View Full Version : surf sidekick
markus212
2006-04-01, 00:02
Recently I have had an enormous amount of pop ups, this was shortly after I foolishly went onto a keygen site
I ran a spyware scan, and surf sidekick keeps coming up, no matter how much I try to delete it, it wont go away, here is a hijackthis.log
Logfile of HijackThis v1.99.1
Scan saved at 21:59:09, on 31/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\cpuidle.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\mousepad7.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\WINDOWS\STEM32~1\spool32.exe
C:\Documents and Settings\Mark The Killer\Application Data\M?crosoft\javaw.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mark The Killer\Desktop\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer brought to you by Planetis
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O1 - Hosts: 69.50.166.14 yahoo.com
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard7.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad7.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname7.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [lssas Monitoring Startup] lssas.exe
O4 - HKCU\..\Run: [Windows Registers] winservicess.exe
O4 - HKCU\..\Run: [Start Uppings] mssupdate.exe
O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] ntsf.exe
O4 - HKCU\..\Run: [Windows Compliant] qgnnmv.exe
O4 - HKCU\..\Run: [start uploading] crsss.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
O4 - HKCU\..\Run: [AutoUpdate] C:\Program Files\Serials3k\s3k_autoupdate.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [Pldo] "C:\WINDOWS\STEM32~1\spool32.exe" -vt yazr
O4 - HKCU\..\Run: [Fekbmzt] C:\Documents and Settings\Mark The Killer\Application Data\M?crosoft\javaw.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\RunServices: [Start Uppings] mssupdate.exe
O4 - HKCU\..\RunServices: [start uploading] crsss.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.156.31.147/100039/uk/gegames/geaccess.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139692815468
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/605688.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2728CAE1-1766-406B-A7ED-BC49E804556B}: NameServer = 194.72.0.98 194.72.9.38
O17 - HKLM\System\CS1\Services\Tcpip\..\{2728CAE1-1766-406B-A7ED-BC49E804556B}: NameServer = 194.72.0.98 194.72.9.38
O20 - AppInit_DLLs: repairs303169566.dll
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\n22ulcf91f2.dll (file missing)
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\fp8603lse.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWFyayBUaGUgS2lsbGVy\command.exe (file missing)
O23 - Service: cpuidle - Unknown owner - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
I cant get rid of any of the surf side kick files here, can anybody help?
Hello and welcome, lets get started. :)
==
Please print these instructions out, or write them down, as you can't read them during the fix.
1. Please download Ewido Anti-Malware (http://www.ewido.net/en/download/)
Install Ewido Anti-malware
Launch Ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run Ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
You will need to update Ewido to the latest definition files.
On the left hand side of the main screen click Update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful")
Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates (http://www.ewido.net/en/download/updates/)
==
2. Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right-click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk ( C: ) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).
Do not do anything with these yet!
==
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
==
4. Once in Safe Mode, Run Ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Close Ewido anti-malware.
==
5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
In the Scriptline to execute field type or paste c:\bfu\alcanshorty.bfu
Press Execute and let it do it’s job. (You ought to see a progress bar if you did this correctly.)
Wait for the Complete script execution box to pop up and hit OK.
Press Exit to terminate the BFU program.
Reboot into normal Windows and post the contents of Ewido log that you saved along with a fresh HiJackThis log. :bigthumb:
markus212
2006-04-01, 17:25
I tried the ewido anti malware and it came up with 139 infections, it didn't let me save a log though, and I did the bfu scan too. I executed a bfu\alcanshorty.bfu.txt file, does that make any difference?
here is the hijackthis log anyway:
Logfile of HijackThis v1.99.1
Scan saved at 15:21:56, on 01/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\cpuidle.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\WINDOWS\STEM32~1\spool32.exe
C:\Documents and Settings\Mark The Killer\Application Data\M?crosoft\javaw.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Documents and Settings\Mark The Killer\Desktop\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer brought to you by Planetis
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O1 - Hosts: 69.50.166.14 yahoo.com
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [lssas Monitoring Startup] lssas.exe
O4 - HKCU\..\Run: [Windows Registers] winservicess.exe
O4 - HKCU\..\Run: [Start Uppings] mssupdate.exe
O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] ntsf.exe
O4 - HKCU\..\Run: [Windows Compliant] qgnnmv.exe
O4 - HKCU\..\Run: [start uploading] crsss.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
O4 - HKCU\..\Run: [AutoUpdate] C:\Program Files\Serials3k\s3k_autoupdate.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Pldo] "C:\WINDOWS\STEM32~1\spool32.exe" -vt yazr
O4 - HKCU\..\Run: [Fekbmzt] C:\Documents and Settings\Mark The Killer\Application Data\M?crosoft\javaw.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\RunServices: [Start Uppings] mssupdate.exe
O4 - HKCU\..\RunServices: [start uploading] crsss.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.156.31.147/100039/uk/gegames/geaccess.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139692815468
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/605688.exe
O20 - AppInit_DLLs: repairs303169566.dll
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\n22ulcf91f2.dll (file missing)
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\fp8603lse.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: cpuidle - Unknown owner - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Lets go after SurfSideKick next. You sure have a lot infections there, please stick to the instructions and we'll get them :bigthumb:
RIGHT-CLICK HERE (http://downloads.subratam.org/Lon/sidekickFix.bat) and choose "Save As" (in IE it's "Save Target As") in order to download SideKickFix.
Save it in the same folder you made earlier (c:\BFU).
Please close ALL other open windows & explorer folder's, then double-click on sidekickFix.bat.
Click YES and follow the prompts, when prompted to restart the PC please do so.
Then please post back with a fresh HijackThis log by using AddReply. :)
markus212
2006-04-01, 21:44
I ran the file you told me to here is my latest hijackthis log, I'm still being plagued by hords of pop ups
Logfile of HijackThis v1.99.1
Scan saved at 19:41:25, on 01/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\cpuidle.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\mousepad7.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\WINDOWS\STEM32~1\spool32.exe
C:\Documents and Settings\Mark The Killer\Application Data\M?crosoft\javaw.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\WINDOWS\system32\csrrs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mark The Killer\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer brought to you by Planetis
O1 - Hosts: 69.50.166.14 yahoo.com
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [newname] C:\windows\newname7.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad7.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard7.exe
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [lssas Monitoring Startup] lssas.exe
O4 - HKCU\..\Run: [Windows Registers] winservicess.exe
O4 - HKCU\..\Run: [Start Uppings] mssupdate.exe
O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] ntsf.exe
O4 - HKCU\..\Run: [Windows Compliant] qgnnmv.exe
O4 - HKCU\..\Run: [start uploading] crsss.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
O4 - HKCU\..\Run: [AutoUpdate] C:\Program Files\Serials3k\s3k_autoupdate.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Pldo] "C:\WINDOWS\STEM32~1\spool32.exe" -vt yazr
O4 - HKCU\..\Run: [Fekbmzt] C:\Documents and Settings\Mark The Killer\Application Data\M?crosoft\javaw.exe
O4 - HKCU\..\RunServices: [Start Uppings] mssupdate.exe
O4 - HKCU\..\RunServices: [start uploading] crsss.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: svchost.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.156.31.147/100039/uk/gegames/geaccess.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139692815468
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/605688.exe
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\n22ulcf91f2.dll (file missing)
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\fp8603lse.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWFyayBUaGUgS2lsbGVy\command.exe (file missing)
O23 - Service: cpuidle - Unknown owner - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Ok... Lets continue. :)
1) Please download delcmdservice (http://users.telenet.be/marcvn/tools/delcmdservice.zip) (by Marckie), and save it to your Desktop.
