Tech Support Forum banner

plz help my hjt log and analyzer result

946 Views 7 Replies 3 Participants Last post by  Ried
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 03:31:08 ص, on 9/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.EXE
C:\WINDOWS\system32\qttask.exe
C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe
C:\windows\system32\mdms.exe
C:\WINDOWS\system32\internat.exe
C:\winstall.exe
C:\Program Files\NEOTION\NEOTION Video Link\Bin\ASLaunch.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
C:\Program Files\Paltalk\pnetaware.exe
C:\Program Files\FlashGet\JetCar.exe
E:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0002.1001\en-xu\stmain.dll
O2 - BHO: Main Class - {9DD4258A-7138-49C4-8D34-587879A5C7A4} - C:\PROGRA~1\MSN\smarttag\MSNBHO.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.2001.0001\en-us\msntb.dll
O2 - BHO: SMSButton Class - {E0000C3F-8DE9-4FCB-9294-22FC06851B37} - C:\WINDOWS\System32\SmartSMS.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.2001.0001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\W
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [ff] 221.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\RunServices: [ff] 221.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: NEOTION Video Link.lnk = C:\Program Files\NEOTION\NEOTION Video Link\Bin\ASLaunch.exe
O4 - Global Startup: palstart.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\JETCAR.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\JETCAR.EXE
O9 - Extra button: SMS - {F08E1604-39FA-48b0-AE59-DF5BCD1646FA} - C:\WINDOWS\System32\SmartSMS.dll
O9 - Extra 'Tools' menuitem: SMS versenden... - {F08E1604-39FA-48b0-AE59-DF5BCD1646FA} - C:\WINDOWS\System32\SmartSMS.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A383C327-542C-40CC-BEB3-561185A124D7}: NameServer = 212.118.133.101 62.149.114.7
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe


End of KRC HijackThis Analyzer Log.
====================================================================
See less See more
Status
Not open for further replies.
1 - 8 of 8 Posts
Please print the following instructions or save them to notepad.

Download smitRem at http://noahdfear.geekstogo.com/click counter/click.php?id=1 and save the file to your desktop.

Please download Ewido Security Suite at http://www.ewido.net/en/download/ and read the Ewido setup instructions at http://rstones12.geekstogo.com/ewidosetup.htm. Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.geekstogo.com/adawareSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O4 - HKLM\..\Run: [StillImageMonitor] C:\W
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [ff] 221.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\RunServices: [ff] 221.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Global Startup: palstart.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present


Run the smitRem.exe tool you downloaded earlier. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

* Click on scanner.
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with ewido it is finding cases of false positives.
* You will need to step through the process of cleaning files one-by-one.
* If Ewido detects a file you KNOW to be legitimate, select none as the action.
* Do NOT select 'Perform action on all infections'.
* If you are unsure of any entry found, select none for now.
* When the scan is finished, click the Save report button at the bottom of the screen.
* Save the report to your desktop.

Close Ewido.

Next go to Control Panel->Display->Desktop->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Windows and go to http://www.pandasoftware.com/activescan/com/activescan_principal.htm to do a full system scan. Make sure the autoclean box is checked. Save the scan log.

Then post the Panda log here along with the logs for HijackThis, smitfiles.txt and Ewido.
See less See more
The Log Files U Need Pls Reply Now

HERE ARE ALL THE RESULTS U ASKED I'M ON LINE AND WAITING FOR UR IMMEDIATE HELP AND THANKS MY FRIEND.


