Registered · 2 Posts · Discussion Starter #1
Hello,
My father has somehow contracted this virus onto my machine and so now I'm trying to get this thing off. I've been searching and it seems the only way to get it off is to really go through this process with hijackthis and the other programs. If you could please help me get rid of this virus, it would be much appreciated. I'm also interested to learn more about registry and identifying viruses on computers.

Logfile of HijackThis v1.99.1
Scan saved at 1:01:45 PM, on 10/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\apppf32.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\msif32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\StarWarsGalaxies\SWGClientSetup_r.exe
C:\Program Files\StarWarsGalaxies\SwgClient_r.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Razi\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ssyff.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ssyff.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ssyff.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ssyff.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ssyff.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ssyff.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {38D49FCA-F3B9-5C6A-6224-38F535ADED8E} - C:\WINDOWS\system32\javaaw32.dll
O2 - BHO: Class - {604368E9-EA0B-0E3E-E1F2-50F1DD1F7690} - C:\WINDOWS\system32\mfcbv.dll
O2 - BHO: (no name) - {647B7C3A-BE72-E122-772D-4D78A24E913E} - C:\WINDOWS\system32\winlm.dll
O2 - BHO: Class - {8C5AF52A-29FE-EBE7-5E7E-D3B62AE9D3CE} - C:\WINDOWS\system32\winlm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E2B46BD4-4A70-13F0-F1F4-DCA3DA3A0F33} - C:\WINDOWS\system32\winlm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ipht32.exe] C:\WINDOWS\ipht32.exe
O4 - HKLM\..\Run: [d3am.exe] C:\WINDOWS\system32\d3am.exe
O4 - HKLM\..\Run: [msif32.exe] C:\WINDOWS\msif32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1099263789406
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apppf32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe





There's my log. Please reply and let me know what you think.
Thanks,
Keyan.
 

TSF Security Team, Emeritus · 26,363 Posts
Hello and Welcome to TSF!

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.

Before proceeding any further, please create a new directory - C:\PROGRAM FILES\HIJACKTHIS\
Re-locate your HijackThis files to the new directory



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

CleanUp!.exe - Install

KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

About Buster.zip - Unzip to a new folder. Update About Buster & exit the program once that is completed.

CWShredder.exe
  1. Open CWShredder and click - I AGREE
  2. Click - Check For Update
  3. Close CWShredder after updating
HSFix.zip

Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage will not be available while you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Launch KillBox.exe & select the following options:
  • delete on Reboot
Select all the filenames below & then right-click & select Copy
  • C:\WINDOWS\system32\apppf32.exe
    C:\WINDOWS\msif32.exe
    C:\WINDOWS\system32\ssyff.dll
    C:\WINDOWS\system32\javaaw32.dll
    C:\WINDOWS\system32\mfcbv.dll
    C:\WINDOWS\system32\winlm.dll
    C:\WINDOWS\ipht32.exe
    C:\WINDOWS\system32\d3am.exe
    C:\WINDOWS\msif32.exe
    C:\WINDOWS\system32\apppf32.exe
  • Go to the File menu, and choose Paste from Clipboard
  • Click the RED X button.
  • Click Yes at the Delete on Reboot prompt.
  • Click Yes at the 'Pending Operations' prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Next, reboot your computer in Safe Mode:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


From Control Panel->Add/Remove Programs, uninstall the following programs, if present:
  • ViewPoint
  • WeatherBug

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Click Start->Run - type SERVICES.MSC & then click on the OK button
  1. Locate the service - Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I)
  2. Double-click on it to open the Properties dialog.
    • Under the General tab, note down the name of "Service name". We shall need it later.
    • Stop the service by using the Stop button.
    • Change the Startup type to Disabled & then click on the OK button
  3. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  4. In the popup box that appears, type in "Service name" & then click on the OK button

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Unzip HSfix.zip & double-click on HSfix.reg. Answer Yes when prompted to merge into the registry.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Start HijackThis & Go to Config> Misc Tools > Open ADS Spy
  1. Checkmark/tick - "Ignore Safe System Info Streams"
  2. Click the "Scan" button
  3. When it has finished scanning, checkmark/tick all that it found
  4. Click the "remove selected" button


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS


Run a scan with HiJackThis & select/tick the following & click "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ssyff.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ssyff.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ssyff.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ssyff.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ssyff.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ssyff.dll/sp.html#28129

(FIX ALL R0 & R1 ENTRIES THAT LOOK SIMILAR TO THIS - res://C:\WINDOWS\****.dll/sp.htm)

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {38D49FCA-F3B9-5C6A-6224-38F535ADED8E} - C:\WINDOWS\system32\javaaw32.dll
O2 - BHO: Class - {604368E9-EA0B-0E3E-E1F2-50F1DD1F7690} - C:\WINDOWS\system32\mfcbv.dll
O2 - BHO: (no name) - {647B7C3A-BE72-E122-772D-4D78A24E913E} - C:\WINDOWS\system32\winlm.dll
O2 - BHO: Class - {8C5AF52A-29FE-EBE7-5E7E-D3B62AE9D3CE} - C:\WINDOWS\system32\winlm.dll
O2 - BHO: (no name) - {E2B46BD4-4A70-13F0-F1F4-DCA3DA3A0F33} - C:\WINDOWS\system32\winlm.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ipht32.exe] C:\WINDOWS\ipht32.exe
O4 - HKLM\..\Run: [d3am.exe] C:\WINDOWS\system32\d3am.exe
O4 - HKLM\..\Run: [msif32.exe] C:\WINDOWS\msif32.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apppf32.exe



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Locate and delete the following folders, if present:
  • C:\Program Files\Viewpoint\
  • C:\Program Files\AWS\

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =



Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run CWShredder & click on Fix.

Run About Buster and click - Begin Removal.
Locate 'Ab LogFile.txt' (... in the same folder as AboutBuster) and post it in your next reply.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Ewido with its updated definitions: (...it's important that all windows are closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose Clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** The Ewido scan will take at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


REBOOT TO NORMAL MODE


Perform an online scan in Internet Explorer with Panda ActiveScan
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...it begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

In your next post, please include fresh logs from:
  1. HiJackThis
  2. Online scan
  3. Antispyware.log
  4. About Buster
  5. Ewido
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
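As an added example for readers working through this thread (not part of HijackThis and not the helper's own tooling), the script below applies the triage rules the helper uses by hand to HijackThis log lines: the res://...dll/sp.html start-page hijack, BHOs named only "Class" or "(no name)", toolbars with "(no file)", Run values named after their own executable, and services with an unknown owner. The sample log is a constructed excerpt of the log posted above, with the garbled O23 service name shortened; the de-duplicated file list it produces is the same idea as the KillBox list in the instructions.

```python
"""Triage helper for HijackThis v1.99 log lines.

Added example for this thread; not part of HijackThis or of the helper's
instructions. It encodes the rules the helper applied by hand:
  * R0/R1 values of the form res://<path>.dll/sp.html (hijacked IE pages)
  * R3 "Default URLSearchHook is missing"
  * O2 BHOs whose display name is just "Class" or "(no name)"
  * O3 toolbars backed by "(no file)"
  * O4 Run entries whose value name is only the executable's file name
  * O23 services listed with "Unknown owner"
"""
import re

# Constructed excerpt of the log posted in the thread; the garbled service
# name in the O23 line is shortened to keep the sample ASCII.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ssyff.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ssyff.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {38D49FCA-F3B9-5C6A-6224-38F535ADED8E} - C:\WINDOWS\system32\javaaw32.dll
O2 - BHO: (no name) - {647B7C3A-BE72-E122-772D-4D78A24E913E} - C:\WINDOWS\system32\winlm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ipht32.exe] C:\WINDOWS\ipht32.exe
O4 - HKLM\..\Run: [msif32.exe] C:\WINDOWS\msif32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Workstation NetLogon Service ( 11F ) - Unknown owner - C:\WINDOWS\system32\apppf32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")          # "O4 - <rest>"
SP_HTML = re.compile(r"res://.+?\.dll/sp\.html?", re.IGNORECASE)
RUN_VALUE = re.compile(r"\[([^\]]+)\] (.*)")                # "[name] command"
FILE_PATH = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll)', re.IGNORECASE)


def parse_line(line):
    """Split an HJT entry into (section, rest); None for non-entry lines."""
    m = ENTRY.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def flag_entry(section, rest):
    """Return why an entry is suspicious under the thread's rules, else None."""
    if section in ("R0", "R1") and SP_HTML.search(rest):
        return "IE start/search page redirected to a res://...dll/sp.html hijack"
    if section == "R3" and rest.endswith("is missing"):
        return "default URLSearchHook removed"
    if section == "O2":
        name = rest.split(" - ")[0][len("BHO: "):]   # display name only
        if name in ("Class", "(no name)"):
            return "BHO with a generic or empty display name"
    if section == "O3" and rest.endswith("(no file)"):
        return "toolbar CLSID with no backing file"
    if section == "O4":
        m = RUN_VALUE.search(rest)
        if m:
            value_name, command = m.groups()
            exe = command.strip('"').split("\\")[-1]  # last path component
            if value_name.lower() == exe.lower():
                return "Run value named after its own executable"
    if section == "O23" and "Unknown owner" in rest:
        return "service with unknown owner"
    return None


def triage(log_text):
    """Return [(section, reason, line)] for every flagged entry, in log order."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        reason = flag_entry(*parsed)
        if reason:
            hits.append((parsed[0], reason, line.strip()))
    return hits


def files_to_remove(hits):
    """Deduplicated .exe/.dll paths behind the flagged entries, first-seen order.
    (The hand-built KillBox list in the thread repeats two of its entries.)"""
    seen = {}
    for _, _, line in hits:
        for path in FILE_PATH.findall(line):
            seen.setdefault(path.lower(), path)
    return list(seen.values())


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for section, reason, line in found:
        print(f"{section:>3}  {reason}\n     {line}")
    print("\nFiles referenced by flagged entries:")
    for path in files_to_remove(found):
        print("  " + path)
```

Entries from legitimate vendors (Adobe, Symantec, NVIDIA) in the sample pass through unflagged, which is the check the rules need to survive before being trusted on a full log.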
 

Registered · 2 Posts · Discussion Starter #3 (Edited)
Hi, sorry for the very late reply. I've been out of town as well as quite busy with work and school. I did most of this on the same day and did the last scan on another but the computer wasn't used between the times.

Anyway, here are the logs:

ACTIVESCAN.TXT

Incident Status Location

Virus:W32/Oscarbot.DI.worm Disinfected Operating system
Spyware:spyware/smitfraud No disinfected C:\WINDOWS\System32\OLEEXT.dll
Virus:W32/Smitfraud.D Disinfected Operating system
Spyware:spyware/smitfraud No disinfected C:\WINDOWS\SYSTEM32\oleext.dll
Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM32\sdkfy32.exe
Spyware:spyware/petro-line No disinfected C:\Documents and Settings\Razi\Favorites\SITES ABOUT\Ab scissor.url
Adware:adware/searchaid No disinfected C:\Documents and Settings\Razi\Favorites\Only sex website.url
Adware:adware/maxifiles No disinfected C:\PROGRAM FILES\COMMON FILES\InetGet
Adware:adware/elitebar No disinfected C:\Documents and Settings\Razi\Favorites\Casino & Carrers
Adware:adware/psguard No disinfected C:\Documents and Settings\Razi\Application Data\Shudder Global Limited
Adware:adware/cws.homesearchasisstantNo disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Razi\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-6182d47b-3fffa3b8.zip[Dummy.class]
Virus:W32/Oscarbot.DI.worm Disinfected C:\Documents and Settings\Razi\Desktop\IMG00030.com
Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\Razi\Desktop\plugme.exe
Adware:Adware/IST.ISTBar No disinfected C:\plugg.exe
Hacktool:Hacktool/Hammer No disinfected C:\Program Files\Robster Productions\Halflife Logo Creator\HLC.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\blvsd.dll
Adware:Adware/Exact.BargainBuddyNo disinfected C:\WINDOWS\etb\xml\images\casino.bmp
Adware:Adware/Exact.BargainBuddyNo disinfected C:\WINDOWS\etb\xml\images\dating.bmp
Adware:Adware/Exact.BargainBuddyNo disinfected C:\WINDOWS\etb\xml\images\virus.bmp
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipqy32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\netwr.exe
Adware:Adware/CWS.HomeSearchAsisstantNo disinfected C:\WINDOWS\system32\msuo32.exe
Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\system32\plugme.exe
Virus:W32/Smitfraud.D Disinfected C:\WINDOWS\system32\wininet.dll
Virus:W32/Gaobot.KTE.worm Disinfected C:\WINDOWS\system32\wininit32.exe




ANTISPYWARE.LOG

Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Found '' in 'Software\IST'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW'
Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA'
Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA'
Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE'
Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE'
Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW'
Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW'
Found 'iebar' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform'
Found 'SearchAssistant' in 'SOFTWARE\Microsoft\Internet Explorer\Search'
Found '' in 'CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5}'
Found '' in 'SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5}'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
Internet URL Shortcuts
Found 'Ab scissor.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Broadband comparison.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Credit counseling.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Credit report.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Crm software.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Debt credit card.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Escorts.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Fha.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Health insurance.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Help desk software.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Insurance home.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Loan for debt consolidation.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Loan for people with bad credit.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Marketing email.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Mortgage insurance.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Nevada corporations.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Online Betting Site.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Online gambling casino.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Online instant loan.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Order phentermine.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Payroll advance.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Personal loans online.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Personal loans with bad credit.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Prescription Drugs Rx Online.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Refinancing my mortgage.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Tahoe vacation rental.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Unsecured bad credit loans.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Videos.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'What is hydrocodone.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Only sex website.url' in 'C:\Documents and Settings\Razi\Favorites\'
Files and Directories
Found '' in 'C:\Documents and Settings\Razi\Favorites\Finances & Business'
Found '' in 'C:\Documents and Settings\Razi\Favorites\Health & Insurance'
Found '' in 'C:\Documents and Settings\Razi\Favorites\Homelife & Travel'
Found '' in 'C:\Program Files\WinMX'
Found 'blvsd.dll' in 'C:\WINDOWS'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\Documents and Settings\Razi\Favorites\Finances & Business' in shortcut areas.
Checking for 'C:\Documents and Settings\Razi\Favorites\Finances & Business' in startup areas.
Cleaning 'C:\Documents and Settings\Razi\Favorites\Finances & Business'
Checking for 'C:\Documents and Settings\Razi\Favorites\Finances & Business\Human Resources.url' in shortcut areas.
Checking for 'C:\Documents and Settings\Razi\Favorites\Finances & Business\Human Resources.url' in startup areas.
Cleaning 'C:\Documents and Settings\Razi\Favorites\Finances & Business\Human Resources.url'
Checking for 'C:\Documents and Settings\Razi\Favorites\Health & Insurance' in shortcut areas.
Checking for 'C:\Documents and Settings\Razi\Favorites\Health & Insurance' in startup areas.
Cleaning 'C:\Documents and Settings\Razi\Favorites\Health & Insurance'
Checking for 'C:\Documents and Settings\Razi\Favorites\Health & Insurance\Dental Insurance.url' in shortcut areas.
Checking for 'C:\Documents and Settings\Razi\Favorites\Health & Insurance\Dental Insurance.url' in startup areas.
Cleaning 'C:\Documents and Settings\Razi\Favorites\Health & Insurance\Dental Insurance.url'
Checking for 'C:\Documents and Settings\Razi\Favorites\Health & Insurance\Term Life.url' in shortcut areas.
Checking for 'C:\Documents and Settings\Razi\Favorites\Health & Insurance\Term Life.url' in startup areas.
Cleaning 'C:\Documents and Settings\Razi\Favorites\Health & Insurance\Term Life.url'
Checking for 'C:\Documents and Settings\Razi\Favorites\Homelife & Travel' in shortcut areas.
Checking for 'C:\Documents and Settings\Razi\Favorites\Homelife & Travel' in startup areas.
Cleaning 'C:\Documents and Settings\Razi\Favorites\Homelife & Travel'
Checking for 'C:\Documents and Settings\Razi\Favorites\Homelife & Travel\International travel.url' in shortcut areas.
Checking for 'C:\Documents and Settings\Razi\Favorites\Homelife & Travel\International travel.url' in startup areas.
Cleaning 'C:\Documents and Settings\Razi\Favorites\Homelife & Travel\International travel.url'
Checking for 'C:\Program Files\WinMX' in shortcut areas.
Checking for 'C:\Program Files\WinMX' in startup areas.
Cleaning 'C:\Program Files\WinMX'
Checking for 'C:\Program Files\WinMX\wpnpchannelcmds.txt' in shortcut areas.
Checking for 'C:\Program Files\WinMX\wpnpchannelcmds.txt' in startup areas.
Cleaning 'C:\Program Files\WinMX\wpnpchannelcmds.txt'
Checking for 'C:\WINDOWS\blvsd.dll' in shortcut areas.
Checking for 'C:\WINDOWS\blvsd.dll' in startup areas.
Cleaning 'C:\WINDOWS\blvsd.dll'
Finished Cleaning
Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Scanning
Internet Cookies
Found 'serving-sys.com' in 'Internet Explorer Cache'
Found 'atdmt.com' in 'Internet Explorer Cache'
Found 'media.adrevolver.com' in 'Internet Explorer Cache'
Found 'doubleclick.net' in 'Internet Explorer Cache'
Found 'ad.yieldmanager.com' in 'Internet Explorer Cache'
Found 'mediaplex.com' in 'Internet Explorer Cache'
Found '2o7.net' in 'Internet Explorer Cache'
Found 'centrport.net' in 'Internet Explorer Cache'
Found 'as-us.falkag.net' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW'
Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA'
Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA'
Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE'
Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE'
Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW'
Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW'
Found 'SearchAssistant' in 'SOFTWARE\Microsoft\Internet Explorer\Search'
Found '' in 'CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5}'
Found '' in 'SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5}'
Internet URL Shortcuts
Found 'Ab scissor.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Broadband comparison.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Credit counseling.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Credit report.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Crm software.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Debt credit card.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Escorts.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Fha.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Health insurance.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Help desk software.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Insurance home.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Loan for debt consolidation.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Loan for people with bad credit.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Marketing email.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Mortgage insurance.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Nevada corporations.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Online Betting Site.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Online gambling casino.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Online instant loan.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Order phentermine.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Payroll advance.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Personal loans online.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Personal loans with bad credit.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Prescription Drugs Rx Online.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Refinancing my mortgage.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Tahoe vacation rental.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Unsecured bad credit loans.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Videos.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'What is hydrocodone.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Only sex website.url' in 'C:\Documents and Settings\Razi\Favorites\'
Files and Directories
Started Scanning
Internet Cookies
Found 'serving-sys.com' in 'Internet Explorer Cache'
Found 'atdmt.com' in 'Internet Explorer Cache'
Found 'media.adrevolver.com' in 'Internet Explorer Cache'
Found 'doubleclick.net' in 'Internet Explorer Cache'
Found 'ad.yieldmanager.com' in 'Internet Explorer Cache'
Found 'mediaplex.com' in 'Internet Explorer Cache'
Found '2o7.net' in 'Internet Explorer Cache'
Found 'centrport.net' in 'Internet Explorer Cache'
Found 'as-us.falkag.net' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW'
Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA'
Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA'
Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE'
Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE'
Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW'
Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW'
Found 'SearchAssistant' in 'SOFTWARE\Microsoft\Internet Explorer\Search'
Found '' in 'CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5}'
Found '' in 'SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5}'
Internet URL Shortcuts
Found 'Ab scissor.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Broadband comparison.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Credit counseling.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Credit report.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Crm software.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Debt credit card.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Escorts.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Fha.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Health insurance.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Help desk software.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Insurance home.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Loan for debt consolidation.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Loan for people with bad credit.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Marketing email.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Mortgage insurance.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Nevada corporations.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Online Betting Site.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Online gambling casino.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Online instant loan.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Order phentermine.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Payroll advance.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Personal loans online.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Personal loans with bad credit.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Prescription Drugs Rx Online.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Refinancing my mortgage.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Tahoe vacation rental.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Unsecured bad credit loans.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Videos.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'What is hydrocodone.url' in 'C:\Documents and Settings\Razi\Favorites\Sites about\'
Found 'Only sex website.url' in 'C:\Documents and Settings\Razi\Favorites\'
Files and Directories
Found 'blvsd.dll' in 'C:\WINDOWS'
Found 'ymmsy.dll' in 'C:\WINDOWS\system32'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\WINDOWS\blvsd.dll' in shortcut areas.
Checking for 'C:\WINDOWS\blvsd.dll' in startup areas.
Cleaning 'C:\WINDOWS\blvsd.dll'
Checking for 'C:\WINDOWS\system32\ymmsy.dll' in shortcut areas.
Checking for 'C:\WINDOWS\system32\ymmsy.dll' in startup areas.
Cleaning 'C:\WINDOWS\system32\ymmsy.dll'
Finished Cleaning
Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW'
Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA'
Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA'
Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE'
Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE'
Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW'
Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW'
Internet URL Shortcuts
Files and Directories

HIJACKTHIS.LOG

Logfile of HijackThis v1.99.1
Scan saved at 8:00:52 PM, on 10/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Razi\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.971searchbox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ssyff.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ssyff.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ssyff.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ssyff.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ssyff.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ssyff.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\freeprod.dll
O2 - BHO: Class - {38D49FCA-F3B9-5C6A-6224-38F535ADED8E} - C:\WINDOWS\system32\javaaw32.dll (file missing)
O2 - BHO: Class - {604368E9-EA0B-0E3E-E1F2-50F1DD1F7690} - C:\WINDOWS\system32\mfcbv.dll (file missing)
O2 - BHO: Class - {627E50E5-1ED2-24FD-2FCA-405711CBCC48} - C:\WINDOWS\javauj32.dll
O2 - BHO: (no name) - {647B7C3A-BE72-E122-772D-4D78A24E913E} - C:\WINDOWS\system32\winlm.dll (file missing)
O2 - BHO: Class - {8C5AF52A-29FE-EBE7-5E7E-D3B62AE9D3CE} - C:\WINDOWS\system32\winlm.dll (file missing)
O2 - BHO: Class - {8D7A8954-4170-2440-15FE-F1BE6735EBA6} - C:\WINDOWS\system32\mslb32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E2B46BD4-4A70-13F0-F1F4-DCA3DA3A0F33} - C:\WINDOWS\system32\winlm.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [ipht32.exe] C:\WINDOWS\ipht32.exe
O4 - HKLM\..\Run: [d3am.exe] C:\WINDOWS\system32\d3am.exe
O4 - HKLM\..\Run: [msif32.exe] C:\WINDOWS\msif32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\Run: [Microsoft Update 64 BIT] wininit32.exe
O4 - HKLM\..\Run: [System service76] C:\WINDOWS\etb\pokapoka76.exe
O4 - HKLM\..\Run: [filit] C:\foobar.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\RunServices: [Microsoft Update 64 BIT] wininit32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000080.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1099263789406
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Razi\Desktop\progs\stuff\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

EWIDO REPORT

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:36:27 PM, 10/19/2005
+ Report-Checksum: CE33A80D

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
C:\Documents and Settings\Razi\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0C.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\ms32.tmp -> TrojanDownloader.Small.azk : Cleaned with backup
C:\Program Files\PSGuard -> Spyware.PSGuard : Cleaned with backup
C:\Program Files\PSGuard\Quarantine -> Spyware.PSGuard : Cleaned with backup
C:\WINDOWS\apizc.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\etb\nt_hide76.dll -> Trojan.EliteBar.a : Cleaned with backup
C:\WINDOWS\etb\pokapoka76.exe -> Trojan.EliteBar.a : Cleaned with backup
C:\WINDOWS\n_avvzgt.txt -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\sysrm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32:mmaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\WINDOWS\system32\apilx.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\atlls.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ipnk.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ippu32.exe -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\javahp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\mfcva.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup

::Report End

AB LOGFILE.TXT

AboutBuster 5.1, reference file 32
Scan started on [10/19/2005] at [8:15:23 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
Removed File! : C:\WINDOWS\blvsd.dll
Removed File! : C:\WINDOWS\nmrdl.dll
Removed File! : C:\WINDOWS\uuoww.dat
Removed File! : C:\WINDOWS\vgbyf.dll
Removed File! : C:\WINDOWS\System32\dlbpf.dat
Removed File! : C:\WINDOWS\System32\kzzjm.dat
Removed File! : C:\WINDOWS\System32\ymmsy.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 8:16:17 PM

Before and after the scans and cleans, I always got these Windows error messages saying that my computer may be infected. In addition, after the scans, my computer likes to randomly restart itself every 15 minutes or so.

Also, during this process, I was unable to delete the service requested in HijackThis. The service was not found. Also, there is a 'Viewpoint Toolbar' that could not be deleted.
 