Unzip the content to your Desktop (a folder named delcmdservice)
Double-click on the delcmdservice folder
Double-click on delreg.bat to launch the tool
When the tool has finished, please reboot your computer.
==
2) Create a folder on your desktop called Sysclean.
Go to http://www.trendmicro.com/download/dcs.asp and download sysclean package to the folder you made.
Go to http://www.trendmicro.com/download/pattern.asp and download the Official Pattern Release for windows to your desktop.
This file will be called lptXXX.zip (XXX represents the version number)
Unzip lptXXX.zip and you'll get a file lpt$vpn.XXX.
Move the lpt$vpn.XXX to that Sysclean-folder you created on your desktop.
Turn off your antivirus which is installed on your system because it can interfere with the Sysclean-scan.
Open the sysclean-folder and double-click sysclean.com.
Check: "Automatically clean or delete detected files."
Click "Scan".
When the scan is finished, select: "View log".
Copy and paste this log in your next reply. :)
Hi.. before going to the above instructions, please try the following:
Please download NTrights.zip (http://www10.brinkster.com/expl0iter/freeatlast/NTrights.zip) by freeatlast.
If you can't access it, download NTrights.zip via here: http://www10.brinkster.com/expl0iter/freeatlast/dumprights.htm
Save it on your desktop.
Unzip/extract it.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Open the NTrights-folder
Double click on the Debug.bat file to run it, follow any prompts it asks.
REBOOT
Doubleclick the Debug.bat again after reboot.
It will create a log.
If the log says:
"Granting SeDebugPrivilege to Administrators ... successful", you must be ok and things restored well
markus212
2006-04-02, 00:34
I did the Trend Micro Sysclean scan but it wont let me copy the log, It wont highlight
It should have created txt.log for you to look at. Please see if there's one.
Also, did you try the ntrights step? Please post a fresh HijackThis log.. :bigthumb:
markus212
2006-04-02, 18:33
the Debug.bat, showed me Granting SeDebugPrivilege to Administrators ... successful first time round before I rebooted the computer
here is the latest hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 16:31:40, on 02/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\cpuidle.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\mousepad7.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\Documents and Settings\Mark The Killer\Application Data\M?crosoft\javaw.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\Winamp\Winamp.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mark The Killer\Desktop\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer brought to you by Planetis
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 69.50.166.14 yahoo.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [newname] C:\windows\newname7.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad7.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard7.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Registers] winservicess.exe
O4 - HKCU\..\Run: [Start Uppings] mssupdate.exe
O4 - HKCU\..\Run: [Windows Compliant] qgnnmv.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
O4 - HKCU\..\Run: [AutoUpdate] C:\Program Files\Serials3k\s3k_autoupdate.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Pldo] "C:\WINDOWS\STEM32~1\spool32.exe" -vt yazr
O4 - HKCU\..\Run: [Fekbmzt] C:\Documents and Settings\Mark The Killer\Application Data\M?crosoft\javaw.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
O4 - HKCU\..\RunServices: [Start Uppings] mssupdate.exe
O4 - HKCU\..\RunServices: [start uploading] crsss.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.156.31.147/100039/uk/gegames/geaccess.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139692815468
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/605688.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2728CAE1-1766-406B-A7ED-BC49E804556B}: NameServer = 194.72.0.98 194.72.9.38
O17 - HKLM\System\CS1\Services\Tcpip\..\{2728CAE1-1766-406B-A7ED-BC49E804556B}: NameServer = 194.72.0.98 194.72.9.38
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\n22ulcf91f2.dll (file missing)
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\fp8603lse.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: cpuidle - Unknown owner - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Hmm. You still have a lot of stuff there. I guess we could go after them manually. :)
Please print these instructions out, or write them down, as you can't read them during the fix.
Please run a scan with HijackThis and check the following objects for removal:
O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll
O4 - HKLM\..\Run: [newname] C:\windows\newname7.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad7.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard7.exe
O4 - HKCU\..\Run: [Windows Registers] winservicess.exe
O4 - HKCU\..\Run: [Start Uppings] mssupdate.exe
O4 - HKCU\..\Run: [Windows Compliant] qgnnmv.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Pldo] "C:\WINDOWS\STEM32~1\spool32.exe" -vt yazr
O4 - HKCU\..\Run: [Fekbmzt] C:\Documents and Settings\Mark The Killer\Application Data\M?crosoft\javaw.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
O4 - HKCU\..\RunServices: [Start Uppings] mssupdate.exe
O4 - HKCU\..\RunServices: [start uploading] crsss.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...up1.0.0.15.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/605688.exe
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\n22ulcf91f2.dll (file missing)
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\fp8603lse.dll (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
Close ALL other open windows except for HijackThis and hit FIX CHECKED. Close HijackThis.
==
Click Start -> Run and type in: sc delete Network Monitor
Hit ok and reboot.
==
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
==
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files - option.
Next, please navigate to and delete the following files/folders if present:
C:\PROGRAM FILES\TOOLBAR\
C:\Program Files\Toolbar888\
C:\windows\newname7.exe
C:\windows\mousepad7.exe
C:\windows\keyboard7.exe
C:\WINDOWS\system32\wuclient.exe
C:\PROGRAM FILES\MYWEBSEARCH\ <= Anything related to MyWebSearch
C:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
C:\Program Files\Network Monitor\
With Windows Search function locate and delete the following files if present:
winservicess.exe
mssupdate.exe
qgnnmv.exe
crsss.exe
PLEASE empty recycle bin.
==
Then post back with a fresh HijackThis log and let me know how it went. :bigthumb:
markus212
2006-04-03, 19:44
here is the latest hijackthis log, one of the MyWebSearch files wouldn't delete even in safe mode, I got rid of the rest though
Logfile of HijackThis v1.99.1
Scan saved at 17:42:20, on 03/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\cpuidle.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Documents and Settings\Mark The Killer\Desktop\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer brought to you by Planetis
O1 - Hosts: 69.50.166.14 yahoo.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard7.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
O4 - HKCU\..\Run: [AutoUpdate] C:\Program Files\Serials3k\s3k_autoupdate.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.156.31.147/100039/uk/gegames/geaccess.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139692815468
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: cpuidle - Unknown owner - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
Looking better all the time :bigthumb:
Please run a scan with HijackThis and check the following object for removal:
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard7.exe
Close ALL other open windows except for HijackThis and hit FIX CHECKED. Please reboot.