PANDA LOG FILE

Incident Status Location

Virus:Trj/Cimuz.X Disinfected Operating system
Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\loadnew.exe
Spyware:spyware/new.net No disinfected C:\WINDOWS\NDNuninstall4_85.exe
Adware:adware/superspider No disinfected C:\WINDOWS\dl.exe
Adware:adware/savenow No disinfected Windows Registry
Dialer:dialer.bqw No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\CONC
Virus:W32/Gaobot.ALK.worm Disinfected C:\WINDOWS\SYSTEM32\TFTP280
Virus:W32/Gaobot.CZY.worm Disinfected C:\WINDOWS\SYSTEM32\TFTP960
Virus:Trj/Cimuz.X Disinfected C:\WINDOWS\SYSTEM32\winacpi.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM32\xmltok.dll
Virus:Trj/Downloader.ELZ Disinfected C:\WINDOWS\loadnew.exe
Virus:Bck/Shelldor.L Disinfected C:\WINDOWS\kl.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall4_85.exe
Virus:Trj/Qhost.Q Disinfected C:\WINDOWS\hosts
Virus:Trj/Banker.ARO Disinfected C:\WINDOWS\getb.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_38.exe
Virus:Trj/Torpig.A Disinfected C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
Virus:Trj/Torpig.A Disinfected C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
Virus:Bck/Shelldor.L Disinfected C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
Adware:Adware/TSCash No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11.tmp
Adware:Adware/TSCash No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12.tmp
Dialer:Dialer.ABR No disinfected E:\HJT\backups\backup-20050428-231623-904.inf
Adware:Adware/PurityScan No disinfected E:\HJT\backups\backup-20050428-231623-114.inf
HJT LOG FILE

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 11:43:07 ?, on 9/21/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.EXE
C:\WINDOWS\system32\qttask.exe
C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\NEOTION\NEOTION Video Link\Bin\ASLaunch.exe
C:\WINDOWS\system32\mdms.exe
E:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0002.1001\en-xu\stmain.dll
O2 - BHO: Main Class - {9DD4258A-7138-49C4-8D34-587879A5C7A4} - C:\PROGRA~1\MSN\smarttag\MSNBHO.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.2001.0001\en-us\msntb.dll
O2 - BHO: SMSButton Class - {E0000C3F-8DE9-4FCB-9294-22FC06851B37} - C:\WINDOWS\System32\SmartSMS.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.2001.0001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\RunOnce: [Panda_cleaner_204363] C:\WINDOWS\system32\ActiveScan\pavdr.exe 204363
O4 - HKLM\..\RunOnce: [Panda_cleaner_49437] C:\WINDOWS\system32\ActiveScan\pavdr.exe 49437
O4 - Global Startup: NEOTION Video Link.lnk = C:\Program Files\NEOTION\NEOTION Video Link\Bin\ASLaunch.exe
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\JETCAR.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\JETCAR.EXE
O9 - Extra button: SMS - {F08E1604-39FA-48b0-AE59-DF5BCD1646FA} - C:\WINDOWS\System32\SmartSMS.dll
O9 - Extra 'Tools' menuitem: SMS versenden... - {F08E1604-39FA-48b0-AE59-DF5BCD1646FA} - C:\WINDOWS\System32\SmartSMS.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A383C327-542C-40CC-BEB3-561185A124D7}: NameServer = 212.118.133.101 62.149.114.7
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe


End of KRC HijackThis Analyzer Log.
====================================================================

