
Discussion Starter · #1 ·
When I open Internet Explorer, it goes to a search page while the address bar says about:blank, and I get many popups, even when I'm not in Internet Explorer...
Here is the log:


Logfile of HijackThis v1.99.1
Scan saved at 14:44:58, on 12/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\csrss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\Explorer.EXE
C:\WINXP\system32\spoolsv.exe
C:\WINXP\system32\RUNDLL32.EXE
C:\WINXP\system32\DeltTray.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\[email protected]\[email protected]
C:\WINXP\system32\rundll32.exe
C:\WINXP\system32\apidf.exe
G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
G:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINXP\System32\cisvc.exe
C:\WINXP\system32\nvsvc32.exe
C:\WINXP\system32\wdfmgr.exe
G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
G:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINXP\System32\alg.exe
C:\WINXP\system32\ipbl32.exe
G:\downloads2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINXP\system32\stegb.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINXP\system32\stegb.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINXP\system32\stegb.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINXP\system32\stegb.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINXP\system32\stegb.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINXP\system32\stegb.dll/sp.html#17702
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINXP\system32\stegb.dll/sp.html#17702
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {2097D907-4A52-F6E0-7B61-6102FD481A0D} - C:\WINXP\system32\appcy32.dll
O2 - BHO: Class - {25905868-4B4C-1C89-33B0-5AD071543EAD} - C:\WINXP\system32\ipwc.dll
O2 - BHO: Class - {2FF78988-4A8F-F6A3-AA6D-714AD23DD78A} - C:\WINXP\ieya32.dll
O2 - BHO: Class - {366EE1F3-D08C-CDBF-5370-CAE8E0E66FA5} - C:\WINXP\system32\ielw32.dll
O2 - BHO: Class - {3680B5BA-02DA-86A5-9E36-DD513DBF72B3} - C:\WINXP\system32\mfcvi.dll
O2 - BHO: Class - {45118BA8-B437-7B6D-2115-698455E941F4} - C:\WINXP\addlx32.dll
O2 - BHO: Class - {55FF75B6-7B54-B982-9B64-C88197CE8C87} - C:\WINXP\system32\mfcof.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - G:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Class - {61CBC0B5-64A7-3683-97EB-9CF46CA2563C} - C:\WINXP\system32\sdkqp32.dll
O2 - BHO: Class - {622B92E1-D629-11FB-FBF5-1BFA6825D1D0} - C:\WINXP\addwe.dll
O2 - BHO: Class - {71DBFCAC-6674-EAE7-7114-77073960FE17} - C:\WINXP\winnd32.dll
O2 - BHO: Class - {7A9935DE-F8D0-077A-8898-BCDF460D7BA9} - C:\WINXP\system32\ntul32.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - G:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Class - {C872D83D-2CD0-46E0-41D1-3F6EF24A8004} - C:\WINXP\system32\sdklk32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINXP\System32\DeltTray.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [atlug.exe] C:\WINXP\atlug.exe
O4 - HKLM\..\Run: [ipbl32.exe] C:\WINXP\system32\ipbl32.exe
O4 - HKCU\..\Run: [seticlient] C:\Program Files\[email protected]\[email protected] -min
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - G:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {51C98AC0-31D3-4049-B659-24389E0D94E3} (TCM3Control Control) - http://video.icellcom.co.il/TCM3Viewer.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/BlogTVU/launcher.cab
O23 - Service: Network Security Service ( 11Fה#·÷ִײ`I) - Unknown owner - C:\WINXP\system32\apidf.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\Maty Golovaty.MATY.001\Desktop\SFUninstaller.exe" service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINXP\system32\ZONELABS\vsmon.exe




Please help me if you can....
 

TSF Security Manager, Emeritus
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Please download Ad-aware at http://www.lavasoftusa.com/ and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go to http://www.lavasoftusa.com/software/addons/vx2cleaner.shtml to download the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware at http://www.greyknight17.com/spyware.htm#adaware for better scan results. Run the scan and fix everything that it finds.

Download CWShredder at http://www.greyknight17.com/spy/CWShredder.exe. Do not run it yet.

Download and save to your C: drive HSfix.zip
Unzip the contents of HSFix.zip and an HSFix directory will be created
We'll need this later.

Download AboutBuster http://www.greyknight17.com/spy/AboutBuster.zip and unzip the files to a folder on your Desktop. You will use this later.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Click Start->Run - type SERVICES.MSC & then click on the OK button
  1. Locate the service - Network Security Service ( 11F??#·÷??`I)
  2. Double-click on it to open the Properties dialog.
    • Under the General tab, note down the name of "Service name". We shall need it later.
    • Stop the service by using the Stop button.
    • Change the Startup type to Disabled & then click on the OK button
  3. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  4. In the popup box that appears, type in "Service name" & then click on the OK button

Please go to the HSFix directory and double-click on HSFix.bat.
It will produce a log file, located here: C:\hslog.txt
Please post that log.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINXP\system32\stegb.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINXP\system32\stegb.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINXP\system32\stegb.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINXP\system32\stegb.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINXP\system32\stegb.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINXP\system32\stegb.dll/sp.html#17702
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINXP\system32\stegb.dll/sp.html#17702
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2097D907-4A52-F6E0-7B61-6102FD481A0D} - C:\WINXP\system32\appcy32.dll
O2 - BHO: Class - {25905868-4B4C-1C89-33B0-5AD071543EAD} - C:\WINXP\system32\ipwc.dll
O2 - BHO: Class - {2FF78988-4A8F-F6A3-AA6D-714AD23DD78A} - C:\WINXP\ieya32.dll
O2 - BHO: Class - {366EE1F3-D08C-CDBF-5370-CAE8E0E66FA5} - C:\WINXP\system32\ielw32.dll
O2 - BHO: Class - {3680B5BA-02DA-86A5-9E36-DD513DBF72B3} - C:\WINXP\system32\mfcvi.dll
O2 - BHO: Class - {45118BA8-B437-7B6D-2115-698455E941F4} - C:\WINXP\addlx32.dll
O2 - BHO: Class - {55FF75B6-7B54-B982-9B64-C88197CE8C87} - C:\WINXP\system32\mfcof.dll
O2 - BHO: Class - {61CBC0B5-64A7-3683-97EB-9CF46CA2563C} - C:\WINXP\system32\sdkqp32.dll
O2 - BHO: Class - {622B92E1-D629-11FB-FBF5-1BFA6825D1D0} - C:\WINXP\addwe.dll
O2 - BHO: Class - {71DBFCAC-6674-EAE7-7114-77073960FE17} - C:\WINXP\winnd32.dll
O2 - BHO: Class - {7A9935DE-F8D0-077A-8898-BCDF460D7BA9} - C:\WINXP\system32\ntul32.dll
O2 - BHO: Class - {C872D83D-2CD0-46E0-41D1-3F6EF24A8004} - C:\WINXP\system32\sdklk32.dll
O4 - HKLM\..\Run: [atlug.exe] C:\WINXP\atlug.exe
O4 - HKLM\..\Run: [ipbl32.exe] C:\WINXP\system32\ipbl32.exe
O23 - Service: Network Security Service ( 11F??#·÷??`I) - Unknown owner - C:\WINXP\system32\apidf.exe


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINXP\system32\stegb.dll
C:\WINXP\system32\appcy32.dll
C:\WINXP\system32\ipwc.dll
C:\WINXP\ieya32.dll
C:\WINXP\system32\ielw32.dll
C:\WINXP\system32\mfcvi.dll
C:\WINXP\addlx32.dll
C:\WINXP\system32\mfcof.dll
C:\WINXP\system32\sdkqp32.dll
C:\WINXP\addwe.dll
C:\WINXP\winnd32.dll
C:\WINXP\system32\ntul32.dll
C:\WINXP\system32\sdklk32.dll
C:\WINXP\atlug.exe
C:\WINXP\system32\ipbl32.exe


Run CWShredder now. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Run AboutBuster and click Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Restart and run a new HijackThis scan. Save the log file and post it here.

Perform an online scan with Panda ActiveScan (requires Internet Explorer):

  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
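The fix list above is built by eye: every entry it names shares a structural tell (an IE search page served out of a local DLL via res://, a missing URLSearchHook, BHOs registered under the bare name "Class", Run entries named after their own randomly-named executable, and a service with an unknown owner and a garbage name). The script below is an added example, not part of this thread or of HijackThis, that applies those same tells to HijackThis 1.99 log lines and derives the file list to delete afterwards. The heuristics are this editor's assumptions; the sample lines are copied from the first log in the thread, with a few benign entries kept so the filter has something to pass.

```python
import re

# Constructed sample: lines copied from the first HijackThis log in this
# thread, plus benign entries (Acrobat BHO, QuickTime, NVIDIA) as controls.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINXP\system32\stegb.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {2097D907-4A52-F6E0-7B61-6102FD481A0D} - C:\WINXP\system32\appcy32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ipbl32.exe] C:\WINXP\system32\ipbl32.exe
O23 - Service: Network Security Service ( 11F??#·÷??`I) - Unknown owner - C:\WINXP\system32\apidf.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
"""

# HijackThis line shapes (assumed from the logs in this thread, not from an
# official grammar): "<kind> - <body>", then per-kind sub-patterns.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
RES_DLL_RE = re.compile(r"=\s*res://(?P<dll>.+?\.dll)/", re.I)
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")
SVC_RE = re.compile(r"^Service: (?P<display>.+?)(?: \((?P<short>.*?)\))? - (?P<owner>.+?) - (?P<path>.+)$")
# A real service short name is letters, digits, underscore, dot, space, ! or -.
SAFE_SERVICE_NAME_RE = re.compile(r"^[\w .!-]+$")


def first_executable(cmd: str) -> str:
    """Return the program path from a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    parts = cmd.split()
    return parts[0] if parts else ""


def triage(log: str):
    """Return (findings, paths).

    findings: (line, reason) for each entry that matches one of the tells;
    paths:    the on-disk files those entries load, i.e. the delete list to
              work through after 'Fix checked' in HijackThis.
    """
    findings, paths = [], []

    def flag(line, reason, path=None):
        findings.append((line, reason))
        if path:
            paths.append(path)

    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")

        if kind in ("R0", "R1"):
            r = RES_DLL_RE.search(body)
            if r:  # search/start page rendered from a DLL resource on disk
                flag(line, "IE search/start page served from a local DLL resource", r.group("dll"))
        elif kind == "R3" and "URLSearchHook is missing" in body:
            flag(line, "default URLSearchHook removed; restore it")
        elif kind == "O2":
            b = BHO_RE.match(body)
            if b and b.group("name").strip() in ("", "Class"):
                flag(line, "BHO registered with no descriptive name", b.group("path"))
        elif kind == "O4":
            r = RUN_RE.match(body)
            if r:
                exe = first_executable(r.group("cmd"))
                # Loaders here register the Run value under their own file name.
                if exe and r.group("name").lower() == exe.rsplit("\\", 1)[-1].lower():
                    flag(line, "Run entry named after its own executable", exe)
        elif kind == "O23":
            s = SVC_RE.match(body)
            if (s and s.group("owner") == "Unknown owner"
                    and s.group("short") is not None
                    and not SAFE_SERVICE_NAME_RE.match(s.group("short"))):
                flag(line, "unknown-owner service with a garbage service name", s.group("path"))

    return findings, sorted(set(paths))


if __name__ == "__main__":
    found, delete_list = triage(SAMPLE_LOG)
    for entry, why in found:
        print(f"FIX  {entry}\n     -> {why}")
    print("\nFiles to remove once the entries are fixed:")
    for p in delete_list:
        print("  ", p)
```

The script is a triage aid, not a verdict: it only flags entries with a structural tell, so the `about:blank` Default_Page_URL line is left to the analyst (it is a value, not a loader), and the Acrobat, QuickTime and NVIDIA controls pass. Run it over a full log and compare its delete list with the one the analyst wrote by hand; any file on one list but not the other is worth a second look.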
 

Discussion Starter · #3 ·
Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 19:20:44, on 12/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\csrss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\Explorer.EXE
C:\WINXP\system32\spoolsv.exe
G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
G:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINXP\system32\RUNDLL32.EXE
C:\WINXP\System32\DeltTray.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\[email protected]\[email protected]
C:\WINXP\system32\ctfmon.exe
C:\WINXP\System32\cisvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINXP\system32\rundll32.exe
C:\WINXP\system32\nvsvc32.exe
C:\WINXP\system32\wdfmgr.exe
C:\WINXP\system32\ZONELABS\vsmon.exe
G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
G:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINXP\System32\alg.exe
C:\WINXP\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
G:\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - G:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - G:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINXP\System32\DeltTray.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [seticlient] C:\Program Files\[email protected]\[email protected] -min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - G:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {51C98AC0-31D3-4049-B659-24389E0D94E3} (TCM3Control Control) - http://video.icellcom.co.il/TCM3Viewer.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/BlogTVU/launcher.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\Maty Golovaty.MATY.001\Desktop\SFUninstaller.exe" service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINXP\system32\ZONELABS\vsmon.exe
 

TSF Security Manager, Emeritus
Much better!

Please run the Panda online scan if you haven't, or post results if you have. If results were null, please let me know that.

How is your system now, please?
 

Registered
Here is the report from pandasoftware.
Other than that, the system seems to run fine :)


Incident Status Location

Adware:Adware/Aureate-Radiate No disinfected C:\WINDOWS\SYSTEM\adimage.dll
Adware:Adware/Lop No disinfected C:\WINDOWS\Application Data\chblckessda.dll
Adware:Adware/BrilliantDigital No disinfected C:\Program Files\KaZaA Lite\bdcore.dll.updpnd
Virus:Eicar.Mod Renamed C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\eicar.html
Adware:adware/gator No disinfected C:\GatorPatch.log
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-128d0a9d-67587279.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-719af9bf-43c3c497.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-719af9bf-43c3c497.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-719af9bf-43c3c497.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-719af9bf-43c3c497.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1ea46247-54461beb.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1ea46247-54461beb.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1ea46247-54461beb.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1ea46247-54461beb.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-29f80a8d-1a41341c.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-29f80a8d-1a41341c.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-29f80a8d-1a41341c.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-29f80a8d-1a41341c.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-27f7ed28-4ed448a0.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-27f7ed28-4ed448a0.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-27f7ed28-4ed448a0.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-27f7ed28-4ed448a0.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-96d30d8-6d4b95b1.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-96d30d8-6d4b95b1.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-96d30d8-6d4b95b1.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-96d30d8-6d4b95b1.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-5ab40560-70886b0c.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-5ab40560-70886b0c.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-5ab40560-70886b0c.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-5ab40560-70886b0c.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-6cdbe9f1-5a3fc051.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-6cdbe9f1-5a3fc051.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-6cdbe9f1-5a3fc051.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-6cdbe9f1-5a3fc051.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-2d845bea.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-2d845bea.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-2d845bea.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-2d845bea.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-4c90a232.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-4c90a232.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-4c90a232.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-4c90a232.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-2d2fcfb-4317c2b5.zip[Dummy.class]
Virus:Trj/Classloader.G Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-2a1f473-413ba98a.zip[Beyond.class]
Virus:Trj/Classloader.G Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-2a1f473-413ba98a.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-2a1f473-413ba98a.zip[Dummy.class]
Virus:Trj/Classloader.G Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-2a1f473-413ba98a.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-5a4dfa50-6aa36e34.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-445834f2-522f7243.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-57722548-54ad80f8.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-3424e9ae-4a002082.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-1280b254-3fb77730.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Maty Golovaty.MATY.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-12ab912a-54162eec.class
Adware:Adware/Startpage.VQ No disinfected C:\System Volume Information\_restore{7A92D277-E81F-4C54-90CA-675738B4B2D3}\RP264\A0124220.dll
Adware:Adware/Startpage.VQ No disinfected C:\System Volume Information\_restore{7A92D277-E81F-4C54-90CA-675738B4B2D3}\RP264\A0125240.dll
Adware:Adware/Startpage.VQ No disinfected C:\System Volume Information\_restore{7A92D277-E81F-4C54-90CA-675738B4B2D3}\RP264\A0125241.DLL
Adware:Adware/Startpage.VQ No disinfected C:\System Volume Information\_restore{7A92D277-E81F-4C54-90CA-675738B4B2D3}\RP264\A0125242.dll
Adware:Adware/Startpage.VQ No disinfected C:\System Volume Information\_restore{7A92D277-E81F-4C54-90CA-675738B4B2D3}\RP264\A0125243.DLL
Adware:Adware/Startpage.VQ No disinfected C:\System Volume Information\_restore{7A92D277-E81F-4C54-90CA-675738B4B2D3}\RP264\A0125244.dll
Adware:Adware/Startpage.VQ No disinfected C:\System Volume Information\_restore{7A92D277-E81F-4C54-90CA-675738B4B2D3}\RP264\A0125245.DLL
Adware:Adware/Startpage.VQ No disinfected C:\System Volume Information\_restore{7A92D277-E81F-4C54-90CA-675738B4B2D3}\RP264\A0125246.dll
Adware:Adware/Startpage.VQ No disinfected C:\System Volume Information\_restore{7A92D277-E81F-4C54-90CA-675738B4B2D3}\RP264\A0125247.DLL
Adware:Adware/Startpage.VQ No disinfected C:\System Volume Information\_restore{7A92D277-E81F-4C54-90CA-675738B4B2D3}\RP264\A0125248.DLL
Adware:Adware/Startpage.VQ No disinfected C:\System Volume Information\_restore{7A92D277-E81F-4C54-90CA-675738B4B2D3}\RP264\A0125249.DLL
Adware:Adware/Startpage.VQ No disinfected C:\System Volume Information\_restore{7A92D277-E81F-4C54-90CA-675738B4B2D3}\RP264\A0125250.dll
Adware:Adware/SearchAid No disinfected C:\WINXP\system32\winll32.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\system32\apidf.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\system32\crjy32.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\system32\winrn.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\system32\javavg32.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\system32\netjm.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\system32\addoq.exe
Adware:adware/navipromo No disinfected C:\WINXP\system32\sdksb32.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\system32\msxd32.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\system32\appfy32.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\system32\d3tn32.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\system32\crep.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\system32\ntof32.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\system32\mshu32.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\system32\mfcbf32.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\system32\netsu.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\system32\atlij.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\system32\atlth32.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\system32\crgc.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\system32\iehp.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\system32\sysop.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\system32\javabb.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\goedkd.dat
Adware:Adware/SearchAid No disinfected C:\WINXP\zsgglo.log
Adware:Adware/SearchAid No disinfected C:\WINXP\jipvzh.dat
Adware:Adware/SearchAid No disinfected C:\WINXP\fhvbir.log
Adware:Adware/SearchAid No disinfected C:\WINXP\rkeocr.dat
Adware:Adware/SearchAid No disinfected C:\WINXP\javabi32.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\oloksh.txt
Adware:Adware/SearchAid No disinfected C:\WINXP\xfvgqh.dat
Adware:Adware/SearchAid No disinfected C:\WINXP\wxzvkc.txt
Adware:Adware/SearchAid No disinfected C:\WINXP\fitgcr.log
Adware:Adware/SearchAid No disinfected C:\WINXP\xoebcw.log
Adware:Adware/SearchAid No disinfected C:\WINXP\mizars.dat
Adware:Adware/SearchAid No disinfected C:\WINXP\lihdbd.dat
Adware:Adware/SearchAid No disinfected C:\WINXP\ifixid.dat
Adware:Adware/SearchAid No disinfected C:\WINXP\sdkkt.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\sysye.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\iejk.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\appom.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\appek.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\winkx32.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\iela.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\atltn.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\winjc.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\crhc.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\addci32.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\d3en.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\addjx.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\cbfsaj.log
Adware:Adware/SearchAid No disinfected C:\WINXP\apiem.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\apixx.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\sdkqq32.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\iema.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\gqggdw.dat
Adware:Adware/SearchAid No disinfected C:\WINXP\xywwzx.dat
Adware:Adware/SearchAid No disinfected C:\WINXP\vuyxcl.dat
Adware:Adware/SearchAid No disinfected C:\WINXP\ipzo.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\nvjcww.dat
Adware:Adware/SearchAid No disinfected C:\WINXP\appgu32.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\appcj.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\crtj32.exe
Adware:Adware/SearchAid No disinfected C:\WINXP\fjzujp.dat
Adware:Adware/SearchAid No disinfected C:\WINXP\cwrpwo.dat
Adware:Adware/SearchAid No disinfected C:\WINXP\wsbivj.dat
Adware:Adware/SearchAid No disinfected C:\WINXP\javazp32.exe
 

TSF Security Manager, Emeritus (52,197 Posts)
Not done yet.....

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Click on Start->Control Panel->Java Plug-in and click on the Cache tab. Then click on the Clear button and hit OK.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.


Download KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)


Launch KillBox.exe & select the following options:
  • delete on Reboot
Select all the filenames below & then right-click & select Copy
  • C:\WINDOWS\SYSTEM\adimage.dll
    C:\WINDOWS\Application Data\chblckessda.dll
    C:\WINXP\system32\winll32.exe
    C:\WINXP\system32\apidf.exe
    C:\WINXP\system32\crjy32.exe
    C:\WINXP\system32\winrn.exe
    C:\WINXP\system32\javavg32.exe
    C:\WINXP\system32\netjm.exe
    C:\WINXP\system32\addoq.exe
    C:\WINXP\system32\sdksb32.exe
    C:\WINXP\system32\msxd32.exe
    C:\WINXP\system32\appfy32.exe
    C:\WINXP\system32\d3tn32.exe
    C:\WINXP\system32\crep.exe
    C:\WINXP\system32\ntof32.exe
    C:\WINXP\system32\mshu32.exe
    C:\WINXP\system32\mfcbf32.exe
    C:\WINXP\system32\netsu.exe
    C:\WINXP\system32\atlij.exe
    C:\WINXP\system32\atlth32.exe
    C:\WINXP\system32\crgc.exe
    C:\WINXP\system32\iehp.exe
    C:\WINXP\system32\sysop.exe
    C:\WINXP\system32\javabb.exe
    C:\WINXP\goedkd.dat
    C:\WINXP\zsgglo.log
    C:\WINXP\jipvzh.dat
    C:\WINXP\fhvbir.log
    C:\WINXP\rkeocr.dat
    C:\WINXP\javabi32.exe
    C:\WINXP\oloksh.txt
    C:\WINXP\xfvgqh.dat
    C:\WINXP\wxzvkc.txt
    C:\WINXP\fitgcr.log
    C:\WINXP\xoebcw.log
    C:\WINXP\mizars.dat
    C:\WINXP\lihdbd.dat
    C:\WINXP\ifixid.dat
    C:\WINXP\sdkkt.exe
    C:\WINXP\sysye.exe
    C:\WINXP\iejk.exe
    C:\WINXP\appom.exe
    C:\WINXP\appek.exe
    C:\WINXP\winkx32.exe
    C:\WINXP\iela.exe
    C:\WINXP\atltn.exe
    C:\WINXP\winjc.exe
    C:\WINXP\crhc.exe
    C:\WINXP\addci32.exe
    C:\WINXP\d3en.exe
    C:\WINXP\addjx.exe
    C:\WINXP\cbfsaj.log
    C:\WINXP\apiem.exe
    C:\WINXP\apixx.exe
    C:\WINXP\sdkqq32.exe
    C:\WINXP\iema.exe
    C:\WINXP\gqggdw.dat
    C:\WINXP\xywwzx.dat
    C:\WINXP\vuyxcl.dat
    C:\WINXP\ipzo.exe
    C:\WINXP\nvjcww.dat
    C:\WINXP\appgu32.exe
    C:\WINXP\appcj.exe
    C:\WINXP\crtj32.exe
    C:\WINXP\fjzujp.dat
    C:\WINXP\cwrpwo.dat
    C:\WINXP\wsbivj.dat
    C:\WINXP\javazp32.exe
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.
Reboot into safe mode now.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans, Ewido is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Note: There is no need to purchase Ewido. It will remain as the freeware version after the trial period, which means the guard process will no longer work, but the scanner will be just as effective.

Reboot into normal mode.

Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Choose Save, NOT run, and save to your desktop
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.


Run a new scan with Panda ActiveScan.

Download fl.zip
Extract the contents to a new folder on Desktop.
Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply.

Please return with results from:

Ewido
AntiSpyware.log
Panda Online scan
findlop.txt
Ab LogFile.txt from the run in the first fix I posted
 

Registered (7 Posts) · Discussion Starter · #7
ewido:
I was unable to save a report, but it removed 251 infections...

AntiSpyware.log:
Started Backup
Finished Backup
Started Cleaning
Finished Cleaning

Panda Online scan:
Incident Status Location

Virus:Eicar.Mod Renamed C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\eicar_html.vir
Adware:Adware/Aureate-Radiate No disinfected C:\System Volume Information\_restore{7A92D277-E81F-4C54-90CA-675738B4B2D3}\RP265\A0125304.dll
Adware:Adware/Aureate-Radiate No disinfected C:\System Volume Information\_restore{7A92D277-E81F-4C54-90CA-675738B4B2D3}\RP265\A0126225.dll
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{7A92D277-E81F-4C54-90CA-675738B4B2D3}\RP265\A0126226.dll
Adware:adware/navipromo No disinfected C:\WINXP\system32\sdkxf32.exe


findlop.txt:
Volume in drive C has no label.
Volume Serial Number is 3464-1CEA

Directory of C:\Documents and Settings\All Users\Application Data

11/27/2003 01:39 PM <DIR> .
11/27/2003 01:39 PM <DIR> ..
11/27/2003 01:39 PM <DIR> Microsoft
11/27/2003 01:50 PM <DIR> QuickTime
11/27/2003 01:50 PM <DIR> ACD Systems
11/28/2003 05:06 PM <DIR> nView_Profiles
12/03/2003 02:18 PM <DIR> NFS Underground
06/02/2004 05:48 PM <DIR> Spybot - Search & Destroy
08/08/2004 11:17 AM <DIR> MSN Messenger 6.2.0137
0 File(s) 0 bytes
9 Dir(s) 8,509,898,752 bytes free
Volume in drive C has no label.
Volume Serial Number is 3464-1CEA

Directory of C:\Documents and Settings\Default User\Application Data

11/28/2004 04:17 AM 62 desktop.ini
1 File(s) 62 bytes
0 Dir(s) 8,509,898,752 bytes free
Volume in drive C has no label.
Volume Serial Number is 3464-1CEA

Directory of C:\Documents and Settings\NetworkService\Application Data

Volume in drive C has no label.
Volume Serial Number is 3464-1CEA

Directory of C:\Documents and Settings\LocalService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job '1-Click Maintenance.job'
[TRACE] Printing all job properties

ApplicationName: 'D:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe'
Parameters: '/schedulestart'
WorkingDirectory: ''
Comment: 'Starts 1-Click Maintenance at scheduled times'
Creator: 'Maty Golovaty'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 10/14/2005 17:15:00
StartError: 0x80070003
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .....F.
StartDate: 08/07/2001
EndDate: 08/07/2005
StartTime: 17:15
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


Ab LogFile.txt:
AboutBuster 5.0 reference file 31
Scan started on [13/10/2005] at [00:52:18]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 00:52:24
 

TSF Security Manager, Emeritus (52,197 Posts)
Well Done! Almost there.

The button to Save Report in Ewido was never activated?

Launch KillBox.exe & select the following options:

* delete on Reboot

Paste the following location into KILL BOX

C:\WINXP\system32\sdkxf32.exe

* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

Confirm the file was deleted by running it through Killbox once again. If it tells you the file doesn't seem to exist, that's a good thing!

Restart your system, run a new scan with HJT, and post that new log here.
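A script for the "confirm the file was deleted" step, covering both the long KillBox list in the earlier post and the single path above. This is an added example, not code from the thread, from KillBox or from TSF; it assumes Python is available on the machine and uses a handful of the listed paths as constructed sample input. The optional root argument is a demonstration convenience (assumed, not part of any tool): it re-roots the Windows paths under a scratch directory so the check can be exercised without a real infected system.

```python
"""Report which entries of a KillBox 'delete on Reboot' list still exist.

Added example for this thread, not code from KillBox or from the helpers.
Run after the reboot KillBox schedules: an empty result is the
"file doesn't seem to exist" outcome the helper wants to see.
"""
import os
import shutil
import tempfile

# Constructed sample: a handful of the paths quoted in the two KillBox
# lists above (the full list is much longer; any subset works).
KILLBOX_PATHS = [
    r"C:\WINXP\system32\winll32.exe",
    r"C:\WINXP\system32\apidf.exe",
    r"C:\WINXP\system32\sdksb32.exe",
    r"C:\WINXP\goedkd.dat",
    r"C:\WINXP\javabi32.exe",
    r"C:\WINXP\system32\sdkxf32.exe",
]


def to_local(win_path, root):
    """Map 'C:\\WINXP\\x.exe' to <root>/WINXP/x.exe, dropping the drive letter.

    Assumed helper for demonstration only: it lets the check run against a
    scratch tree instead of the live C: drive."""
    rest = win_path[2:] if len(win_path) > 1 and win_path[1] == ":" else win_path
    parts = [p for p in rest.replace("\\", "/").split("/") if p]
    return os.path.join(root, *parts)


def remaining_files(paths, root=None):
    """Return the subset of `paths` that still exist on disk.

    With root=None the Windows paths are checked as given (the real use);
    with a root they are checked under that directory instead."""
    remaining = []
    for p in paths:
        local = to_local(p, root) if root else p
        if os.path.exists(local):
            remaining.append(p)
    return remaining


def simulate_partial_cleanup():
    """Build a scratch tree in which one listed file survived, and report it.

    Constructed scenario: only sdkxf32.exe is planted, so it is the single
    path the check should flag."""
    root = tempfile.mkdtemp(prefix="killbox_check_")
    try:
        survivor = to_local(KILLBOX_PATHS[-1], root)
        os.makedirs(os.path.dirname(survivor), exist_ok=True)
        with open(survivor, "wb") as fh:
            fh.write(b"placeholder bytes, constructed for the demo")
        return remaining_files(KILLBOX_PATHS, root=root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    left = remaining_files(KILLBOX_PATHS)  # live check on this machine
    if left:
        print("still present after reboot (not removed, or written back):")
        for p in left:
            print("  ", p)
    else:
        print("none of the listed files exist: deletion confirmed")
```

Any path the script prints was either never removed or has been written back since the reboot; that is exactly why the helper re-runs Killbox on the path and then asks for a fresh HijackThis log instead of assuming the scheduled deletion succeeded.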
 

Registered (7 Posts) · Discussion Starter · #9
The button to Save Report in Ewido was activated, but when I pressed it nothing happened...

OK, here is the report from HJT:

Logfile of HijackThis v1.99.1
Scan saved at 16:47:47, on 13/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\csrss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\Explorer.EXE
C:\WINXP\system32\spoolsv.exe
G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINXP\system32\RUNDLL32.EXE
C:\WINXP\System32\DeltTray.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\[email protected]\[email protected]
C:\WINXP\system32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINXP\system32\rundll32.exe
G:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINXP\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINXP\system32\nvsvc32.exe
C:\WINXP\system32\wdfmgr.exe
C:\WINXP\system32\ZONELABS\vsmon.exe
C:\WINXP\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINXP\system32\wuauclt.exe
G:\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - G:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - G:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINXP\System32\DeltTray.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [seticlient] C:\Program Files\[email protected]\[email protected] -min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - G:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {51C98AC0-31D3-4049-B659-24389E0D94E3} (TCM3Control Control) - http://video.icellcom.co.il/TCM3Viewer.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/BlogTVU/launcher.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\Maty Golovaty.MATY.001\Desktop\SFUninstaller.exe" service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINXP\system32\ZONELABS\vsmon.exe
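To show what the helpers read first in a log like the one above, here is a small triage script. It is an added example, not part of the thread or of HijackThis; it parses the entry lines (R0/R1, O2, O4, O16, O23 and so on) of an HJT v1.99 log and flags the patterns this thread turned on: Internet Explorer search or start pages redirected to a res:// DLL resource, O23 service entries whose binary is reported as missing, and O16 ActiveX controls downloaded from external sites, which are listed for review rather than judged. The sample log is constructed from a few of the lines above plus one invented R1 line with a placeholder DLL path.

```python
"""Triage a HijackThis v1.99 log: parse the entry lines and group the ones
a helper looks at first. Added example, not from the thread or from
HijackThis itself."""
import re

# An HJT entry line looks like "O23 - Service: ..." or "R1 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.*)$")

# Constructed sample: header and process lines plus entries copied from the
# posted log, and one invented R1 search-page hijack whose DLL path is a
# placeholder, not a real file.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINXP\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\PLACEHOLDER\hijack.dll/sp.html#0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [avast!] G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {51C98AC0-31D3-4049-B659-24389E0D94E3} (TCM3Control Control) - http://video.icellcom.co.il/TCM3Viewer.cab
O23 - Service: avast! Mail Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
"""


def parse_entries(text):
    """Return (kind, body) tuples for every entry line.

    The header and the 'Running processes' block do not match ENTRY_RE and
    are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def triage(text):
    """Group entry bodies by the finding they represent.

    res_hijack:       R0/R1 page settings pointing at a res:// DLL resource,
                      the about:blank / search-page hijack seen in this thread
    empty_start_page: R0/R1 settings with no value (informational, reset later)
    file_missing:     O23 services (or any entry) whose binary HJT cannot find
    activex_dpf:      O16 downloaded ActiveX controls, listed for review
    """
    findings = {"res_hijack": [], "empty_start_page": [],
                "file_missing": [], "activex_dpf": []}
    for kind, body in parse_entries(text):
        if kind.startswith("R"):
            if "res://" in body.lower():
                findings["res_hijack"].append(body)
            elif body.rstrip().endswith("="):
                findings["empty_start_page"].append(body)
        if "(file missing)" in body:
            findings["file_missing"].append(body)
        if kind == "O16":
            findings["activex_dpf"].append(body)
    return findings


def summarize(findings):
    """Return {category: count} for a quick first look."""
    return {name: len(items) for name, items in findings.items()}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, items in result.items():
        print(f"{name}: {len(items)}")
        for body in items:
            print("   ", body)
```

Everything the script flags is a lead, not a verdict: the two "(file missing)" avast! services above are leftovers of a normal product, and an O16 control from a site the user actually visits is expected, which is why a helper reads the flagged lines in context before telling anyone to fix them.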
 

Registered (1,462 Posts)
Congratulations Your Log is Clean!!

If you are still having trouble, please don't continue with these instructions just yet. LET ME KNOW!

Otherwise, we have a few clean up items to deal with.

1. System Restore
Now that we know your system is clean, we want to purge any potentially infected restore points. To do that, complete the following:

Turn off System Restore by Clicking Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK.

To re-enable this function - simply uncheck this same box, and click "apply" and "ok"


2. Reset Hidden Files & Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is UNchecked. Also make sure that the System Files and Folders are invisible. CHECK the Hide protected operating system files option.


Also Consider...
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

You should also have a good firewall. Here are 3 free ones available for personal use:


How is she running now? Any further problems? If not, Good work, and Happy Computing!

Please reply once more so we know you have read these measures.
 

Registered (7 Posts) · Discussion Starter · #11
the computer runs very well now...
I can't thank you enough for all your help... you made my life a whole lot easier :)
once again, thank you so much...
 

TSF Security Manager, Emeritus (52,197 Posts)
Hi mg3 -

Even though things look clear, I have a suspicion.

After performing the tasks SP has laid out for you, would you please run a new Panda scan, and post the results here?
 