==
Post back with a fresh HijackThis log yet again, and let me know how's the system running. ;)
markus212
2006-04-04, 20:15
here is the latest hijackthis log, my system is improving ;) not as many pop ups as before
Logfile of HijackThis v1.99.1
Scan saved at 18:13:05, on 04/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\cpuidle.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\Winamp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mark The Killer\Desktop\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer brought to you by Planetis
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 69.50.166.14 yahoo.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
O4 - HKCU\..\Run: [AutoUpdate] C:\Program Files\Serials3k\s3k_autoupdate.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.156.31.147/100039/uk/gegames/geaccess.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139692815468
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2728CAE1-1766-406B-A7ED-BC49E804556B}: NameServer = 194.72.0.98 194.72.9.38
O17 - HKLM\System\CS1\Services\Tcpip\..\{2728CAE1-1766-406B-A7ED-BC49E804556B}: NameServer = 194.72.0.98 194.72.9.38
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: cpuidle - Unknown owner - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.
markus212
2006-04-05, 21:13
ok, here is the logfile, it's too big to fit in so I'll have to post it in shifts:
Incident Status Location
Adware:adware/deskwizz Not disinfected C:\WINDOWS\SYSTEM32\ad.html
Adware:adware/commad Not disinfected C:\WINDOWS\SYSTEM32\atmtd.dll
Potentially unwanted tool:application/mywebsearch Not disinfected C:\WINDOWS\SYSTEM32\f3PSSavr.scr
Adware:adware/startpage.aao Not disinfected C:\WINDOWS\SYSTEM32\favico.dat
Dialer:dialer.xc Not disinfected C:\WINDOWS\SYSTEM32\paydial.exe
Dialer:dialer.bb Not disinfected C:\WINDOWS\SYSTEM32\tibs.exe
Adware:adware/ncase Not disinfected C:\TEMP\salmau.dat
Dialer:dialer.fie Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\gba1735.exe
Potentially unwanted tool:application/winfixer2005 Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWFX6_0001_N69M1503NetInstaller.exe
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Mark The Killer\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/dollarrevenue Not disinfected C:\drsmartload1.exe
Adware:adware/azesearch Not disinfected C:\WINDOWS\azesearch.bmp
Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\tool.exe
Spyware:spyware/media-motor Not disinfected C:\WINDOWS\ubber60.ini
Potentially unwanted tool:application/funweb Not disinfected C:\PROGRAM FILES\FunWebProducts
Adware:adware/neededware Not disinfected C:\PROGRAM FILES\NDW
Potentially unwanted tool:application/spywarestormer Not disinfected C:\PROGRAM FILES\Spyware Stormer
Adware:adware/maxifiles Not disinfected C:\PROGRAM FILES\COMMON FILES\InetGet
Adware:adware/windowenhancer Not disinfected C:\WINDOWS\SYSTEM32\SBUtils
Adware:adware/searchcat Not disinfected C:\Documents and Settings\Mark The Killer\Favorites\Free Hardcore Porn
Adware:adware/wupd Not disinfected Windows Registry
Potentially unwanted tool:application/altnet Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\ALTNETDM
Adware:adware/searchexe Not disinfected Windows Registry
Dialer:dialer.xe Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{30CE93AE-4987-483C-9ABE-F2BD5301AB70}
Adware:adware/elitebar Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@2o7[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@888[3].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@adopt.hbmediapro[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@adrevolver[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@adrevolver[3].txt
Spyware:Cookie/ads.tripod.lycos.com Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@ads.tripod.lycos[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@advertising[1].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@anm.co[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@apmebf[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@as-eu.falkag[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@atdmt[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@ath.belnk[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@azjmp[2].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@banners.searchingbooth[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@belnk[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@bravenet[1].txt
Spyware:Cookie/Bs.serving-sys Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@bs.serving-sys[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@burstnet[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@c2.gostats[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@c3.gostats[2].txt
markus212
2006-04-05, 21:14
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@casalemedia[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@cassava[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@ccbill[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@com[1].txt
Spyware:Cookie/Sexsuche Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@counter.sexsuche[1].txt
Spyware:Cookie/DelfinMedia Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@delfinproject[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@dist.belnk[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@doubleclick[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@errorsafe[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@fastclick[2].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@fe.lea.lycos[1].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@fe.lea.lycos[2].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@fe.lea.lycos[3].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@fortunecity[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@gostats[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@go[2].txt
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@hc2.humanclick[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@hitbox[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@i.screensavers[2].txt
Spyware:Cookie/Kmpads Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@kmpads[2].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@landing.domainsponsor[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@linkexchange[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@maxserving[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@mediaplex[1].txt
Spyware:Cookie/Media-motor Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@mmm.media-motor[2].txt
Spyware:Cookie/Mp3search Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@mp3search[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@overture[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@realmedia[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@revenue[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@rn11[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@searchportal.information[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@sel.as-eu.falkag[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@serving-sys[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@statcounter[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@stats1.reliablestats[2].txt
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@targetnet[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@toplist[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@tribalfusion[1].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@tucows[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@uol.com[2].txt
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@valueclick[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@winfixer[1].txt
markus212
2006-04-05, 21:15
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@wizzle[1].txt
Spyware:Cookie/ademails Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@www.ademails[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@www.errorsafe[1].txt
Spyware:Cookie/seeqA Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@www.seeq[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@xiti[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@xmts[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@zedo[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@2o7[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@888[3].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@adopt.hbmediapro[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@adrevolver[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@adrevolver[3].txt
Spyware:Cookie/ads.tripod.lycos.com Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@ads.tripod.lycos[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@advertising[1].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@anm.co[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@apmebf[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@as-eu.falkag[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@atdmt[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@ath.belnk[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@azjmp[2].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@banners.searchingbooth[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@belnk[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@bravenet[1].txt
Spyware:Cookie/Bs.serving-sys Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@bs.serving-sys[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@burstnet[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@c2.gostats[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@c3.gostats[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@casalemedia[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@cassava[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@ccbill[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@com[1].txt
Spyware:Cookie/Sexsuche Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@counter.sexsuche[1].txt
Spyware:Cookie/DelfinMedia Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@delfinproject[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@dist.belnk[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@doubleclick[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@errorsafe[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@fastclick[2].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@fe.lea.lycos[1].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@fe.lea.lycos[2].txt
markus212
2006-04-05, 21:17