SMIT LOG FILE

smitRem log file
version 2.3

by noahdfear

The current date is: Sun 09/18/2005
The current time is: 0:58:19.31

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~

shopping


~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

winstall.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

winstall.exe


~~~ Wininet.dll ~~~

CLEAN! :)

EWIDO LOG FILE

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 08:49:06 م, 9/21/2005
+ Report-Checksum: 113A1311

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4} -> Spyware.MSNSmartTags : Ignored
HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Ignored
HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9DD4258A-7138-49C4-8D34-587879A5C7A4} -> Spyware.MSNSmartTags : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{1678F7E1-C422-11D0-AD7D-00400515CAAA} -> Spyware.CometCursor : Ignored
[980] C:\WINDOWS\system32\winacpi.dll -> TrojanProxy.Cimuz.ai : Ignored
[1408] C:\WINDOWS\system32\winacpi.dll -> TrojanProxy.Cimuz.ai : Ignored
C:\WINDOWS\SYSTEM32\TFTP280 -> Backdoor.Rbot : Ignored
C:\WINDOWS\SYSTEM32\TFTP960 -> Heuristic.Win32.Morphine-Crypted : Ignored
C:\WINDOWS\SYSTEM32\winacpi.dll -> TrojanProxy.Cimuz.ai : Ignored
C:\WINDOWS\loadnew.exe -> TrojanDownloader.Agent.tk : Ignored
C:\WINDOWS\kl.exe -> TrojanDropper.Small.aek : Ignored
C:\WINDOWS\NDNuninstall4_85.exe -> Spyware.NewDotNet : Ignored
C:\WINDOWS\hosts -> Trojan.Qhost.k : Ignored
C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet : Ignored
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll -> TrojanSpy.Small.ak : Ignored
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> TrojanSpy.Agent.bu : Ignored
C:\Program Files\iMesh\Client\cd_install_338.exe/cd_clint.dll -> Spyware.Cydoor : Ignored
C:\Program Files\iMesh\Client\DatingCity\DCInstaller.exe -> Spyware.DatingCity : Ignored
C:\Program Files\ICQ\NDetect.exe -> Backdoor.IP_Protect : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10.tmp -> Spyware.TSCash : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq14.tmp -> TrojanDownloader.IstBar : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq18.tmp -> Heuristic.Win32.Dialer : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19.tmp -> Spyware.Aureate : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp -> Spyware.Aureate : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq62.tmp -> Spyware.Cookie.180solutions : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq63.tmp -> Spyware.Aureate : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq64.tmp -> Spyware.Aureate : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq71.tmp -> Spyware.Cookie.Gator : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq72.tmp -> Spyware.Cookie.Gator : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq73.tmp -> Spyware.Cookie.Gator : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq74.tmp -> Spyware.Cookie.Gator : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAD.tmp -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAE.tmp -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAF.tmp -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB0.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB2.tmp -> Spyware.Cookie.Euniverseads : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq26.tmp -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq27.tmp -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq28.tmp -> Spyware.Cookie.7search : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2A.tmp -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2B.tmp -> Spyware.Cookie.Ad-flow : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2C.tmp -> Spyware.Cookie.Ad-logics : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2D.tmp -> Spyware.Cookie.Enliven : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2F.tmp -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq30.tmp -> Spyware.Cookie.Ads360 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq31.tmp -> Spyware.Cookie.Ads360 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq32.tmp -> Spyware.Cookie.Ads360 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq34.tmp -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq37.tmp -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq38.tmp -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq39.tmp -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3A.tmp -> Spyware.Cookie.Adviva : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3B.tmp -> Spyware.Cookie.Adviva : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3D.tmp -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3E.tmp -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3F.tmp -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq40.tmp -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq41.tmp -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq44.tmp -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq45.tmp -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq46.tmp -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq47.tmp -> Spyware.Cookie.Counted : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4A.tmp -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4B.tmp -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4C.tmp -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4F.tmp -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq50.tmp -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq51.tmp -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq52.tmp -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq53.tmp -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq54.tmp -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq55.tmp -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq56.tmp -> Spyware.Cookie.Clickagents : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq57.tmp -> Spyware.Cookie.Com : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq58.tmp -> Spyware.Cookie.Com : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq59.tmp -> Spyware.Cookie.Com : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5A.tmp -> Spyware.Cookie.Comclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5B.tmp -> Spyware.Cookie.Commission-junction : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5C.tmp -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5D.tmp -> Spyware.Cookie.Dbbsrv : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5E.tmp -> Spyware.Cookie.Dbbsrv : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5F.tmp -> Spyware.Cookie.Dbbsrv : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAA.tmp -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAC.tmp -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB4.tmp -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB5.tmp -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB6.tmp -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB7.tmp -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB8.tmp -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqBA.tmp -> Spyware.Cookie.Findwhat : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC3.