley\Local Settings\Temp\917578_2147888912_1492_2512_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Kimberley\Local Settings\Temp\GLFE9GLFE9.EXE/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.j
C:\Documents and Settings\Kimberley\Local Settings\Temp\GLFE9GLFE9.EXE Infected: Trojan-Downloader.Win32.TSUpdate.j
C:\Documents and Settings\Kimberley\Local Settings\Temp\jfghjhhfgudk.exe Infected: Trojan-Downloader.Win32.IstBar.lw
C:\Documents and Settings\Kimberley\Local Settings\Temporary Internet Files\Content.IE5\0TOQ7V1Y\drsmartload[1].exe Infected: Trojan-Downloader.Win32.VB.ri
C:\Documents and Settings\Kimberley\Local Settings\Temporary Internet Files\Content.IE5\0TOQ7V1Y\ga[1].exe Infected: Trojan-Downloader.Win32.Small.ayl
C:\Documents and Settings\Kimberley\Local Settings\Temporary Internet Files\Content.IE5\0TOQ7V1Y\istdownload[1].exe Infected: Trojan-Downloader.Win32.IstBar.lw
C:\Documents and Settings\Kimberley\Local Settings\Temporary Internet Files\Content.IE5\0TOQ7V1Y\ysbinstall_1003585[1].exe Infected: Trojan-Downloader.Win32.IstBar.is
C:\Documents and Settings\Kimberley\Local Settings\Temporary Internet Files\Content.IE5\KA797I3Q\113_dollarrevenue_4_0_3_9[1].exe/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.j
C:\Documents and Settings\Kimberley\Local Settings\Temporary Internet Files\Content.IE5\KA797I3Q\113_dollarrevenue_4_0_3_9[1].exe Infected: Trojan-Downloader.Win32.TSUpdate.j
C:\Documents and Settings\Kimberley\Local Settings\Temporary Internet Files\Content.IE5\KA797I3Q\1[1] Infected: Trojan.Win32.Crypt.t
C:\Documents and Settings\Kimberley\Local Settings\Temporary Internet Files\Content.IE5\KA797I3Q\sp2update00[1].exe Infected: Trojan-Downloader.Win32.VB.nh
C:\Documents and Settings\Kimberley\Local Settings\Temporary Internet Files\Content.IE5\KA797I3Q\ysb[1].dll Infected: Trojan-Downloader.Win32.IstBar.ms
C:\Documents and Settings\Kimberley\Local Settings\Temporary Internet Files\Content.IE5\SUHFU027\CP[1].IST2 Infected: Trojan.Win32.Crypt.t
C:\Documents and Settings\Kimberley\Local Settings\Temporary Internet Files\Content.IE5\T24KGD09\msresearch[1].exe Infected: Trojan.Win32.StartPage.acx
C:\Documents and Settings\Kimberley\Local Settings\Temporary Internet Files\Content.IE5\T24KGD09\optimize[1].exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\Documents and Settings\Kimberley\My Documents\b-1cli11.zip/start.exe/run.exe Infected: Trojan-Downloader.Win32.IstBar.is
C:\Documents and Settings\Kimberley\My Documents\b-1cli11.zip/start.exe Infected: Trojan-Downloader.Win32.IstBar.is
C:\Documents and Settings\Kimberley\My Documents\b-1cli11.zip Infected: Trojan-Downloader.Win32.IstBar.is
C:\drsmartload.exe Infected: Trojan-Downloader.Win32.VB.ri
C:\HJT\backups\backup-20050118-190454-155.dll Infected: Trojan-Downloader.Win32.Domcom.a
C:\HJT\backups\backup-20050118-190644-800.dll Infected: Trojan.Win32.P2E.aj
C:\HJT\backups\backup-20050701-091405-678-atom.exe Infected: Trojan-Spy.Win32.KeyLogger.dh
C:\HJT\backups\backup-20050701-091406-996-atom.exe Infected: Trojan-Spy.Win32.KeyLogger.dh
C:\Program Files\TS Webclient\toolbar.exe/stream/data0004 Infected: Trojan.Win32.StartPage.rr
C:\Program Files\TS Webclient\toolbar.exe/stream Infected: Trojan.Win32.StartPage.rr
C:\Program Files\TS Webclient\toolbar.exe Infected: Trojan.Win32.StartPage.rr
C:\Program Files\winupdate\winupdate.exe Infected: Trojan.Win32.Crypt.e
C:\Program Files\winupdates\a.tmp Infected: Worm.Win32.VB.an
C:\Program Files\winupdates\a.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Program Files\winupdates\a.zip Infected: Worm.Win32.VB.an
C:\Program Files\winupdates\winupdates.exe Infected: Worm.Win32.VB.an
C:\WINDOWS\msresearch.exe Infected: Trojan.Win32.StartPage.acx
C:\WINDOWS\sp2update00.exe Infected: Trojan-Downloader.Win32.VB.nh
C:\WINDOWS\SYSTEM32\dllcache\win32\services.exe Infected: Backdoor.Win32.Iroffer.b
C:\WINNT\drsmartload105a.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\WINNT\ga.exe Infected: Trojan-Downloader.Win32.Small.ayl
C:\WINNT\system32\ntsf.exe Infected: Backdoor.Win32.Rbot.gen
C:\WINNT\system32\p2pnetworking.exe Infected: Backdoor.Win32.Rbot.rc
C:\ysbinstall_1003585.exe Infected: Trojan-Downloader.Win32.IstBar.is
D:\My Documents\Games.xls/C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/SATTER~1.VBS Infected: Email-Worm.VBS.Gedza
D:\My Documents\Games.xls/ThisWorkbook Infected: Email-Worm.VBS.Gedza
D:\My Documents\Games.xls Infected: Email-Worm.VBS.Gedza
D:\Program Files\Shareaza\Downloads 3\AbsoluteShield Internet Eraser v3.36 Cracked by LOCKLESS.zip/setup.exe Infected: Trojan.Win32.Crypt.e
D:\Program Files\Shareaza\Downloads 3\AbsoluteShield Internet Eraser v3.36 Cracked by LOCKLESS.zip Infected: Trojan.Win32.Crypt.e
D:\Program Files\Shareaza\Downloads 3\Dungeon Siege 2 KEYGEN.rar/DS2keygen.exe Infected: Backdoor.Win32.Rbot.gen
D:\Program Files\Shareaza\Downloads 3\Dungeon Siege 2 KEYGEN.rar Infected: Backdoor.Win32.Rbot.gen
D:\Program Files\Shareaza\Downloads 3\Dungeon.Siege.2-RELOADED crack.rar/Dungeon.Siege.2-RELOADED crack.exe Infected: Trojan.Win32.Small.fm
D:\Program Files\Shareaza\Downloads 3\Dungeon.Siege.2-RELOADED crack.rar Infected: Trojan.Win32.Small.fm
D:\Program Files\Shareaza\Downloads 3\Dungeon.Siege.2-RELOADED keygen.rar/Dungeon.Siege.2-RELOADED keygen.exe Infected: Trojan.Win32.Small.fm
D:\Program Files\Shareaza\Downloads 3\Dungeon.Siege.2-RELOADED keygen.rar Infected: Trojan.Win32.Small.fm
D:\Program Files\Shareaza\Downloads 3\Guild Wars 50 keys.rar/Guild Wars 50 keys/La 1ère astuce pour tricher avec eurobarre/Eurofake.exe Infected: IM-Worm.Win32.Kelvir.bp
D:\Program Files\Shareaza\Downloads 3\Guild Wars 50 keys.rar Infected: IM-Worm.Win32.Kelvir.bp
D:\Program Files\Shareaza\Downloads 3\Guild Wars-FLT-KEYGEN.exe/csrss.exe Infected: Backdoor.Win32.ServU-based.gen
D:\Program Files\Shareaza\Downloads 3\Guild Wars-FLT-KEYGEN.exe/services.exe Infected: Backdoor.Win32.Iroffer.14b2
D:\Program Files\Shareaza\Downloads 3\Guild Wars-FLT-KEYGEN.exe Infected: Backdoor.Win32.Iroffer.14b2
D:\Program Files\Shareaza\Downloads 3\Jasc Paint Shop Pro 9.0 keygen TESTED.zip/Jasc Paint Shop Pro 9.0 keygen.exe Infected: Trojan-Dropper.Win32.Small.mq
D:\Program Files\Shareaza\Downloads 3\Jasc Paint Shop Pro 9.0 keygen TESTED.zip Infected: Trojan-Dropper.Win32.Small.mq
D:\Program Files\Shareaza\Downloads 3\Total Video Converter v2.1.zip/Setup.exe Infected: Worm.Win32.VB.an
D:\Program Files\Shareaza\Downloads 3\Total Video Converter v2.1.zip Infected: Worm.Win32.VB.an
D:\Program Files\Shareaza\Downloads 3\VSO DivXToDVD 1.99.12.zip/Setup.exe Infected: Worm.Win32.VB.an
D:\Program Files\Shareaza\Downloads 3\VSO DivXToDVD 1.99.12.zip Infected: Worm.Win32.VB.an

Scan process completed.
 

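The Kaspersky report above counts 119 infected objects, but many of them are nested: the scanner names objects inside archives, installers and mail stores with `/` after the container file, so one `.pst`, `.zip` or `.exe` on disk can produce several lines. Where the container sits (a mail store's Deleted Items, the HijackThis backup folder, the browser cache, a P2P download folder) also says a lot about what still needs attention. The following is an added example, not code from the thread or from Kaspersky: it parses a constructed excerpt of that report (object paths copied from it, with sender e-mail addresses replaced by a placeholder), collapses nested objects to their on-disk container, and summarizes by location class and by malware family. The location rules and the family naming (dropping the last dotted variant component) are assumptions of this example.

```python
import re
from collections import Counter

# Constructed excerpt in the shape of the Kaspersky On-line Scanner report
# posted above; sender addresses are replaced by a placeholder.
SAMPLE_REPORT = r"""
Infected Object Name - Virus Name
C:\!KillBox\pokapoka76.exe Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/25 Apr 2004 16:35 from sender@example.invalid:fake/me.zip/me.doc.pif Infected: Email-Worm.Win32.NetSky.b
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/25 Apr 2004 16:35 from sender@example.invalid:fake/me.zip Infected: Email-Worm.Win32.NetSky.b
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FBB0AB04-5D34-4CE0-8B3F-822C16DF34AB}\Microsoft\Outlook Express\Deleted Items.dbx/[From sender@example.invalid][Date Sun, 28 Mar 2004 02:52:32 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Kimberley\Local Settings\Temporary Internet Files\Content.IE5\0TOQ7V1Y\drsmartload[1].exe Infected: Trojan-Downloader.Win32.VB.ri
C:\HJT\backups\backup-20050701-091405-678-atom.exe Infected: Trojan-Spy.Win32.KeyLogger.dh
C:\WINNT\system32\ntsf.exe Infected: Backdoor.Win32.Rbot.gen
D:\Program Files\Shareaza\Downloads 3\Dungeon Siege 2 KEYGEN.rar/DS2keygen.exe Infected: Backdoor.Win32.Rbot.gen
D:\Program Files\Shareaza\Downloads 3\Dungeon Siege 2 KEYGEN.rar Infected: Backdoor.Win32.Rbot.gen

Scan process completed.
"""

# "<object> Infected: <name>" or "<object> Suspicious: <name>"
LINE_RE = re.compile(r"^(?P<obj>.+) (?P<verdict>Infected|Suspicious): (?P<name>\S+)$")


def container_of(obj):
    """Top-level on-disk file: Kaspersky separates nested objects with '/'."""
    return obj.split("/", 1)[0]


def family_of(name):
    """Drop the trailing variant: Email-Worm.Win32.NetSky.b -> Email-Worm.Win32.NetSky."""
    return name.rsplit(".", 1)[0]


def classify(container):
    """Location class of an on-disk container (rules assumed for this example)."""
    low = container.lower()
    if "\\!killbox\\" in low:
        return "quarantine folder"
    if "\\hjt\\backups\\" in low:
        return "HijackThis backup"
    if "\\temporary internet files\\" in low:
        return "browser cache"
    if "\\shareaza\\" in low:
        return "P2P download folder"
    if low.endswith((".pst", ".dbx")):
        return "mail store"
    return "other on-disk file"


def parse_report(text):
    """Return one record per report line that names an infected/suspicious object."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            obj = m.group("obj")
            records.append({"object": obj, "container": container_of(obj),
                            "verdict": m.group("verdict"), "name": m.group("name"),
                            "family": family_of(m.group("name"))})
    return records


def summarize(records):
    """Collapse nested objects to files and count by location class and family."""
    containers = {r["container"] for r in records}
    return {
        "objects": len(records),                 # what the scanner counts
        "files": len(containers),                # distinct files on disk
        "files_by_location": Counter(classify(c) for c in containers),
        "objects_by_family": Counter(r["family"] for r in records),
        "verdicts": Counter(r["verdict"] for r in records),
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print(f"{summary['objects']} objects in {summary['files']} files")
    for location, n in summary["files_by_location"].most_common():
        print(f"  {n:3d}  {location}")
    for family, n in summary["objects_by_family"].most_common():
        print(f"  {n:3d}  {family}")
```

On the excerpt, ten reported objects collapse to seven files, and only one of them (`C:\WINNT\system32\ntsf.exe`) is outside quarantine, backups, caches, mail stores or a download folder; on the full report the same split separates the still-active components from leftovers that a mail client or cache purge will remove.
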
1,036 Posts
Hello again. Your log seems better already, but there's still some job to be done.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Download LQfix and save it to your desktop. Extract the file to your desktop but do not use it yet!

Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. Do NOT run it yet.

Download CleanUp! and install it. Do NOT run it yet.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Double-click LQfix.bat that you saved on your desktop earlier.
A DOS window will open and close again; this is normal.

Next run a full scan in Ewido. Save the log from the scan, and post in here on your next reply.

WARNING - CleanUp! will delete all files and folders contained within Temporary Directories. If you knowingly have items you would like to keep stored in these locations, move them now!!!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
1) Click "Options..."
2) Move the arrow down to "Custom CleanUp!"
3) Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
4) Uncheck the following:
  • Scan local drives for temporary files
5) Click OK
6) Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Reboot your system in Normal Mode.

After you have rebooted, please perform an online scan with Internet Explorer at one of the following sites:
Take note the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Now give us a new HijackThis Analyzer log, along with Kaspersky Online Scanner/Panda ActiveScan's log and Ewido's log, so we can make sure your system is clean.
 

30 Posts
Discussion Starter #7
Ewido/HJT Analyzer

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:50:44 PM, 10/27/2005
+ Report-Checksum: C55E95DD

+ Scan result:

HKU\S-1-5-21-1202660629-1580818891-1343024091-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} -> Spyware.SideFind : Ignored
[284] C:\WINNT\system32\stmapi.dll -> Spyware.Look2Me : Ignored
[536] C:\WINNT\system32\stmapi.dll -> Spyware.Look2Me : Ignored
HKLM\SOFTWARE\KMiNT21 -> Spyware.DesktopSpyAgent : Cleaned with backup
C:\!KillBox\pokapoka76.exe -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\Administrator\ActiveTaskLog.html -> Worm.Gedza : Cleaned with backup
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\6.0\Updater\udstore.js -> Worm.Gedza : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mrlbfe56.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mrlbfe56.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mrlbfe56.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mrlbfe56.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mrlbfe56.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mrlbfe56.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mrlbfe56.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mrlbfe56.default\cookies.txt -> Spyware.Cookie.Goldenpalace : Cleaned with backup
C:\Documents and Settings\Administrator\My Documents\honda.htm -> Worm.Gedza : Cleaned with backup
C:\Documents and Settings\Administrator\My Documents\honda_files\hmatt.htm -> Worm.Gedza : Cleaned with backup
C:\Documents and Settings\Administrator\My Documents\My Webs\aboutmepage.htm -> Worm.Gedza : Cleaned with backup
C:\Documents and Settings\Administrator\My Documents\My Webs\gamesmusicpage.htm -> Worm.Gedza : Cleaned with backup
C:\Documents and Settings\Administrator\My Documents\My Webs\index.htm -> Worm.Gedza : Cleaned with backup
C:\Documents and Settings\Administrator\My Documents\My Webs\picturespage.htm -> Worm.Gedza : Cleaned with backup
C:\Documents and Settings\Administrator\My Documents\My Webs\_vti_cnf\aboutmepage.htm -> Worm.Gedza : Cleaned with backup
C:\Documents and Settings\Administrator\My Documents\My Webs\_vti_cnf\gamesmusicpage.htm -> Worm.Gedza : Cleaned with backup
C:\Documents and Settings\Administrator\My Documents\My Webs\_vti_cnf\index.htm -> Worm.Gedza : Cleaned with backup
C:\Documents and Settings\Administrator\My Documents\My Webs\_vti_cnf\picturespage.htm -> Worm.Gedza : Cleaned with backup
C:\Documents and Settings\Administrator\report.htm -> Worm.Gedza : Cleaned with backup
C:\Documents and Settings\Administrator\StartupLog.html -> Worm.Gedza : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Kimberley\Application Data\Mozilla\Firefox\Profiles\49befg6n.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Kimberley\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Kimberley\Cookies\[email protected][2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Kimberley\Cookies\[email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Kimberley\Local Settings\Temp\10224228_1800_1804_1912_76.41.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\Kimberley\Local Settings\Temp\1049442_1180_528_632_76.41.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\Kimberley\Local Settings\Temp\393332_1704_1492_1056_76.41.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\Kimberley\Local Settings\Temp\6489084_2147888912_1492_1804_76.41.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\Kimberley\Local Settings\Temp\7209564_1704_1804_2352_76.41.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\Kimberley\Local Settings\Temp\917578_1800_1804_2400_76.41.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\Kimberley\Local Settings\Temp\917578_2147888912_1492_2512_76.41.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\Kimberley\Local Settings\Temp\jfghjhhfgudk.exe -> TrojanDownloader.IstBar.lw : Cleaned with backup
C:\Documents and Settings\Kimberley\Local Settings\Temporary Internet Files\Content.IE5\0TOQ7V1Y\drsmartload[1].exe -> Spyware.SmartLoad : Cleaned with backup
C:\Documents and Settings\Kimberley\Local Settings\Temporary Internet Files\Content.IE5\0TOQ7V1Y\istdownload[1].exe -> TrojanDownloader.IstBar.lw : Cleaned with backup
C:\Documents and Settings\Kimberley\Local Settings\Temporary Internet Files\Content.IE5\0TOQ7V1Y\ysbinstall_1003585[1].exe -> TrojanDownloader.IstBar.is : Cleaned with backup
C:\Documents and Settings\Kimberley\Local Settings\Temporary Internet Files\Content.IE5\KA797I3Q\installer[1].exe -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Kimberley\Local Settings\Temporary Internet Files\Content.IE5\KA797I3Q\SAcc.prod.v1116.20oct2005.exe[1] -> Spyware.SurfAccuracy : Cleaned with backup
C:\Documents and Settings\Kimberley\Local Settings\Temporary Internet Files\Content.IE5\SUHFU027\bridge-c10[1].cab/MediaGatewayX.dll -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Kimberley\My Documents\b-1cli11.zip/start.exe/run.exe -> TrojanDownloader.IstBar.is : Cleaned with backup
C:\drsmartload.exe -> Spyware.SmartLoad : Cleaned with backup
C:\HJT\backups\backup-20041003-194116-539.dll -> Spyware.MediaTickets : Cleaned with backup
C:\HJT\backups\backup-20050118-190454-155.dll -> TrojanDownloader.Domcom.a : Cleaned with backup
C:\HJT\backups\backup-20050118-190644-800.dll -> Trojan.P2E.aj : Cleaned with backup
C:\HJT\backups\backup-20050119-074556-666.dll -> Spyware.Toolbar.j : Cleaned with backup
C:\HJT\backups\backup-20050119-074557-875.dll -> Spyware.Puper : Cleaned with backup
C:\HJT\backups\backup-20050701-091405-678-atom.exe -> TrojanSpy.KeyLogger.dh : Cleaned with backup
C:\HJT\backups\backup-20050701-091406-996-atom.exe -> TrojanSpy.KeyLogger.dh : Cleaned with backup
C:\installer.exe -> Spyware.Look2Me : Cleaned with backup
C:\mte3ndi6odoxng.exe -> Spyware.ISearch : Cleaned with backup
C:\Program Files\Common Files\Windows\services32.exe -> Spyware.Maxifiles : Cleaned with backup
C:\Program Files\MSN Messenger\MsgPlus-221.exe/70000011.exe -> TrojanDownloader.Swizzor.g : Cleaned with backup
C:\Program Files\winupdate\winupdate.exe -> Trojan.Crypt.e : Cleaned with backup
C:\Program Files\winupdates\a.tmp -> Worm.VB.an : Cleaned with backup
C:\Program Files\winupdates\a.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Program Files\winupdates\winupdates.exe -> Worm.VB.an : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINDOWS\msresearch.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\sp2update00.exe -> TrojanDownloader.VB.nh : Cleaned with backup
C:\WINDOWS\SYSTEM32\dllcache\win32\csrss.exe -> Backdoor.ServU-based : Cleaned with backup
C:\WINDOWS\SYSTEM32\dllcache\win32\services.exe -> Backdoor.Iroffer.b : Cleaned with backup
C:\WINNT\Downloaded Program Files\RCX15F.tmp -> Spyware.180Solutions : Cleaned with backup
C:\WINNT\drsmartload105a.exe -> TrojanDownloader.VB.qr : Cleaned with backup
C:\WINNT\ga.exe -> TrojanDownloader.Small.ayl : Cleaned with backup
C:\WINNT\S2ltYmVybGV5\command.exe -> Adware.CommAd : Cleaned with backup
C:\WINNT\system32\hitplug.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\ntsf.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINNT\system32\p2pnetworking.exe -> Backdoor.Rbot.rc : Cleaned with backup
C:\ysbinstall_1003585.exe -> TrojanDownloader.IstBar.is : Cleaned with backup

::Report End

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 2:56:38 PM, on 10/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\system32\ati2sgag.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Net Nanny\nnsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.the818search-co.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.aaawebfinder.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.aaawebfinder.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.aaawebfinder.com/sp2.php
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\Daemon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [areslite] "D:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: IPConfTSP - C:\WINNT\system32\hr2u05f9e.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\S2ltYmVybGV5\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NNSvc - Net Nanny Software International, Inc. - D:\Program Files\Net Nanny\nnsvc.exe


End of KRC HijackThis Analyzer Log.
====================================================================
 

TSF Security Manager, Emeritus · 52,197 Posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do NOT run it yet.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.

Download, install & launch - Webroot SpySweeper (Trial) (8.3 MB)

When SpySweeper starts, please accept any prompts to update definitions. Once updated, close SpySweeper and DISCONNECT from the internet.

Click Start->Run - type SERVICES.MSC & then click on the OK button
  1. Locate the service - Command Service (cmdService)
  2. Double-click on it to open the Properties dialog.
    • Under the General tab, note down the name of "Service name". We shall need it later.
    • Stop the service by using the Stop button.
    • Change the Startup type to Disabled & then click on the OK button
  3. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  4. In the popup box that appears, type in "Service name" & then click on the OK button


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Launch SpySweeper & select Sweep from the left pane & click on the Start button.
Allow Spysweeper to reboot your machine to remove the infected files.
After rebooting, launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.

Post that in your next reply along with a new HJT log.

IMPORTANT
  • Disconnect your computer from the internet before you begin scanning.
  • Close all unnecessary programs before starting.
  • Do not use your computer as you scan.

 

Registered · 30 Posts · Discussion Starter #10
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 6:54:34 AM, on 10/29/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\system32\savedump.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Net Nanny\nnsvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.the818search-co.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.aaawebfinder.com/sp2.php
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\Daemon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [areslite] "D:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NNSvc - Net Nanny Software International, Inc. - D:\Program Files\Net Nanny\nnsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


End of KRC HijackThis Analyzer Log.
====================================================================



********
6:25 AM: | Start of Session, Saturday, October 29, 2005 |
6:25 AM: Spy Sweeper started
6:25 AM: Sweep initiated using definitions version 564
6:25 AM: Starting Memory Sweep
6:26 AM: Found Adware: icannnews
6:26 AM: Detected running threat: C:\WINNT\system32\l4p2le7o1h.dll (ID = 83)
6:27 AM: Detected running threat: C:\WINNT\system32\mol_hp.dll (ID = 83)
6:27 AM: Memory Sweep Complete, Elapsed Time: 00:01:19
6:27 AM: Starting Registry Sweep
6:27 AM: Found System Monitor: netnanny chat monitor
6:27 AM: HKCR\nnsvc.usermanager\ (3 subtraces) (ID = 595233)
6:27 AM: HKCR\nnsvc.usermanager\clsid\ (1 subtraces) (ID = 595235)
6:27 AM: HKCR\nnsvc.usermanager.1\ (3 subtraces) (ID = 595237)
6:27 AM: HKCR\nnsvc.usermanager.1\clsid\ (1 subtraces) (ID = 595239)
6:27 AM: HKCR\appid\nnsvc.exe\ (1 subtraces) (ID = 595241)
6:27 AM: HKLM\software\net nanny software, inc.\ (8 subtraces) (ID = 595246)
6:27 AM: HKLM\software\net nanny software, inc.\net nanny\ (7 subtraces) (ID = 595247)
6:27 AM: HKLM\software\net nanny software, inc.\net nanny\5\ (6 subtraces) (ID = 595248)
6:27 AM: HKLM\software\net nanny software, inc.\net nanny\5\ || processhashstring (ID = 595249)
6:27 AM: HKLM\software\net nanny software, inc.\net nanny\5\ || hasappdirectory (ID = 595250)
6:27 AM: HKLM\software\net nanny software, inc.\net nanny\5\ || activated (ID = 595251)
6:27 AM: HKLM\software\net nanny software, inc.\net nanny\5\ || shell_object_folder (ID = 595253)
6:27 AM: HKLM\software\net nanny software, inc.\net nanny\5\ || path (ID = 595254)
6:27 AM: HKLM\software\nns\ (4 subtraces) (ID = 595256)
6:27 AM: HKLM\software\nns\5\ (3 subtraces) (ID = 595257)
6:27 AM: HKLM\software\nns\5\ || a (ID = 595258)
6:27 AM: HKLM\software\microsoft\windows\currentversion\app paths\nnsvc.exe\ (2 subtraces) (ID = 595276)
6:27 AM: HKLM\software\microsoft\windows\currentversion\app paths\nnsvc.exe\ || path (ID = 595277)
6:27 AM: HKLM\software\microsoft\windows\currentversion\uninstall\{51945e07-120d-4e78-a368-c4c8d5042d21}\ (4 subtraces) (ID = 612464)
6:27 AM: Found Adware: ist sidefind
6:27 AM: HKU\S-1-5-21-1202660629-1580818891-1343024091-1000\software\microsoft\internet explorer\explorer bars\{8cba1b49-8144-4721-a7b1-64c578c9eed7}\ (ID = 141777)
6:27 AM: Found Adware: targetsaver
6:27 AM: HKU\S-1-5-21-1202660629-1580818891-1343024091-1000\software\tsl2\ (1 subtraces) (ID = 143616)
6:27 AM: Found Adware: the818search-co.com hijack
6:27 AM: HKU\S-1-5-21-1202660629-1580818891-1343024091-1000\software\microsoft\internet explorer\ || searchurl (ID = 751006)
6:27 AM: Found Adware: elitebar aaawebfinder.com hijack
6:27 AM: HKU\S-1-5-21-1202660629-1580818891-1343024091-1000\software\microsoft\internet explorer\main\ || search page (ID = 835753)
6:27 AM: HKU\S-1-5-21-1202660629-1580818891-1343024091-1000\software\microsoft\internet explorer\main\ || search bar (ID = 835754)
6:27 AM: HKU\S-1-5-21-1202660629-1580818891-1343024091-1000\software\microsoft\internet explorer\search\ || searchassistant (ID = 835755)
6:27 AM: Registry Sweep Complete, Elapsed Time:00:00:21
6:27 AM: Starting Cookie Sweep
6:27 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:27 AM: Starting File Sweep
6:28 AM: Found Adware: hotbar
6:28 AM: c:\program files\hbinst (ID = -2147480873)
6:28 AM: c:\documents and settings\all users.winnt\start menu\programs\net nanny 5 (6 subtraces) (ID = -2147475694)
6:28 AM: Found Adware: winactive
6:28 AM: activate desktop.lnk (ID = 89214)
6:29 AM: activate desktop.lnk (ID = 89214)
6:29 AM: Found Adware: purityscan
6:29 AM: backup-20041003-194116-539.inf (ID = 73158)
6:29 AM: Found Adware: instant access
6:29 AM: nocreditcard.lnk (ID = 63899)
6:36 AM: Found Trojan Horse: trojan downloader matcash
6:36 AM: autoit3.exe (ID = 119348)
6:36 AM: Found Adware: apropos
6:36 AM: atmtd.dll (ID = 166754)
6:36 AM: 113_dollarrevenue_4_0_3_9.exe (ID = 166444)
6:36 AM: atmtd.dll._ (ID = 166754)
6:37 AM: Found Adware: gain-supported software
6:37 AM: gain publishing web site.url (ID = 61372)
6:37 AM: Found Adware: 180search assistant/zango
6:37 AM: backup-20050801-145257-439.inf (ID = 70515)
6:43 AM: File Sweep Complete, Elapsed Time: 00:15:24
6:43 AM: Full Sweep has completed. Elapsed time 00:17:09
6:43 AM: Traces Found: 89
********
5:44 AM: | Start of Session, Saturday, October 29, 2005 |
5:44 AM: Spy Sweeper started
5:44 AM: Messenger service has been disabled.
5:44 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:44 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:44 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:44 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:44 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:44 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:44 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:44 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:44 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:44 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:44 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:44 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:44 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:44 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:45 AM: Your spyware definitions have been updated.
5:46 AM: Sent error log: C:\Documents and Settings\Kimberley\Application Data\Webroot\Spy Sweeper\Logs\bugreport.txt
5:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
6:25 AM: Program Version 4.5.5 (Build 607) Using Spyware Definitions 564
6:25 AM: | End of Session, Saturday, October 29, 2005 |
 

TSF Security Manager, Emeritus · 52,197 Posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

S& D Spybot's Tea Timer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

Ad-Aware's AdWatch

Please disable Webroot SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable Webroot SpySweeper:
  • Go to the Options>Program Options
  • Uncheck Load at Windows Startup
  • Click Shields & uncheck all items there
  • Uncheck Home page shield.
  • Uncheck Automatically restore default without notification

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

Download L2MFix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2MFix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.the818search-co.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.aaawebfinder.com/sp2.php
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -


Restart in normal mode.

Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now; this begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan


Restart and run a new HijackThis scan. Save the log file and post it here.

Please return with results from:

L2Mfix
Panda ActiveScan
HJT
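The R1 / O16 / O20 / O23 lines the helper singles out above (and the dead cmdService entry from the earlier post) can be picked out mechanically. The script below is an added example, not code from this thread, from HijackThis or from the KRC analyzer; the search-host allowlist and the random-name heuristic are assumptions, and the sample log is constructed from lines in this thread.

```python
"""HijackThis log triage: an added example, not code from this thread, from
HijackThis or from KRC HijackThis Analyzer.

It parses the R1 / O16 / O20 / O23 lines of a HijackThis 1.99 log and flags
the kinds of entries a helper picks out by hand: IE search settings pointing
at an unfamiliar host (R1), ActiveX entries with no name or download URL
(O16), Winlogon Notify DLLs with random-looking names (O20) and services
whose binary is missing (O23). It also reports path components that are
plain base64: in this thread the CommAd service lived in C:\WINNT\S2ltYmVybGV5,
which decodes to the profile name "Kimberley".
"""
import base64
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the logs in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.the818search-co.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.aaawebfinder.com/sp2.php
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O20 - Winlogon Notify: IPConfTSP - C:\WINNT\system32\hr2u05f9e.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\S2ltYmVybGV5\command.exe (file missing)
O23 - Service: NNSvc - Net Nanny Software International, Inc. - D:\Program Files\Net Nanny\nnsvc.exe
"""

# Assumed allowlist of search providers an IE6 box might legitimately use (not an HJT rule).
KNOWN_SEARCH_HOSTS = {"www.msn.com", "search.msn.com", "www.google.com", "www.microsoft.com"}

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
O16_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<name>[^)]*)\))? - ?(?P<url>\S*)$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def parse_hjt(text):
    """Return (section, body) pairs for every R/F/O entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def looks_random(stem):
    """Heuristic (assumption): all-lowercase alphanumeric stem, 6-12 chars, at least two digits."""
    return bool(re.fullmatch(r"[a-z0-9]{6,12}", stem)) and sum(c.isdigit() for c in stem) >= 2


def decoded_path_component(path):
    """Return (component, decoded) if a path component base64-decodes to printable ASCII, else None."""
    for part in re.split(r"[\\/]", path):
        if B64_RE.match(part) and len(part) % 4 == 0:
            try:
                raw = base64.b64decode(part, validate=True)
            except ValueError:
                continue
            if raw and all(32 <= b < 127 for b in raw):
                return part, raw.decode("ascii")
    return None


def triage(text):
    """Return a list of (section, reason, body) for entries worth a second look."""
    findings = []
    for section, body in parse_hjt(text):
        if section in ("R0", "R1") and " = " in body:
            url = body.split(" = ", 1)[1].strip()
            host = urlparse(url).hostname or ""
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append((section, f"IE search setting points at unfamiliar host {host}", body))
        elif section == "O16":
            m = O16_RE.match(body)
            if m and (not m.group("name") or not m.group("url")):
                findings.append((section, "ActiveX entry with no name or download URL (orphaned control)", body))
        elif section == "O20":
            dll = body.rsplit("\\", 1)[-1]
            if looks_random(dll.rsplit(".", 1)[0]):
                findings.append((section, f"Winlogon Notify DLL with random-looking name {dll}", body))
        elif section == "O23":
            if body.endswith("(file missing)"):
                findings.append((section, "service registered but binary missing (delete the NT service)", body))
            hit = decoded_path_component(body)
            if hit:
                findings.append((section, f"path component {hit[0]} is base64 for '{hit[1]}'", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {body}")
```

Run against the sample, the script reports both R1 hijacks, the nameless O16 control, the hr2u05f9e.dll Notify entry and the missing cmdService binary; the allowlist is the first thing to adjust for a different machine.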
 