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@fe.lea.lycos[3].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@fortunecity[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@gostats[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@go[2].txt
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@hc2.humanclick[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@hitbox[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@i.screensavers[2].txt
Spyware:Cookie/Kmpads Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@kmpads[2].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@landing.domainsponsor[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@linkexchange[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@maxserving[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@mediaplex[1].txt
Spyware:Cookie/Media-motor Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@mmm.media-motor[2].txt
Spyware:Cookie/Mp3search Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@mp3search[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@overture[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@realmedia[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@revenue[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@rn11[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@searchportal.information[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@sel.as-eu.falkag[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@serving-sys[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@statcounter[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@stats1.reliablestats[2].txt
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@targetnet[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@toplist[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@tribalfusion[1].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@tucows[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@uol.com[2].txt
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@valueclick[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@winfixer[1].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@wizzle[1].txt
Spyware:Cookie/ademails Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@www.ademails[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@www.errorsafe[1].txt
Spyware:Cookie/seeqA Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@www.seeq[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@xiti[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@xmts[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Mark The Killer\Cookies\mark the killer@zedo[2].txt
markus212
2006-04-05, 21:18
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Mark The Killer\Desktop\,\General (2)\hijackthis\backups\backup-20050501-191117-924.inf
Adware:Adware/ActiveSearch Not disinfected C:\Documents and Settings\Mark The Killer\Desktop\hijackthis\backups\backup-20060403-164846-717.dll
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Documents and Settings\Mark The Killer\Desktop\hijackthis\backups\backup-20060403-164846-953.inf
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Mark The Killer\Local Settings\Temp\Cookies\mark the killer@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Mark The Killer\Local Settings\Temp\Cookies\mark the killer@888[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Mark The Killer\Local Settings\Temp\Cookies\mark the killer@adopt.hbmediapro[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Mark The Killer\Local Settings\Temp\Cookies\mark the killer@atwola[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Mark The Killer\Local Settings\Temp\Cookies\mark the killer@cassava[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Mark The Killer\Local Settings\Temp\Cookies\mark the killer@maxserving[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Mark The Killer\Local Settings\Temp\Cookies\mark the killer@realmedia[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Mark The Killer\Local Settings\Temp\Cookies\mark the killer@winfixer[2].txt
Spyware:Cookie/DelfinMedia Not disinfected C:\Documents and Settings\Miyoko\Cookies\miyoko@delfinproject[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Miyoko\Cookies\miyoko@xmts[1].txt
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\InetGet\freeprodtb.exe
Adware:Adware/ActiveSearch Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\EB66E293-D5A4-4DE9-ABE2-1FA5A4\AA765B4F-9AEA-4B69-8EA3-6CF20F
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\2.bin\M3OUTLCN.DLL
Dialer:Dialer.APH Not disinfected C:\WINDOWS\Downloaded Program Files\gba1735.exe
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\RESTORE.INS[PSKILL.EXE]
Virus:Trj/Downloader.HXL Not disinfected C:\WINDOWS\sec.chm[page.htm]
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\sec.chm[UWAS5_0001_LP51NetInstaller.exe]
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\sec.chm[UWFX5_0001_LP1014NetInstaller.exe]
Adware:Adware/CWS Not disinfected C:\WINDOWS\sec.chm[xload.exe]
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\system\RESTORE.INS[PSKILL.EXE]
Adware:Adware/Deskwizz Not disinfected C:\WINDOWS\system32\ad.html
Spyware:Cookie/Gaytrafficbroker Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\system@gaytrafficbroker[1].txt
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EV6VO1CB\casino-ico[1].bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EV6VO1CB\drugs[1].bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EV6VO1CB\virus[1].bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OPZRAT3M\dating[1].bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OPZRAT3M\fav[2].bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VLCADOKU\casino[1].bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VLCADOKU\dating-ico[2].bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VLCADOKU\dating[1].bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WXYNO1EF\casino-ico[1].bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WXYNO1EF\drugs-ico[1].bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WXYNO1EF\fav-ico[1].bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WXYNO1EF\virus[1].bmp
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\dr.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\WINDOWS\system32\f3PSSavr.scr
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\system32\in10thinInstDSTU43s.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\lybhav-1.0.0.dll
Adware:Adware/CommAd Not disinfected C:\WINDOWS\TWFyayBUaGUgS2lsbGVy\asappsrv.dll
Adware:Adware/CommAd Not disinfected C:\WINDOWS\TWFyayBUaGUgS2lsbGVy\nqIVuV1ou3o0mZ5Pv3pV.vbs
Adware:Adware/CommAd Not disinfected C:\WINDOWS\TWFyayBUaGUgS2lsbGVy\__delete_on_reboot__command.exe
markus212
2006-04-05, 21:18
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\uninstall_nmon.vbs
Go ahead and uninstall/delete the programs/files we've used this far for the cleaning process.. :)
Please print these instructions out, or write them down, as you can't read them during the fix.
Before going to the Avenger..
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Next,
Please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Fixit.reg to your C:\ drive (to your Local Disk).
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\ALTNETDM]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{30CE93AE-4987-483C-9ABE-F2BD5301AB70}]
Do NOT do anything with it yet!
==
Next:
1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop.
Click on Avenger.zip to open the file
Extract Avenger.exe to your desktop.
2. Copy all the text in bold contained in the quotebox below to a blank notepad file:
Files to delete:
C:\WINDOWS\SYSTEM32\ad.html
C:\WINDOWS\SYSTEM32\atmtd.dll
C:\WINDOWS\SYSTEM32\f3PSSavr.scr
C:\WINDOWS\SYSTEM32\favico.dat
C:\WINDOWS\SYSTEM32\paydial.exe
C:\WINDOWS\SYSTEM32\tibs.exe
C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWFX6_0001_N69M1503NetInstaller.exe
C:\drsmartload1.exe
C:\WINDOWS\azesearch.bmp
C:\WINDOWS\tool.exe
C:\WINDOWS\ubber60.ini
C:\Documents and Settings\Mark The Killer\Favorites\Free Hardcore Porn
C:\WINDOWS\Downloaded Program Files\gba1735.exe
C:\WINDOWS\sec.chm
C:\WINDOWS\system32\dr.exe
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\in10thinInstDSTU43s.dll
C:\WINDOWS\system32\lybhav-1.0.0.dll
Folders to delete:
C:\WINDOWS\TWFyayBUaGUgS2lsbGVy\
C:\PROGRAM FILES\FunWebProducts
C:\PROGRAM FILES\NDW
C:\PROGRAM FILES\Spyware Stormer
C:\PROGRAM FILES\COMMON FILES\InetGet
C:\WINDOWS\SYSTEM32\SBUtils
C:\Program Files\MyWebSearch\
Programs to launch on reboot:
C:\Fixit.reg
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to the notepad file into this window
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
Restarts your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it briefly opens a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
You should get an request for the Registry modification, Please allow it by hitting YES.
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste all the contents of avenger.txt into your reply along with a fresh HJT log by using AddReply. :bigthumb:
markus212
2006-04-06, 00:33
avenger.txt
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\grpdojxa
*******************
Script file located at: \??\C:\WINDOWS\mjlrrewd.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\SYSTEM32\ad.html deleted successfully.
File C:\WINDOWS\SYSTEM32\atmtd.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\f3PSSavr.scr deleted successfully.
File C:\WINDOWS\SYSTEM32\favico.dat deleted successfully.
File C:\WINDOWS\SYSTEM32\paydial.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\tibs.exe deleted successfully.
File C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWFX6_0001_N69M1503NetInstaller.exe deleted successfully.
File C:\drsmartload1.exe deleted successfully.
File C:\WINDOWS\azesearch.bmp deleted successfully.
File C:\WINDOWS\tool.exe deleted successfully.
File C:\WINDOWS\ubber60.ini deleted successfully.
Error: C:\Documents and Settings\Mark The Killer\Favorites\Free Hardcore Porn is a folder, not a file!
Deletion of file C:\Documents and Settings\Mark The Killer\Favorites\Free Hardcore Porn failed!
Could not process line:
C:\Documents and Settings\Mark The Killer\Favorites\Free Hardcore Porn
Status: 0xc00000ba
File C:\WINDOWS\Downloaded Program Files\gba1735.exe deleted successfully.
File C:\WINDOWS\sec.chm deleted successfully.
File C:\WINDOWS\system32\dr.exe deleted successfully.
File C:\WINDOWS\system32\f3PSSavr.scr not found!
Deletion of file C:\WINDOWS\system32\f3PSSavr.scr failed!
Could not process line:
C:\WINDOWS\system32\f3PSSavr.scr
Status: 0xc0000034
File C:\WINDOWS\uninstall_nmon.vbs deleted successfully.