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC4.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC5.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC6.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC7.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC8.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC9.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCA.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCB.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCC.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCD.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCE.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCF.tmp -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD0.tmp -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD1.tmp -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD2.tmp -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD3.tmp -> Spyware.Cookie.Hotlog : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD4.tmp -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD9.tmp -> Spyware.Cookie.Internetfuel : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqDC.tmp -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqDD.tmp -> Spyware.Cookie.Mainentrypoint : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE1.tmp -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE2.tmp -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE3.tmp -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE8.tmp -> Spyware.Cookie.Paycounter : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE9.tmp -> Spyware.Cookie.Paycounter : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqEA.tmp -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqEB.tmp -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqEC.tmp -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqED.tmp -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqEF.tmp -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF1.tmp -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF2.tmp -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF3.tmp -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF4.tmp -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF5.tmp -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF6.tmp -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF9.tmp -> Spyware.Cookie.Realmedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqFB.tmp -> Spyware.Cookie.Realtracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqFC.tmp -> Spyware.Cookie.Realtracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqFD.tmp -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqFE.tmp -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq103.tmp -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq104.tmp -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq105.tmp -> Spyware.Cookie.Valuead : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq106.tmp -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq107.tmp -> Spyware.Cookie.Sexlist : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq108.tmp -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq109.tmp -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10A.tmp -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10B.tmp -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10C.tmp -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10D.tmp -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10E.tmp -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10F.tmp -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq110.tmp -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq111.tmp -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq112.tmp -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq115.tmp -> Spyware.Cookie.Spylog : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq116.tmp -> Spyware.Cookie.Spylog : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq117.tmp -> Spyware.Cookie.Onestat : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq118.tmp -> Spyware.Cookie.Onestat : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq119.tmp -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11A.tmp -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11B.tmp -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11E.tmp -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11F.tmp -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq120.tmp -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\nasser\Cookies\[email protected][1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\nasser\Cookies\[email protected][2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\nasser\Cookies\[email protected][1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup


::Report End
See less See more
Hello pharaoh00,

Please print out or copy this page to Notepad since you will not have any of browsers open while you are fixing this.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Reboot into Safe Mode.(tapping F8 or F5)

Click START…RUN…Type in regedit. Make sure just “My Computer” is showing in the left pane and click..FILE….EXPORT…and save a copy some were in case you make a mistake. Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\CONC

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\loadnew.exe
C:\WINDOWS\NDNuninstall4_85.exe
C:\WINDOWS\dl.exe
C:\WINDOWS\SYSTEM32\xmltok.dll
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\system32\mdms.exe


Start KillBox.
Go to the File menu, and choose Paste from Clipboard.
Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.
Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister.dll Before Deleting" if it's not grayed out.
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe

Reboot back into Safe Mode.

Run Ewido again and this time, go ahead and select 'Remove' and ''Perform action on all infections'.
