PDA

View Full Version : Cannot fix RegKeys... boo to me.



spoomaster
2005-12-21, 13:17
Having some trouble eliminating a nasty piece of malware, Spybot S&D and Adaware both can't seem to fix this regkey. I'll post a HJT log, if anyone has any advice I'd be happy to hear it. Thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 4:07:44 AM, on 12/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Devo\Desktop\AntiSpyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FFDA2AD7-784F-4CF6-9221-32716BC521CE} - C:\WINDOWS\system32\mknn.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [windesktop] C:\WINDOWS\system32\windesktop.exe
O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe
O4 - HKLM\..\RunServices: [windesktop] C:\WINDOWS\system32\windesktop.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/inflaterball/miniclipGameLoader.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

pskelley
2005-12-22, 06:34
Hello and welcome to the forum. You have some nasty infections and it might take a bit to clean this up. If you wish to be successful, you must follow the directions. Thanks to noahdfear and any others who helped with this fix.

Download smitRem.exe (http://noahdfear.geekstogo.com/click%20counter/click.php?id=1)©noahdfear and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan (http://www.pandasoftware.com/products/activescan.htm) on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/ (http://www.ewido.net/en/download/)

Please read Ewido Setup Instructions (http://rstones12.geekstogo.com/ewidosetup.htm)
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup (http://rstones12.geekstogo.com/adawareSE_setup.htm)
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:
===================================================
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {FFDA2AD7-784F-4CF6-9221-32716BC521CE} - C:\WINDOWS\system32\mknn.dll
O4 - HKLM\..\Run: [windesktop] C:\WINDOWS\system32\windesktop.exe
O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe
O4 - HKLM\..\RunServices: [windesktop] C:\WINDOWS\system32\windesktop.exe
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/inflaterball...GameLoader.dll

===================================================

Close HiJackThis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Let us know if any problems persist. We will have more to do.

Thanks...pskelley
Safer Networking Forums

spoomaster
2005-12-25, 22:31
Well, that wasn't so bad. Time to post logs!

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:05:25 PM, 12/25/2005
+ Report-Checksum: 7BA4C47B

+ Scan result:

C:\Documents and Settings\Devo\Cookies\devo@adbrite[1].txt -> Spyware.Cookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Devo\Cookies\devo@adopt.euroclick[2].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Devo\Cookies\devo@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\WINDOWS\system32\Fajgln32.exe -> Backdoor.Padodor.ax : Cleaned with backup
C:\WINDOWS\system32\paradise.raw.exe -> Proxy.Lager.f : Cleaned with backup
C:\WINDOWS\system32\windesktop.dll -> Worm.Maslan.j : Cleaned with backup
C:\WINDOWS\system32\windesktop.exe -> Worm.Maslan.k : Cleaned with backup
C:\WINDOWS\system32\wins32.dll -> Worm.Maslan.j : Cleaned with backup
C:\WINDOWS\system32\winselect.exe -> Worm.Maslan.k : Cleaned with backup


::Report End


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sun 12/25/2005
The current time is: 12:47:04.54

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleext.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 776 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)

spoomaster
2005-12-25, 22:33
And finally...

Logfile of HijackThis v1.99.1
Scan saved at 1:27:09 PM, on 12/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Devo\Desktop\AntiSpyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Devo\LOCALS~1\Temp\se.dll/space.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135163452000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe


Thanks for everyone's help, let me know if there is anything else I need to do!

pskelley
2005-12-25, 23:40
Hey Devo, Seems the instructions to post the PandaScan results was not highlited by noahdfear, but I do need to see that. Panda no longer removes stuff free, but it locates stuff other programs do not. I will look at the other logs and post the results, I would appreciate it if you do not have the PandaScan, run it again and post the results just to be safe. We want a clean computer.

smitRem © log file version 2.8 by noahdfear is CLEAN! Good news:dancing-c

ewido anti-malware - Scan report Created on: 1:05:25 PM, 12/25/2005

No surprises, everything located removed and I see no indication of any other problems.

Logfile of HijackThis v1.99.1 Scan saved at 1:27:09 PM, on 12/25/2005
Opps, this item is a marker for a variety of CoolWebSearch and we need to run a tool to remove it:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Devo\LOCALS~1\Temp\se.dll/space.html

Download Nikitas Tools: http://www.derbilk.de/SpSeHjfix112.zip
into a folder.

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix'. and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.
Reboot and post the log and the log from the PandaScan and a new HJT log.