File C:\WINDOWS\system32\in10thinInstDSTU43s.dll deleted successfully.
File C:\WINDOWS\system32\lybhav-1.0.0.dll deleted successfully.
Folder C:\WINDOWS\TWFyayBUaGUgS2lsbGVy deleted successfully.
Folder C:\PROGRAM FILES\FunWebProducts deleted successfully.
Folder C:\PROGRAM FILES\NDW deleted successfully.
Folder C:\PROGRAM FILES\Spyware Stormer deleted successfully.
Folder C:\PROGRAM FILES\COMMON FILES\InetGet deleted successfully.
Folder C:\WINDOWS\SYSTEM32\SBUtils deleted successfully.
Folder C:\Program Files\MyWebSearch deleted successfully.
Program C:\Fixit.reg successfully set up to run once on reboot.
Completed script processing.
*******************
Finished! Terminate.
markus212
2006-04-06, 00:36
by the way, is add reply the same thing as post reply? I notice you've written it twice, I dont often post in forums
here is the hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 22:34:25, on 05/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\cpuidle.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mark The Killer\Desktop\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer brought to you by Planetis
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 69.50.166.14 yahoo.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
O4 - HKCU\..\Run: [AutoUpdate] C:\Program Files\Serials3k\s3k_autoupdate.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139692815468
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2728CAE1-1766-406B-A7ED-BC49E804556B}: NameServer = 194.72.0.98 194.72.9.38
O17 - HKLM\System\CS1\Services\Tcpip\..\{2728CAE1-1766-406B-A7ED-BC49E804556B}: NameServer = 194.72.0.98 194.72.9.38
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: cpuidle - Unknown owner - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
Yes, Post reply is the same as AddReply (I'm using "Canned Speeches" for some programs, and don't sometimes remember to edit them accordingly) :)
Please delete this file:
C:\Documents and Settings\Mark The Killer\Favorites\Free Hardcore Porn
Other than that, how's the system running at the moment?
markus212
2006-04-06, 23:19
yeah the system is running much smoother now, there's the occasional harassment from winfixer 2006, some days it pops almost every 10 seconds, somedays it doesn't pop up at all,
thanks for all your help though, especially with that horrible surf side kick thing, I'm glad to see the back of it :bigthumb:
You can go ahead and delete/uninstall all the programs/files we used this far with the cleaning process. :)
==
Please download WebRoot SpySweeper from HERE (http://www.webroot.com/php/tryme.php?bjpc=64000&vcode=DT02) (It's a 2 week trial):
Click Download Now to download the program.
Install it. Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Options on the left side.
Click the Sweep Options tab.
Under What to Sweep please put a check next to the following:
Sweep Memory
Sweep Registry
Sweep Cookies
Sweep All User Accounts
Enable Direct Disk Sweeping
Sweep Contents of Compressed Files
Sweep for Rootkits
Please UNCHECK Do not Sweep System Restore Folder.
Click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply.
markus212
2006-04-09, 19:18
here is the spy sweeper session log:
Part 1
********
15:09: | Start of Session, 09 April 2006 |
15:09: Spy Sweeper started
15:09: Sweep initiated using definitions version 652
15:09: Starting Memory Sweep
15:17: Memory Sweep Complete, Elapsed Time: 00:07:36
15:17: Starting Registry Sweep
15:17: Found Adware: blazefind
15:17: HKCR\admilliservx.installer\ (3 subtraces) (ID = 104436)
15:17: HKLM\software\classes\admilliservx.installer\ (3 subtraces) (ID = 104466)
15:17: HKLM\software\classes\winservadx.installer\ (3 subtraces) (ID = 104512)
15:17: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/admilliservx.dll\ (2 subtraces) (ID = 104525)
15:17: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\admilliservx.dll (ID = 104540)
15:17: HKCR\winservadx.installer\ (3 subtraces) (ID = 104577)
15:17: Found Adware: blazefind_adstat
15:17: HKLM\software\classes\winformx.installer\ (3 subtraces) (ID = 104587)
15:17: HKCR\winformx.installer\ (3 subtraces) (ID = 104593)
15:17: Found Adware: elitemediagroup-mediamotor
15:17: HKLM\software\classes\typelib\{466c63ac-f26e-49f1-861a-e07da768a46a}\ (9 subtraces) (ID = 140131)
15:17: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/m67m.ocx\ (2 subtraces) (ID = 140170)
15:17: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\m67m.ocx (ID = 140199)
15:17: HKCR\typelib\{466c63ac-f26e-49f1-861a-e07da768a46a}\ (9 subtraces) (ID = 140223)
15:17: Found Trojan Horse: topconverting downloader
15:17: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\loader2.ocx (ID = 143829)
15:17: Found Trojan Horse: trojan_backdoor_retro64
15:17: HKCR\interface\{450b9e4d-4014-4de3-b34e-014a81468293}\ (8 subtraces) (ID = 144995)
15:17: HKLM\software\classes\interface\{450b9e4d-4014-4de3-b34e-014a81468293}\ (8 subtraces) (ID = 145000)
15:17: HKLM\software\classes\typelib\{c7f00a9a-f1bc-436e-82c7-e8cae6fd67f7}\ (9 subtraces) (ID = 145003)
15:17: HKCR\typelib\{c7f00a9a-f1bc-436e-82c7-e8cae6fd67f7}\ (9 subtraces) (ID = 145004)
15:17: Found Adware: winad
15:17: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (2 subtraces) (ID = 147191)
15:17: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaaccx.dll (ID = 147221)
15:17: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (2 subtraces) (ID = 763026)
15:17: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediagatewayx.dll (ID = 763028)
15:17: Found Adware: command
15:17: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
15:17: Found Adware: dollarrevenue
15:17: HKLM\software\policies\ || {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} (ID = 916803)
15:17: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || nomodify (ID = 958653)
15:17: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || noremove (ID = 958654)
15:17: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || norepair (ID = 958655)
15:17: HKLM\software\policies\ || {6bf52a52-394a-11d3-b153-00c04f79faa6} (ID = 967836)
15:17: HKCR\appid\{d28cd14c-50be-4cfa-951e-b37f25da3472}\ (1 subtraces) (ID = 1023385)
15:17: HKCR\typelib\{981bda1d-c8ad-46ff-be2c-fddd859ac6f5}\ (9 subtraces) (ID = 1023387)
15:17: HKLM\software\classes\typelib\{981bda1d-c8ad-46ff-be2c-fddd859ac6f5}\ (9 subtraces) (ID = 1023399)
15:17: HKLM\software\policies\ || {645ff040-5081-101b-9f08-00aa002f954e} (ID = 1036890)
15:17: HKCR\appid\activex.dll\ || appid (ID = 1049592)