* When the scan is finished, click the Save report button at the bottom of the screen.
* Save the report to your desktop.

Reboot into Normal Mode.

Run another online scan with Panda, post those results along with the results of the Ewido Scan and a new HijackThis log.
See less See more
latest log file

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 05:44:01 ?, on 9/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.EXE
C:\WINDOWS\system32\qttask.exe
C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\NEOTION\NEOTION Video Link\Bin\ASLaunch.exe
E:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0002.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.2001.0001\en-us\msntb.dll
O2 - BHO: SMSButton Class - {E0000C3F-8DE9-4FCB-9294-22FC06851B37} - C:\WINDOWS\System32\SmartSMS.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.2001.0001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe"
O4 - Global Startup: NEOTION Video Link.lnk = C:\Program Files\NEOTION\NEOTION Video Link\Bin\ASLaunch.exe
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\JETCAR.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\JETCAR.EXE
O9 - Extra button: SMS - {F08E1604-39FA-48b0-AE59-DF5BCD1646FA} - C:\WINDOWS\System32\SmartSMS.dll
O9 - Extra 'Tools' menuitem: SMS versenden... - {F08E1604-39FA-48b0-AE59-DF5BCD1646FA} - C:\WINDOWS\System32\SmartSMS.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A383C327-542C-40CC-BEB3-561185A124D7}: NameServer = 212.93.192.4 212.93.192.5
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe


End of KRC HijackThis Analyzer Log.
====================================================================



Incident Status Location

Adware:adware/superspider No disinfected C:\WINDOWS\dlm.exe
Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\mstasks1.exe
Adware:adware/savenow No disinfected Windows Registry
Adware:Adware/TSCash No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11.tmp
Adware:Adware/TSCash No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12.tmp
Dialer:Dialer.ABR No disinfected E:\HJT\backups\backup-20050428-231623-904.inf
Adware:Adware/PurityScan No disinfected E:\HJT\backups\backup-20050428-231623-114.inf
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 04:28:02 ص, 9/23/2005
+ Report-Checksum: C83C71B5

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4} -> Spyware.MSNSmartTags : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9DD4258A-7138-49C4-8D34-587879A5C7A4} -> Spyware.MSNSmartTags : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{1678F7E1-C422-11D0-AD7D-00400515CAAA} -> Spyware.CometCursor : Cleaned with backup
C:\WINDOWS\SYSTEM32\winacpi.dll -> TrojanProxy.Cimuz.ai : Cleaned with backup
C:\Program Files\iMesh\Client\cd_install_338.exe/cd_clint.dll -> Spyware.Cydoor : Cleaned with backup
C:\Program Files\iMesh\Client\DatingCity\DCInstaller.exe -> Spyware.DatingCity : Cleaned with backup
C:\Program Files\ICQ\NDetect.exe -> Backdoor.IP_Protect : Cleaned with backup
C:\Documents and Settings\nasser\Cookies\[email protected][1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup


::Report End
See less See more
Hi,

Rebbot into Safe Mode.

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\dlm.exe
C:\WINDOWS\mstasks1.exe


Start KillBox.
Go to the File menu, and choose Paste from Clipboard.
Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.
Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister.dll Before Deleting" if it's not grayed out.
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [Yes] at the Pending Operations prompt.

Reboot into Normal Mode. Another scan with Panda and HijackThis please. Post both logs here.
See less See more
i hope this is the last step
and thanks



====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 12:10:44 ?, on 9/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.EXE
C:\WINDOWS\system32\qttask.exe
C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\NEOTION\NEOTION Video Link\Bin\ASLaunch.exe
E:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0002.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.2001.0001\en-us\msntb.dll
O2 - BHO: SMSButton Class - {E0000C3F-8DE9-4FCB-9294-22FC06851B37} - C:\WINDOWS\System32\SmartSMS.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.2001.0001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe"
O4 - Global Startup: NEOTION Video Link.lnk = C:\Program Files\NEOTION\NEOTION Video Link\Bin\ASLaunch.exe
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\JETCAR.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\JETCAR.EXE
O9 - Extra button: SMS - {F08E1604-39FA-48b0-AE59-DF5BCD1646FA} - C:\WINDOWS\System32\SmartSMS.dll
O9 - Extra 'Tools' menuitem: SMS versenden... - {F08E1604-39FA-48b0-AE59-DF5BCD1646FA} - C:\WINDOWS\System32\SmartSMS.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A383C327-542C-40CC-BEB3-561185A124D7}: NameServer = 212.118.133.101 62.149.114.7
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe


End of KRC HijackThis Analyzer Log.
====================================================================


Incident Status Location

Adware:adware/superspider No disinfected C:\WINDOWS\msstasks.exe
Adware:adware/savenow No disinfected Windows Registry
Adware:Adware/TSCash No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11.tmp
Adware:Adware/TSCash No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12.tmp
Dialer:Dialer.ABR No disinfected E:\HJT\backups\backup-20050428-231623-904.inf
Adware:Adware/PurityScan No disinfected E:\HJT\backups\backup-20050428-231623-114.inf
See less See more
Ok, this is what I'd like you to do:

Reboot into Safe Mode.

Run Ewido again and this time, I'd like you to let Ewido remove what it finds:

Run Ewido:
*Click [Scanner]
*Click [Complete System Scan] to begin scanning.
*Click [OK] when prompted to clean files

With the first file it prompts to remove, select the option - "Perform action on all infections" - & choose remove and click [OK].

Once finished, click the [Save report] button
Save the report to your desktop
Close Ewido

Run Killbox
Copy/paste the following entry in Killbox:

C:\WINDOWS\msstasks.exe

Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister.dll Before Deleting" if it's not grayed out.
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [Yes] at the Pending Operations prompt.

Reboot into Normal Mode. Run another scan with Panda and post those results along with the Ewido report and another HijackThis log.
See less See more
1 - 8 of 8 Posts
Status
Not open for further replies.
Top