Thanks...Phil

spoomaster
2005-12-27, 07:05
Done and Done. Panda Scan found nothing so I did not bother to include a log. SPEfix found nothing as well, but just in case here is the log and a fresh HJT



(12/26/05 10:00:03 PM) SPSeHjFix started v1.1.2
(12/26/05 10:00:03 PM) OS: WinXP Service Pack 2 (5.1.2600)
(12/26/05 10:00:03 PM) Language: english
(12/26/05 10:00:03 PM) Win-Path: C:\WINDOWS
(12/26/05 10:00:03 PM) System-Path: C:\WINDOWS\system32
(12/26/05 10:00:03 PM) Temp-Path: C:\DOCUME~1\Devo\LOCALS~1\Temp\
(12/26/05 10:00:05 PM) Disinfection started
(12/26/05 10:00:05 PM) Bad-Dll(IEP): c:\docume~1\devo\locals~1\temp\se.dll
(12/26/05 10:00:05 PM) UBF: 4 - UBB: 0 - UBR: 1
(12/26/05 10:00:05 PM) UBF: 4 - UBB: 0 - UBR: 1
(12/26/05 10:00:05 PM) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\devo\locals~1\temp\se.dll/space.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
(12/26/05 10:00:05 PM) Stealth-String not found
(12/26/05 10:00:05 PM) No locked Files to delete. End without Reboot
(12/26/05 10:00:17 PM) Disinfection started
(12/26/05 10:00:17 PM) Bad-Dll(IEP): c:\docume~1\devo\locals~1\temp\se.dll
(12/26/05 10:00:17 PM) UBF: 4 - UBB: 0 - UBR: 1
(12/26/05 10:00:17 PM) UBF: 4 - UBB: 0 - UBR: 1
(12/26/05 10:00:17 PM) Bad IE-pages: (none)
(12/26/05 10:00:17 PM) Stealth-String not found
(12/26/05 10:00:17 PM) No locked Files to delete. End without Reboot


(12/26/05 10:01:17 PM) SPSeHjFix started v1.1.2
(12/26/05 10:01:17 PM) OS: WinXP Service Pack 2 (5.1.2600)
(12/26/05 10:01:17 PM) Language: english
(12/26/05 10:01:17 PM) Win-Path: C:\WINDOWS
(12/26/05 10:01:17 PM) System-Path: C:\WINDOWS\system32
(12/26/05 10:01:17 PM) Temp-Path: C:\DOCUME~1\Devo\LOCALS~1\Temp\
(12/26/05 10:01:18 PM) Disinfection started
(12/26/05 10:01:18 PM) Bad-Dll(IEP): (not found)
(12/26/05 10:01:18 PM) Bad-Dll(IEP) in BHO: (not found)
(12/26/05 10:01:18 PM) UBF: 4 - UBB: 0 - UBR: 1
(12/26/05 10:01:18 PM) UBF: 4 - UBB: 0 - UBR: 1
(12/26/05 10:01:18 PM) Bad IE-pages: (none)
(12/26/05 10:01:18 PM) Stealth-String not found
(12/26/05 10:01:18 PM) Not infected->END

Logfile of HijackThis v1.99.1
Scan saved at 10:03:31 PM, on 12/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Devo\Desktop\AntiSpyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135163452000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

Thanks for all your advice! You volunteers who donate your time to help out poor clueless souls like myself are doing such a great service, you all deserve big plates of freshly baked cookies or something...

pskelley
2005-12-27, 15:35
Thanks Devo for your kind words, I could use the cookies but I do work for the thanks and a hatred for this evil and the thanks is appreciated. This CWS stuff was hiding and when we shook up the nest it reared it's ugly head. The SPSeHjFix did locate and remove it. Located here: 12/26/05 10:00:03 PM, Disinfection started here: 12/26/05 10:00:05 PM, and deleted it here: 12/26/05 10:00:05 PM. I am not real familiar with this fix, I only know it works. It seems it runs several times during the process of cleaning.

Logfile of HijackThis v1.99.1 Scan saved at 10:03:31 PM, on 12/26/2005

This: R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = is still in the log, it is clutter and sometimes they can be hard to remove. It is harmless but if you want it gone, try using HJT in safe mode: http://www.bleepingcomputer.com/forums/tutorial61.html Good opportunity to do maintenance, it will do a better job and complete faster in safe mode.

This: C:\Program Files\ewido anti-malware\ As much as I depend on ewido, I have to let you know that it does use a bunch of resources, so you should turn it off when the trial is over unless you purchase it. Keep the scanner and free updates for as long as you wish.

FYI: O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
http://castlecops.com/startuplist-6449.html

Your HJT log is free of malware,:dancing-c here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html

Because malware often gets backed up in the System Restore files and can reinfect you if you need them for a legitimate reason, follow these instruction to get clean files:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

Safe surfing...Phil

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

tashi
2005-12-29, 13:36
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please send a message to myself or pskelley.

Glad we could help. :)