15:17: HKLM\software\classes\appid\{d28cd14c-50be-4cfa-951e-b37f25da3472}\ (1 subtraces) (ID = 1049593)
15:17: HKLM\software\classes\appid\activex.dll\ || appid (ID = 1049594)
15:17: Found Adware: zquest
15:17: HKLM\software\microsoft\windows\currentversion\uninstall\dh\ (2 subtraces) (ID = 1057035)
15:17: HKCR\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\ (4 subtraces) (ID = 1074389)
15:17: HKLM\software\classes\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\ (4 subtraces) (ID = 1074513)
15:17: HKLM\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}\ (7 subtraces) (ID = 1110756)
15:17: HKLM\software\microsoft\drsmartload2\ (1 subtraces) (ID = 1134137)
15:17: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || uninstallstring (ID = 1134952)
15:17: Found Adware: winantispyware 2005
15:17: HKCR\uwfx6pcheck.uwfx6pcheck.1\ (2 subtraces) (ID = 1136990)
15:17: HKLM\software\classes\uwfx6pcheck.uwfx6pcheck.1\ (2 subtraces) (ID = 1137248)
15:17: Found Adware: maxifiles
15:17: HKCR\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156344)
15:17: HKCR\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156348)
15:17: HKCR\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156354)
15:17: HKCR\toolband.xbtb04715\ (5 subtraces) (ID = 1156358)
15:17: HKCR\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156364)
15:17: HKCR\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156368)
15:17: HKCR\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156391)
15:17: HKLM\software\classes\toolband.xbtb04715\ (5 subtraces) (ID = 1156475)
15:17: HKLM\software\classes\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156481)
15:17: HKLM\software\classes\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156485)
15:17: HKLM\software\classes\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156508)
15:17: HKLM\software\microsoft\windows\currentversion\uninstall\xbtb04715.xbtb04715toolbar\ (2 subtraces) (ID = 1156519)
15:17: HKLM\software\classes\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156524)
15:17: HKLM\software\classes\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156528)
15:17: HKLM\software\classes\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156534)
15:17: Found Adware: topsearch
15:17: HKLM\software\topmoxie\topsearch\ (2 subtraces) (ID = 1180367)
15:17: HKLM\software\winfixer_free\ (ID = 1201404)
15:17: Found Adware: internetoptimizer
15:17: HKU\WRSS_Profile_S-1-5-21-1292428093-789336058-682003330-1006\software\avenue media\ (7 subtraces) (ID = 128887)
15:17: HKU\WRSS_Profile_S-1-5-21-1292428093-789336058-682003330-1006\software\microsoft\windows\currentversion\run\ || internet optimizer (ID = 818746)
15:17: Found Adware: cws-aboutblank
15:17: HKU\S-1-5-21-1292428093-789336058-682003330-1004\software\microsoft\internet explorer\main\ || homeoldsp (ID = 115923)
15:17: Found Adware: freshbar
15:17: HKU\S-1-5-21-1292428093-789336058-682003330-1004\software\microsoft\internet explorer\vd\ (ID = 126699)
15:17: Found Adware: findthewebsiteyouneed hijack
15:17: HKU\S-1-5-21-1292428093-789336058-682003330-1004\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
15:17: HKU\S-1-5-21-1292428093-789336058-682003330-1004\software\microsoft\internet explorer\desktop\components\0\ || source (ID = 1140816)
15:17: HKU\S-1-5-21-1292428093-789336058-682003330-1004\software\xbtb04715\ (71 subtraces) (ID = 1156401)
15:17: HKU\S-1-5-18\software\microsoft\internet explorer\desktop\components\0\ || source (ID = 1140816)
15:17: Registry Sweep Complete, Elapsed Time:00:00:41
15:17: Starting Cookie Sweep
15:17: Found Spy Cookie: a cookie
15:17: miyoko@a[1].txt (ID = 2027)
15:17: Found Spy Cookie: touchclarity cookie
15:17: miyoko@barclays.touchclarity[1].txt (ID = 3566)
15:17: Found Spy Cookie: delfinproject cookie
15:17: miyoko@delfinproject[1].txt (ID = 2509)
15:17: Found Spy Cookie: exitexchange cookie
15:17: miyoko@exitexchange[1].txt (ID = 2633)
15:17: miyoko@msn.touchclarity[1].txt (ID = 3566)
15:17: miyoko@theaa.touchclarity[1].txt (ID = 3566)
15:17: Found Spy Cookie: 247realmedia cookie
15:17: mark the killer@247realmedia[2].txt (ID = 1953)
15:17: Found Spy Cookie: 2o7.net cookie
15:17: mark the killer@2o7[2].txt (ID = 1957)
15:17: Found Spy Cookie: about cookie
15:17: mark the killer@about[1].txt (ID = 2037)
15:17: Found Spy Cookie: yieldmanager cookie
15:17: mark the killer@ad.yieldmanager[2].txt (ID = 3751)
15:17: Found Spy Cookie: adrevolver cookie
15:17: mark the killer@adrevolver[1].txt (ID = 2088)
15:17: mark the killer@adrevolver[2].txt (ID = 2088)
15:17: Found Spy Cookie: adtech cookie
15:17: mark the killer@adtech[2].txt (ID = 2155)
15:17: Found Spy Cookie: advertising cookie
15:17: mark the killer@advertising[1].txt (ID = 2175)
15:17: Found Spy Cookie: adviva cookie
15:17: mark the killer@adviva[2].txt (ID = 2177)
15:17: Found Spy Cookie: apmebf cookie
15:17: mark the killer@apmebf[1].txt (ID = 2229)
15:17: Found Spy Cookie: atwola cookie
15:17: mark the killer@ar.atwola[1].txt (ID = 2256)
15:17: Found Spy Cookie: atlas dmt cookie
15:17: mark the killer@atdmt[2].txt (ID = 2253)
15:17: mark the killer@atwola[1].txt (ID = 2255)
15:17: mark the killer@a[1].txt (ID = 2027)
15:17: Found Spy Cookie: bluestreak cookie
15:17: mark the killer@bluestreak[1].txt (ID = 2314)
15:17: Found Spy Cookie: bs.serving-sys cookie
15:17: mark the killer@bs.serving-sys[2].txt (ID = 2330)
15:17: Found Spy Cookie: casalemedia cookie
15:17: mark the killer@casalemedia[2].txt (ID = 2354)
15:17: mark the killer@compsimgames.about[2].txt (ID = 2038)
15:17: Found Spy Cookie: fastclick cookie
15:17: mark the killer@fastclick[2].txt (ID = 2651)
15:17: Found Spy Cookie: maxserving cookie
15:17: mark the killer@maxserving[1].txt (ID = 2966)
15:17: Found Spy Cookie: mediaplex cookie
15:17: mark the killer@mediaplex[1].txt (ID = 6442)
15:17: Found Spy Cookie: questionmarket cookie
15:17: mark the killer@questionmarket[1].txt (ID = 3217)
15:17: Found Spy Cookie: realmedia cookie
15:17: mark the killer@realmedia[2].txt (ID = 3235)
15:17: Found Spy Cookie: serving-sys cookie
15:17: mark the killer@serving-sys[2].txt (ID = 3343)
15:17: Found Spy Cookie: statcounter cookie
15:17: mark the killer@statcounter[1].txt (ID = 3447)
15:17: Found Spy Cookie: tradedoubler cookie
15:17: mark the killer@tradedoubler[1].txt (ID = 3575)
15:17: Found Spy Cookie: tribalfusion cookie
15:17: mark the killer@tribalfusion[1].txt (ID = 3589)
15:17: Found Spy Cookie: top-banners cookie
15:17: system@media.top-banners[1].txt (ID = 3548)
15:17: Cookie Sweep Complete, Elapsed Time: 00:00:07
15:17: Starting File Sweep
15:18: c:\program files\common files\winfixer 2006 (ID = -2147458863)
15:18: c:\program files\winfixer_2006 (ID = -2147458870)
15:19: a0157335.exe (ID = 275855)
15:19: a0157337.exe (ID = 275854)
15:19: a0141630.exe (ID = 133210)
15:19: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
15:19: Found Adware: effective-i toolbar
15:19: a0141624.exe (ID = 59853)
15:20: Found Trojan Horse: rbot
15:20: a0158872.exe (ID = 269648)
15:20: Found Adware: surfsidekick
15:20: a0141932.dll (ID = 242398)
15:20: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
15:21: a0157509.dll (ID = 273539)
15:21: a0160269.exe (ID = 244762)
15:21: a0150862.vbs (ID = 231442)
15:21: Found Adware: 180search assistant/zango
15:21: saap.log (ID = 70593)
15:21: saap_gdf.dat (ID = 70595)
15:22: Found Adware: delfin
15:22: a0146566.exe (ID = 164938)
15:22: a0158869.exe (ID = 231443)
15:22: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
15:23: Found Adware: look2me
15:23: a0141934.dll (ID = 163672)
15:23: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
15:23: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
15:23: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
15:23: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
15:23: a0146565.ocx (ID = 194608)
15:24: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
15:25: Found Trojan Horse: trojan downloader matcash
15:25: a0157852.exe (ID = 246327)
15:26: a0146505.dll (ID = 208494)
15:27: a0157853.exe (ID = 246327)
15:27: a0157336.exe (ID = 275853)
15:29: aa765b4f-9aea-4b69-8ea3-6cf20f (ID = 244763)
15:31: winfixer2006freeinstall[1].cab (ID = 269737)
15:32: winfixer2006freeinstall[3].cab (ID = 269737)
15:35: newname7[1].exe (ID = 275855)
15:35: a0160336.vbs (ID = 231442)
15:39: a0157508.exe (ID = 273538)
15:39: a0146480.dll (ID = 242398)
15:39: winfixer2006freeinstall[2].cab (ID = 269737)
15:40: a0150861.exe (ID = 231443)
15:40: a0146477.exe (ID = 242428)
15:41: winfixer2006freeinstall[4].cab (ID = 269737)
15:42: a0141979.dll (ID = 163672)
15:43: a0146507.exe (ID = 208497)
15:43: a0144435.exe (ID = 194610)
15:45: a0146563.dll (ID = 194609)
15:46: a0144453.dll (ID = 159)
15:46: saapau.dat (ID = 70594)
15:46: a0155305.dll (ID = 159)
15:46: a0157517.dll (ID = 273831)
15:46: Found Adware: deskwizz
15:46: a0157854.exe (ID = 240959)
15:46: a0142129.dll (ID = 159)
15:47: a0144151.dll (ID = 159)
15:47: a0146481.dll (ID = 242399)
15:47: a0141930.dll (ID = 163672)
15:48: salm_kyf_update.dat (ID = 93790)
15:48: backup-20060403-164846-717.dll (ID = 244763)
15:48: a0155303.dll (ID = 163672)
15:48: a0157851.exe (ID = 269649)
15:48: a0153087.sys (ID = 238540)
15:49: Found Adware: whenu savenow
15:49: a0153088.exe (ID = 74460)
15:49: a0144434.dll (ID = 159)
15:49: a0146585.dll (ID = 159)
15:49: a0155304.dll (ID = 163672)
15:50: Found Adware: webhancer
15:50: a0157340.exe (ID = 267157)
15:50: a0157770.exe (ID = 185254)
15:50: a0157772.exe (ID = 244762)
15:50: a0160334.exe (ID = 144946)
15:51: a0146587.dll (ID = 159)
15:52: a0153086.dll (ID = 238551)
15:52: a0159908.dll (ID = 244763)
15:52: a0141622.exe (ID = 216718)
15:52: a0141931.exe (ID = 242428)
15:52: a0158867.exe (ID = 269649)
15:52: Found Adware: whenu save
15:52: a0153021.dll (ID = 182873)
15:52: Found Adware: purityscan
15:52: a0158868.exe (ID = 271320)
15:53: a0160270.dll (ID = 159)
15:54: a0155292.dll (ID = 163672)
15:54: a0141593.exe (ID = 185254)
15:55: a0148691.exe (ID = 238538)
15:55: a0144401.dll (ID = 159)
15:56: a0141626.dll (ID = 166754)
15:56: Found Adware: mirar webband
15:56: a0141625.exe (ID = 133208)
15:56: a0141629.dll (ID = 133227)
15:57: saap_kyf.dat (ID = 70596)
15:57: a0141617.exe (ID = 168558)
15:57: Found Adware: wildmedia
15:57: update10[1].xml (ID = 88967)
15:58: a0150191.exe (ID = 252966)
15:59: a0141634.exe (ID = 212831)
15:59: a0146586.dll (ID = 159)
16:00: a0146561.dll (ID = 159)
16:00: a0144422.dll (ID = 159)
16:00: a0141631.exe (ID = 212828)
16:00: a0141633.exe (ID = 212830)
markus212
2006-04-09, 19:19
part 2:
141947.exe (ID = 242377)
16:01: autoit3.exe (ID = 185254)
16:01: a0141953.dll (ID = 159)
16:02: a0141973.dll (ID = 159)
16:02: a0141978.exe (ID = 238554)
16:02: a0141933.dll (ID = 242399)
16:02: Found Adware: targetsaver
16:02: a0141628.exe (ID = 193501)
16:02: class-barrel (ID = 78229)
16:03: a0146557.dll (ID = 159)
16:03: a0141619.dll (ID = 195129)
16:03: a0153020.exe (ID = 233591)
16:03: vocabulary (ID = 78283)
16:03: a0141952.dll (ID = 242406)
16:04: a0141929.dll (ID = 144945)
16:04: a0157756.dll (ID = 244763)
16:04: a0141607.exe (ID = 144946)
16:04: a0141616.exe (ID = 215896)
16:06: a0159934.exe (ID = 275853)
16:06: m67m.inf (ID = 133213)
16:07: salm_gdf.dat (ID = 93789)
16:07: a0153022.exe (ID = 233592)
16:08: a0159933.exe (ID = 275854)
16:08: a0159932.exe (ID = 275855)
16:09: a0160332.dll (ID = 144945)
16:09: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
16:09: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
16:09: a0144353.dll (ID = 159)
16:09: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
16:09: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
16:09: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
16:10: a0146560.dll (ID = 159)
16:10: a0144433.dll (ID = 159)
16:11: a0160263.dll (ID = 166754)
16:11: atmtd.dll._ (ID = 166754)
16:11: a0141635.config (ID = 212361)
16:11: a0146558.dll (ID = 159)
16:12: a0142105.dll (ID = 159)
16:12: a0146559.dll (ID = 159)
16:14: salmau.dat (ID = 93788)
16:14: a0157667.ini (ID = 273524)
16:14: dh.ini (ID = 273524)
16:14: sk02[1].ini (ID = 273524)
16:14: a0160333.vbs (ID = 185675)
16:14: a0155265.ini (ID = 238253)
16:14: a0146577.vbs (ID = 185675)
16:15: Found Adware: azsearch toolbar
16:15: azesearch.inf (ID = 50327)
16:15: Found Adware: ist istbar
16:15: backup-20050501-191117-924.inf (ID = 64605)
16:15: Found Adware: wildflics
16:15: backup-20050501-191117-713.inf (ID = 122157)
16:15: a0141614.bat (ID = 212353)
16:15: a0141632.config (ID = 212358)
16:16: Warning: Unhandled Archive Type
16:21: Warning: Unhandled Archive Type
16:23: backup.zip (ID = 166754)
16:23: Warning: Unhandled Archive Type
16:24: Warning: Unhandled Archive Type
16:24: Warning: Unhandled Archive Type
16:45: Warning: Unhandled Archive Type
16:45: Warning: Unhandled Archive Type
16:45: Warning: Unhandled Archive Type
16:45: Warning: Unhandled Archive Type
16:45: Warning: Unhandled Archive Type
16:45: Warning: Unhandled Archive Type
16:45: Warning: Invalid Stream
16:45: Warning: Invalid Stream
16:45: Warning: Invalid Stream
16:45: Warning: Invalid Stream
16:45: Warning: Invalid Stream
16:50: File Sweep Complete, Elapsed Time: 01:32:23
16:50: Full Sweep has completed. Elapsed time 01:40:55
16:50: Traces Found: 519
17:11: Removal process initiated
17:11: Quarantining All Traces: 180search assistant/zango
17:12: Quarantining All Traces: cws-aboutblank
17:12: Quarantining All Traces: ist istbar
17:12: Quarantining All Traces: look2me
17:12: Quarantining All Traces: purityscan
17:12: Quarantining All Traces: rbot
17:12: Quarantining All Traces: trojan downloader matcash
17:12: Quarantining All Traces: wildmedia
17:12: Quarantining All Traces: azsearch toolbar
17:12: Quarantining All Traces: blazefind
17:12: Quarantining All Traces: delfin
17:12: Quarantining All Traces: dollarrevenue
17:12: Quarantining All Traces: elitemediagroup-mediamotor
17:12: Quarantining All Traces: internetoptimizer
17:12: Quarantining All Traces: maxifiles
17:12: Quarantining All Traces: surfsidekick
17:13: Quarantining All Traces: topconverting downloader
17:13: Quarantining All Traces: trojan_backdoor_retro64
17:13: Quarantining All Traces: winad
17:13: Quarantining All Traces: zquest
17:13: Quarantining All Traces: blazefind_adstat
17:13: Quarantining All Traces: command
17:13: Quarantining All Traces: deskwizz
17:13: Quarantining All Traces: effective-i toolbar
17:13: Quarantining All Traces: findthewebsiteyouneed hijack
17:13: Quarantining All Traces: freshbar
17:13: Quarantining All Traces: mirar webband
17:13: Quarantining All Traces: targetsaver
17:14: Quarantining All Traces: topsearch
17:14: Quarantining All Traces: webhancer
17:14: Quarantining All Traces: wildflics
17:14: Quarantining All Traces: 247realmedia cookie
17:14: Quarantining All Traces: 2o7.net cookie
17:14: Quarantining All Traces: a cookie
17:14: Quarantining All Traces: about cookie
17:14: Quarantining All Traces: adrevolver cookie
17:14: Quarantining All Traces: adtech cookie
17:14: Quarantining All Traces: advertising cookie
17:14: Quarantining All Traces: adviva cookie
17:14: Quarantining All Traces: apmebf cookie
17:14: Quarantining All Traces: atlas dmt cookie
17:14: Quarantining All Traces: atwola cookie
17:14: Quarantining All Traces: bluestreak cookie
17:14: Quarantining All Traces: bs.serving-sys cookie
17:14: Quarantining All Traces: casalemedia cookie
17:14: Quarantining All Traces: delfinproject cookie
17:14: Quarantining All Traces: exitexchange cookie
17:14: Quarantining All Traces: fastclick cookie
17:14: Quarantining All Traces: maxserving cookie
17:14: Quarantining All Traces: mediaplex cookie
17:14: Quarantining All Traces: questionmarket cookie
17:14: Quarantining All Traces: realmedia cookie
17:14: Quarantining All Traces: serving-sys cookie
17:14: Quarantining All Traces: statcounter cookie
17:14: Quarantining All Traces: top-banners cookie
17:14: Quarantining All Traces: touchclarity cookie
17:14: Quarantining All Traces: tradedoubler cookie
17:14: Quarantining All Traces: tribalfusion cookie
17:14: Quarantining All Traces: whenu savenow
17:14: Quarantining All Traces: whenu save
17:14: Quarantining All Traces: winantispyware 2005
17:14: Quarantining All Traces: yieldmanager cookie
17:15: Removal process completed. Elapsed time 00:03:51
********
15:03: | Start of Session, 09 April 2006 |
15:03: Spy Sweeper started
15:07: Your spyware definitions have been updated.
15:09: | End of Session, 09 April 2006 |
Then one more HijackThis log. Go ahead and uninstall SpySweeper. :)
How's the system running now?
markus212
2006-04-11, 21:27
here is the hijackthis log, and my system is doing well :bigthumb:
Logfile of HijackThis v1.99.1
Scan saved at 19:26:17, on 11/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\cpuidle.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Soulseek\slsk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mark The Killer\Desktop\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer brought to you by Planetis
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 69.50.166.14 yahoo.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
O4 - HKCU\..\Run: [AutoUpdate] C:\Program Files\Serials3k\s3k_autoupdate.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139692815468
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2728CAE1-1766-406B-A7ED-BC49E804556B}: NameServer = 194.72.0.98 194.72.9.38
O17 - HKLM\System\CS1\Services\Tcpip\..\{2728CAE1-1766-406B-A7ED-BC49E804556B}: NameServer = 194.72.0.98 194.72.9.38
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: cpuidle - Unknown owner - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
Thats looking clean. Glad I was able to help. :)
==
Please read here how to clear old restore points and create a new one (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx).
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Here's some tips for future to prevent spyware;
Detect and Remove Programs:
How to use Ad-Aware to remove Spyware (http://www.bleepingcomputer.com/forums/?showtutorial=48) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware (http://www.bleepingcomputer.com/forums/?showtutorial=43) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
Spywareblaster (http://www.javacoolsoftware.com/spywareblaster.html) <= SpywareBlaster will prevent spyware from being installed. (My favourite)
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Other necessary Programs:
AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG (http://www.grisoft.com/) or Anti-Vir (http://www.free-av.com/), or a shareware version like Norton or Kaspersky, this is a must have.
Firewall <= A firewall (http://www.google.com/search?hl=en&lr=&q=define%3Afirewall&btnG=Search) is definatley a must have. Two good free versions are Sygate (http://www.sygate.com/) and ZoneLabs (http://www.zonelabs.com/store/content/home.jsp).
More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox (http://www.mozilla.com/).And also see TonyKlein's good advice;
So how did I get infected in the first place? (http://castlecops.com/postlite7736-.html) (My favourite)
markus212
2006-04-13, 22:08
ok, thanks again for all your help :)
Since this issue is now resolved, this Topic has been archived. Should you need it reopened for any reason, please PM an Staff member with it's address and request. This only applies to the Original poster. Glad we were able to help. :)