Your Help Greatly Appreciated...



shayshay2k
2006-05-14, 03:14
Hi, so I just came across this site while trying to fix my computer because of an incredible amount of malware/spyware/adware/whatever else I could have gotten. So, these are all the logs I was directed to save and paste on here for help. I got the directions as to what I needed from here:
http://forums.spybot.info/showthread.php?t=4015

I'll paste the logs in the order I scanned with them.

SmitFraudFix v2.43

Scan done at 15:36:36.50, Sat 05/13/2006
Run from C:\Documents and Settings\Administrator.SHAYMUS\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\alexaie.dll FOUND !
C:\WINDOWS\alxie328.dll FOUND !
C:\WINDOWS\alxtb1.dll FOUND !
C:\WINDOWS\BTGrab.dll FOUND !
C:\WINDOWS\dlmax.dll FOUND !
C:\WINDOWS\osaupd.exe FOUND !
C:\WINDOWS\Pynix.dll FOUND !
C:\WINDOWS\susp.exe FOUND !
C:\WINDOWS\wupdmgr.exe FOUND !
C:\WINDOWS\ZServ.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\a.exe FOUND !
C:\WINDOWS\system32\alxres.dll FOUND !
C:\WINDOWS\system32\bridge.dll FOUND !
C:\WINDOWS\system32\CWS_iestart.exe FOUND !
C:\WINDOWS\system32\dailytoolbar.dll FOUND !
C:\WINDOWS\system32\jao.dll FOUND !
C:\WINDOWS\system32\mirarsearch_toolbar.exe FOUND !
C:\WINDOWS\system32\questmod.dll FOUND !
C:\WINDOWS\system32\runsrv32.dll FOUND !
C:\WINDOWS\system32\runsrv32.exe FOUND !
C:\WINDOWS\system32\shell386.exe FOUND !
C:\WINDOWS\system32\tcpservice2.exe FOUND !
C:\WINDOWS\system32\txfdb32.dll FOUND !
C:\WINDOWS\system32\udpmod.dll FOUND !
C:\WINDOWS\system32\winapi32.dll FOUND !
C:\WINDOWS\system32\winbrume.dll FOUND !
C:\WINDOWS\system32\winmuse.exe FOUND !
C:\WINDOWS\system32\winsrv32.exe FOUND !
C:\WINDOWS\system32\wstart.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator.SHAYMUS\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1.SHA\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}"="DCOM Server"

[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}\InProcServer32]
@="C:\WINDOWS\system32\dcom_15.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}\InProcServer32]
@="C:\WINDOWS\system32\dcom_15.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:42:18 PM, 5/13/2006
+ Report-Checksum: F5920F6C

+ Scan result:

HKLM\SOFTWARE\Alexa Internet -> Adware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\AlxTB.BHO -> Adware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\DailyToolbar.DLL -> Adware.DailyToolbar : Cleaned with backup
HKLM\SOFTWARE\Classes\Bridge.brdg -> Adware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E52DEDBB-D168-4BDB-B229-C48160800E81} -> Hijacker.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\DailyToolbar.IEBand -> Adware.DailyToolbar : Cleaned with backup
HKLM\SOFTWARE\Classes\DailyToolbar.SysMgr -> Adware.DailyToolbar : Cleaned with backup
HKLM\SOFTWARE\Classes\IEToolbar.AffiliateCtl -> Adware.DailyToolbar : Cleaned with backup
HKLM\SOFTWARE\Classes\jao.jao -> Adware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Classes\PopMenu.Menu -> Adware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Popup.PopupKiller -> Adware.Alexa : Cleaned with backup
HKLM\SOFTWARE\DailyToolbar -> Adware.DailyToolbar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e52dedbb-d168-4bdb-b229-c48160800e81} -> Hijacker.Generic : Cleaned with backup
HKLM\SOFTWARE\NIX Solutions -> Adware.DailyToolbar : Cleaned with backup
HKLM\SOFTWARE\NIX Solutions\DailyToolbar -> Adware.DailyToolbar : Cleaned with backup
HKLM\SOFTWARE\RespondMiter -> Adware.VX2 : Cleaned with backup
HKU\S-1-5-21-436374069-1645522239-682003330-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A19EF336-01D4-48E6-926A-FE7E1C747AED} -> Adware.MWSearch : Cleaned with backup
HKU\S-1-5-21-436374069-1645522239-682003330-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DA7FF3F8-08BE-4CAC-BC00-94D91C6AE7F4} -> Adware.MWSearch : Cleaned with backup
HKU\S-1-5-21-436374069-1645522239-682003330-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E52DEDBB-D168-4BDB-B229-C48160800E81} -> Hijacker.Generic : Cleaned with backup
HKU\S-1-5-21-436374069-1645522239-682003330-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F65B197F-8260-4D52-909A-F70118E646EB} -> Adware.MWSearch : Cleaned with backup
C:\Documents and Settings\Administrator.SHAYMUS\Local Settings\Temp\i93.tmp -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Administrator.SHAYMUS\Local Settings\Temp\temp.fr162A -> Not-A-Virus.Hoax.Win32.Renos.cq : Cleaned with backup
C:\Documents and Settings\Administrator.SHAYMUS\Local Settings\Temp\temp.fr4447 -> Not-A-Virus.Hoax.Win32.Renos.cq : Cleaned with backup
C:\Documents and Settings\Shay\Cookies\shay@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Shay\Cookies\shay@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Shay\Cookies\shay@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Shay\Cookies\shay@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Shay\Cookies\shay@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup
C:\Program Files\Internet Explorer\loader.exe -> Downloader.Agent.akj : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup
C:\WINDOWS\SYSC00.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\system32\0mcamcap.exe -> Proxy.Small.bo : Cleaned with backup
C:\WINDOWS\system32\shell386.exe -> Not-A-Virus.Hoax.Win32.Renos.cm : Cleaned with backup
C:\WINDOWS\system32\tc.dll -> Proxy.Agent.df : Cleaned with backup
C:\WINDOWS\system32\TheMatrixHasYou.exe -> Proxy.Small.bo : Cleaned with backup
C:\WINDOWS\system32\winapi32.dll -> Not-A-Virus.Hoax.Win32.Renos.ck : Cleaned with backup
C:\WINDOWS\system32\winbrume.dll -> Adware.BHO : Cleaned with backup
C:\WINDOWS\system32\winmuse.exe -> Downloader.Agent.akj : Cleaned with backup
C:\WINDOWS\system32\winsrv32.exe -> Not-A-Virus.Hoax.Win32.Renos.cl : Cleaned with backup
C:\WINDOWS\unin101.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup

::Report End

shayshay2k
2006-05-14, 03:17
Spybot
--- Search result list ---
VX2.g.SiteHlpr: Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FFD2825E-0785-40C5-9A41-518F53A8261F}

ABetterInternet: Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-C1EC-0345-6EC2-4D0300000000}

Admess: Root class (Registry key, fixed)
HKEY_CLASSES_ROOT\WStart.WHttpHelper.1

Admess: Root class (Registry key, fixed)
HKEY_CLASSES_ROOT\WStart.WHttpHelper

BlazeFind.Bridge: Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}

BlazeFind.Bridge: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{4FDBDBAD-FEFE-4C4C-9CC1-1181052AFB12}

Command Service: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

CoolWWWSearch.Feat2Installer: Autorun settings (Transponder) (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Transponder

DailyToolbar: System file (File, fixed)
C:\WINDOWS\system32\DailyToolbar.dll

DailyToolbar: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{8333C319-0669-4893-A418-F56D9249FCA6}

DailyToolbar: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{58F9B276-E1CC-458E-8159-21CBC021874B}

SpywareNo: Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B52CCF85-726D-471C-B72C-CA9F104C5B98}

SpywareNo: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{B52CCF85-726D-471C-B72C-CA9F104C5B98}

SpywareNo: Root class (Registry key, fixed)
HKEY_CLASSES_ROOT\winapi32.MyBHO

Statblaster.All files7: Uninstall settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bridge

Statblaster.All files7: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{80BB7465-A638-43B5-9827-8E8FE38DFCC1}

Statblaster.All files7: Type library (Registry key, fixed)
HKEY_CLASSES_ROOT\TypeLib\{C094876D-1B0E-46FA-B6A6-7FFC0F970C27}

VX2.b.BDS: Global settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Transponder

Windows.ActiveDesktop: User settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-436374069-1645522239-682003330-500\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoHTMLWallPaper!=W=1

--- Spybot - Search && Destroy version: 1.3 ---
2006-05-12 Includes\Cookies.sbi
2006-05-12 Includes\Dialer.sbi
2006-05-12 Includes\Hijackers.sbi
2006-05-12 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2006-05-12 Includes\Malware.sbi
2006-05-12 Includes\PUPS.sbi
2006-05-12 Includes\Revision.sbi
2006-05-12 Includes\Security.sbi
2006-05-12 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2006-05-12 Includes\Trojans.sbi

--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB867282
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Security Update for Windows XP (KB883939)
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Security Update for Windows XP (KB896688)
/ Windows XP / SP3: Update for Windows XP (KB896727)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899588)
/ Windows XP / SP3: Security Update for Windows XP (KB899589)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB903235)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB905915)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Security Update for Windows XP (KB911927)
/ Windows XP / SP3: Security Update for Windows XP (KB912919)
/ Windows XP / SP3: Security Update for Windows XP (KB913446)

--- Startup entries list ---
Located: HK_LM:Run, Adware.Srv32
command: C:\WINDOWS\system32\runsrv32.exe
file: C:\WINDOWS\system32\runsrv32.exe
size: 8192
MD5: 852209c328ec868bf829730a682fa24d

Located: HK_LM:Run, IntelliType
command: "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
file: C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
size: 94208
MD5: b5eca5948d7f8eaa00333231f33ea31a

Located: Startup (disabled), InterVideo WinCinema Manager (DISABLED)
command: C:\PROGRA~1\INTERV~1\Common\Bin\WINCIN~1.EXE
file: C:\PROGRA~1\INTERV~1\Common\Bin\WINCIN~1.EXE
size: 184320
MD5: 89528b9d5809a941eb2377b4745d601d

Located: Startup (disabled), qxhq (DISABLED)
command: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\qxhq.exe

--- Browser helper object list ---
{00000000-59D4-4008-9058-080011001200} ()
BHO name:
CLSID name:

{00000000-F09C-02B4-6EC2-AD0300000000} ()
BHO name:
CLSID name:

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx / AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\
Long name: AcroIEHelper.ocx
Short name: ACROIE~1.OCX
Date (created): 10/12/2004 7:44:12 PM
Date (last access): 5/13/2006 4:31:18 PM
Date (last write): 4/16/2001 4:39:02 PM
Filesize: 37808
Attributes: archive
MD5: 8394ABFC1BE196A62C9F532511936DF7
CRC32: 71D6E350
Version: 0.1.0.0

{196B9CB5-4C83-46F7-9B06-9672ECD9D99B} ()
BHO name:
CLSID name:

{3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} ()
BHO name:
CLSID name:

{7564B020-44E8-4c9b-A887-C6EC41AC67DA} (CFG32S)
BHO name: CFG32S
CLSID name: CPub Object

{7b55bb05-0b4d-44fd-81a6-b136188f5deb} ()
BHO name:
CLSID name:

{8333c319-0669-4893-a418-f56d9249fca6} ()
BHO name:
CLSID name:

{C68AE9C0-0909-4DDC-B661-C1AFB9F59898} (Scaggy Insert)
BHO name: Scaggy Insert
CLSID name: CPub Object

--- ActiveX list ---
{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
description: Macromedia ShockWave Flash Player 7
classification: Unknown
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 5/20/2005 11:54:50 PM
Date (last access): 5/13/2006 12:38:14 PM
Date (last write): 9/9/2004 2:49:12 PM
Filesize: 54488
Attributes: archive
MD5: 943193399C341AC34E842CB07B5F29A0
CRC32: 12DEB8F4
Version: 0.10.0.1

{3A7FE611-1994-4EF1-A09F-99456752289D} ()
DPF name:
CLSID name:

{54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class)
DPF name:
CLSID name: EARTPatchX Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: EARTPX.dll
Short name:
Date (created): 10/26/2003 3:25:18 PM
Date (last access): 5/13/2006 6:45:22 PM
Date (last write): 10/26/2003 3:25:18 PM
Filesize: 133712
Attributes: archive
MD5: B58365C0A1A1A1E94BFD07FD7CC9314C
CRC32: 9D644047
Version: 0.1.0.0

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Path: C:\WINDOWS\system32\
Long name: wuweb.dll
Short name:
Date (created): 3/20/2005 10:31:32 PM
Date (last access): 4/8/2006 2:06:36 PM
Date (last write): 5/26/2005 4:19:32 AM
Filesize: 173536
Attributes: archive
MD5: C459F2D5E64C942F3F66E1CD7F1C4C00
CRC32: EEF66B50
Version: 0.5.0.8

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_02
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.5.0_02\bin\
Long name: NPJPI150_02.dll
Short name: NPJPI1~1.DLL
Date (created): 3/4/2005 3:36:50 AM
Date (last access): 5/11/2006 10:09:32 PM
Date (last write): 3/4/2005 3:54:18 AM
Filesize: 69746
Attributes: archive
MD5: 6C9A4C573C0C771D99D902EE06DA3CBB
CRC32: 55F989EE
Version: 0.5.0.0

{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_02
Path: C:\Program Files\Java\jre1.5.0_02\bin\
Long name: NPJPI150_02.dll
Short name: NPJPI1~1.DLL
Date (created): 3/4/2005 3:36:50 AM
Date (last access): 5/13/2006 6:54:52 PM
Date (last write): 3/4/2005 3:54:18 AM
Filesize: 69746
Attributes: archive
MD5: 6C9A4C573C0C771D99D902EE06DA3CBB
CRC32: 55F989EE
Version: 0.5.0.0

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash8a.ocx
Short name:
Date (created): 1/2/2006 11:13:28 AM
Date (last access): 5/13/2006 3:23:22 PM
Date (last write): 1/2/2006 11:13:28 AM
Filesize: 1443464
Attributes: readonly archive
MD5: 3066BB99502AE33AE44F17954AF56B8F
CRC32: 658FAE72
Version: 0.8.0.0

{D7BF3304-138B-4DD5-86EE-491BB6A2286C} ()
DPF name:
CLSID name:

{DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object)
DPF name:
CLSID name: PopCapLoader Object

{FA13A9FA-CA9B-11D2-9780-00104B242EA3} ()
DPF name:
CLSID name:

--- Process list ---
Spybot - Search && Destroy process list report, 5/13/2006 6:54:51 PM

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 156 ( 4) \SystemRoot\System32\smss.exe
PID: 216 ( 156) csrss.exe
PID: 240 ( 156) \??\C:\WINDOWS\system32\winlogon.exe
PID: 284 ( 240) C:\WINDOWS\system32\services.exe
PID: 296 ( 240) C:\WINDOWS\system32\lsass.exe
PID: 456 ( 284) C:\WINDOWS\system32\svchost.exe
PID: 520 ( 284) svchost.exe
PID: 564 ( 284) C:\WINDOWS\system32\svchost.exe
PID: 784 ( 764) C:\WINDOWS\Explorer.EXE
PID: 800 ( 784) C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
PID: 1844 ( 784) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 5/13/2006 6:54:51 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
about:blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
about:blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://ie.search.msn.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant Explorer\Main\Default_Search_URL
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

THE REPORT WILL CONTINUE NEXT POST - TOO BIG

shayshay2k
2006-05-14, 03:17
--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C135CD5D-1818-4FED-BF1E-15D5EB42AA6F}] SEQPACKET 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C135CD5D-1818-4FED-BF1E-15D5EB42AA6F}] DATAGRAM 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C0F20A57-0EF8-44EB-A8A0-0A3B95F5999B}] SEQPACKET 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C0F20A57-0EF8-44EB-A8A0-0A3B95F5999B}] DATAGRAM 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0A7A0B36-F387-47EE-9142-1D0D5B7CBBF2}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0A7A0B36-F387-47EE-9142-1D0D5B7CBBF2}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FA58990C-477A-4E0C-90E3-9A2948303695}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FA58990C-477A-4E0C-90E3-9A2948303695}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9F41B9E8-0D51-4001-AEDC-A7F556F0355D}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9F41B9E8-0D51-4001-AEDC-A7F556F0355D}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C999412D-841F-4C5E-80CE-63B3DDC30A9F}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C999412D-841F-4C5E-80CE-63B3DDC30A9F}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6A011D48-2485-4EB3-A85C-C0DA87D43758}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6A011D48-2485-4EB3-A85C-C0DA87D43758}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{15C20333-F349-4149-9F91-BEA48B5F242A}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{15C20333-F349-4149-9F91-BEA48B5F242A}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{07F4388C-9208-42CC-BBF3-3F26578CB061}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip_{07F4388C-9208-42CC-BBF3-3F26578CB061}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace
-END OF REPORT-

SmitFraudFix v2.43 - (This is after running it again)

Scan done at 18:56:04.15, Sat 05/13/2006
Run from C:\Documents and Settings\Administrator.SHAYMUS\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\alexaie.dll Deleted
C:\WINDOWS\alxie328.dll Deleted
C:\WINDOWS\alxtb1.dll Deleted
C:\WINDOWS\blue-bg.gif Deleted
C:\WINDOWS\BTGrab.dll Deleted
C:\WINDOWS\close-bar.gif Deleted
C:\WINDOWS\dlmax.dll Deleted
C:\WINDOWS\Pynix.dll Deleted
C:\WINDOWS\remove-spyware-btn.gif Deleted
C:\WINDOWS\susp.exe Deleted
C:\WINDOWS\warning-bar-ico.gif Deleted
C:\WINDOWS\win-sec-center-logo.gif Deleted
C:\WINDOWS\ZServ.dll Deleted
C:\WINDOWS\system32\a.exe Deleted
C:\WINDOWS\system32\alxres.dll Deleted
C:\WINDOWS\system32\bridge.dll Deleted
C:\WINDOWS\system32\CWS_iestart.exe Deleted
C:\WINDOWS\system32\jao.dll Deleted
C:\WINDOWS\system32\mirarsearch_toolbar.exe Deleted
C:\WINDOWS\system32\questmod.dll Deleted
C:\WINDOWS\system32\runsrv32.dll Deleted
C:\WINDOWS\system32\runsrv32.exe Deleted
C:\WINDOWS\system32\tcpservice2.exe Deleted
C:\WINDOWS\system32\txfdb32.dll Deleted
C:\WINDOWS\system32\udpmod.dll Deleted
C:\WINDOWS\system32\wstart.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End


Logfile of HijackThis v1.99.1
Scan saved at 7:01:34 PM, on 5/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll (file missing)
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll (file missing)
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Administrator"
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120686901041
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/1/sux.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - file://E:\games\WebDriverFullInstall.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O21 - SSODL: VZtOEVByHbr - {30B0B721-9A1A-1D8B-08BA-7B1261EE5E62} - C:\WINDOWS\system32\tc.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /Service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PDEngine - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDSched.exe

-END OF LOG-


If anyone could help me, I would appreciate it so much. I had a problem with something similar probably 7 months ago (SpySheriff crap) and I managed to fix it by myself, just by searching for files by time created and everything, and running Spybot/Ad-Aware/Kaspersky. This one seems to be too much for me though.

Thanks again for any help!

LonnyRJones
2006-05-17, 18:59
Hi shayshay2k
Replace Spybot 1.3 with the current version, 1.4, and run a check for problems and fix any problems found.
http://www.safer-networking.org/en/download/index.html

Post back with a fresh hijackthis log and mention any problems you have noticed.

tashi
2006-05-22, 16:37
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a pm and provide a link to the thread.

Applies only to the original topic starter.

shayshay2k
2006-06-01, 04:34
My last post, I ended up forgetting about because I managed to fix the problems I had. Anyway, here is a fresh HijackThis log after running into more problems.

Logfile of HijackThis v1.99.1
Scan saved at 8:32:53 PM, on 5/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100.tmp (file missing)
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll (file missing)
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Administrator"
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120686901041
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/1/sux.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - file://E:\games\WebDriverFullInstall.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\javaw.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O20 - Winlogon Notify: wintfj32 - C:\WINDOWS\SYSTEM32\wintfj32.dll
O21 - SSODL: VZtOEVByHbr - {30B0B721-9A1A-1D8B-08BA-7B1261EE5E62} - C:\WINDOWS\system32\tc.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /Service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PDEngine - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDSched.exe

tashi
2006-06-01, 05:08
If you need it re-opened please send me or your helper a pm and provide a link to the thread.

Two topics merged. ;)

LonnyRJones
2006-06-01, 18:53
Start HijackThis and place a check next to these items, if there.
R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100.tmp (file missing)
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll (file missing)
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/Activ...veLauncher.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/1/sux.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\javaw.dll
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O20 - Winlogon Notify: wintfj32 - C:\WINDOWS\SYSTEM32\wintfj32.dll
O21 - SSODL: VZtOEVByHbr - {30B0B721-9A1A-1D8B-08BA-7B1261EE5E62} - C:\WINDOWS\system32\tc.dll (file missing)
====================================
Hit fix checked (disregard the Hijackthis error) and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post another log and mention any current problems.
Also: Post a report from this tool if any FILES show.
F-Secure BlackLight: http://www.f-secure.com/blacklight/try.shtml
Click the I accept button near the bottom of that page.
Download and run BlackLight: click > Scan, then > Next, Next again, then Exit.
There will be a new txt near BlackLight. Post it please.
Important: If any files show, do not rename them YET..... legitimate files can be listed.
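
The items LonnyRJones picks out above are the ones a reader of a HijackThis log learns to spot by hand: entries whose file is gone, an AppInit_DLLs value, Winlogon Notify handlers that are not Windows defaults, SSODL entries, and ActiveX downloads from unfamiliar hosts. As an added example (not code from this thread, the Spybot forum or HijackThis itself), the Python script below applies those same checks to the 5/31 log lines posted above. The allowlist of default Winlogon Notify packages and the list of trusted O16 hosts are assumptions made for this example, and the "BHO with no display name" rule goes one step past the helper's list.

```python
"""Triage HijackThis v1.99 log lines the way a forum helper reads them.

Added example, not code from the thread or from HijackThis. The sample lines
are copied from the 5/31/2006 log posted in the thread; the two allowlists
below are assumptions made for this example.
"""
import re
from dataclasses import dataclass

# Assumption: default Windows XP Winlogon notification packages plus the two
# vendor handlers (ATI, Intel graphics) that Silent Runners attributed to
# signed vendors later in the thread. winlogon.exe loads every listed DLL at
# logon, so anything not on this list deserves a look.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon", "AtiExtEvent", "igfxcui",
}

# Assumption: hosts whose O16 ActiveX downloads the helper left in place.
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "files.ea.com",
                     "download.games.yahoo.com"}

ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d{1,2}) - (?P<body>.*)$")
HOST_RE = re.compile(r"https?://([^/\s]+)")


@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. "O20"
    reason: str  # why the entry was picked out
    line: str    # the original log line


def parse_entry(line):
    """Split 'O20 - Winlogon Notify: ...' into ('O20', 'Winlogon Notify: ...')."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def triage_line(line):
    """Return a Finding for a suspicious entry, or None for a benign one."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    kind, body = parsed
    if "(file missing)" in body:
        return Finding(kind, "orphaned entry: registry points at a file that no longer exists", line)
    if kind == "R3":
        return Finding(kind, "URLSearchHook differs from the default (hooks IE address-bar searches)", line)
    if kind == "O2" and ("(no name)" in body or body.startswith("BHO: Nothing")):
        return Finding(kind, "BHO with no display name loaded into Internet Explorer", line)
    if kind == "O16":
        m = HOST_RE.search(body)
        if m and m.group(1) not in TRUSTED_DPF_HOSTS:
            return Finding(kind, f"ActiveX control downloaded from unlisted host {m.group(1)}", line)
    if kind == "O20" and body.startswith("AppInit_DLLs:"):
        return Finding(kind, "AppInit_DLLs set: DLL injected into every process that loads user32.dll", line)
    if kind == "O20" and body.startswith("Winlogon Notify:"):
        handler = body.split(":", 1)[1].split(" - ", 1)[0].strip()
        if handler not in KNOWN_WINLOGON_NOTIFY:
            return Finding(kind, f"unlisted Winlogon Notify handler '{handler}' loaded by winlogon.exe", line)
    if kind == "O21":
        return Finding(kind, "ShellServiceObjectDelayLoad entry: DLL loaded into explorer.exe at startup", line)
    return None


def triage_log(text):
    """Run triage_line over every line of a log and keep the hits, in log order."""
    return [f for f in map(triage_line, text.strip().splitlines()) if f is not None]


# Subset of the 5/31/2006 HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100.tmp (file missing)
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll (file missing)
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120686901041
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/1/sux.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - file://E:\games\WebDriverFullInstall.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\javaw.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O20 - Winlogon Notify: wintfj32 - C:\WINDOWS\SYSTEM32\wintfj32.dll
O21 - SSODL: VZtOEVByHbr - {30B0B721-9A1A-1D8B-08BA-7B1261EE5E62} - C:\WINDOWS\system32\tc.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"{finding.kind}: {finding.reason}")
        print(f"    {finding.line}")
```

Run against the sample, the script returns the same ten entries the helper asked to have fixed, in log order. The rules are deliberately conservative: an unlisted Winlogon Notify handler or an unfamiliar O16 host is a reason to look, not proof of infection, which is also why the helper's instructions for BlackLight say not to rename anything yet.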

tashi
2006-06-08, 09:53
shayshay2k?

tashi
2006-06-11, 10:40
This topic is closed due to lack of a response.
If you need it re-opened please send me a pm and provide a link to the thread.

Applies only to the original topic starter.

tashi
2006-06-18, 00:04
Re-opened.

shayshay2k
2006-06-18, 00:27
Alright, thanks for reopening this and helping me out.

Ok, I would post a HijackThis log, but whenever I scan it and hit "save log", the program just quits on me. I uninstalled/reinstalled it and I'm still running into that problem. So, we need to clear that hurdle first. Solutions?

LonnyRJones
2006-06-18, 03:17
"whenever I scan it and hit "save log", the program just quits on me"

Does a log get created where you save it to?
Have any problems opening other .log files?

Where is the BlackLight log?

shayshay2k
2006-06-18, 04:20
Isn't it supposed to ask me where I want to save the log? If not, how can I find out where it's saving? When I did it last time (if I'm remembering right) HT asked me to choose a place for the log. It's not doing that right now. The program is just closing. Am I remembering wrong, or is it not working? Old HT logs I can open, but they are old. Other .log files are fine too for other programs.

I'll get BlackLight and run it right now...

I told Tashi this, but I just got caught up in school the last few weeks and forgot about any problems I had because it seemed to be working alright. Sorry, I'll get on this though. Just tell me what to do.

shayshay2k
2006-06-18, 04:27
06/17/06 20:22:17 [Info]: BlackLight Engine 1.0.37 initialized
06/17/06 20:22:17 [Info]: OS: 5.1 build 2600 (Service Pack 2)
06/17/06 20:22:17 [Note]: 7019 4
06/17/06 20:22:17 [Note]: 7005 0
06/17/06 20:22:23 [Note]: 7006 0
06/17/06 20:22:23 [Note]: 7011 220
06/17/06 20:22:24 [Note]: 7026 0
06/17/06 20:22:24 [Note]: 7026 0
06/17/06 20:22:32 [Note]: FSRAW library version 1.7.1015
06/17/06 20:25:07 [Note]: 7007 0


There's the log (I think) after running BlackLight. It said that there were no hidden processes or anything.

My problem right now is pop-ups every little bit telling me to get WinAntiVirus/Other Win*** products. Even when I'm not doing anything, they will pop-up. All my running processes I can see through Task Manager are ones I know and am familiar with, so if it's a process, I can't find it myself.

LonnyRJones
2006-06-18, 07:26
Try renaming HijackThis to something else, such as test.exe, and running it.
Also, if you haven't restarted your PC for a while, do so and try again.

Download and run Silent Runners.vbs and post the log it creates, please.
http://www.silentrunners.org/sr_scriptuse.html Click No to not skip the supplementary searches.
Wait until there is an All Done message!! Then open and post the log next to it.
Your antivirus script protection might interfere or alert; please allow it to run. After a bit a box will say done.

shayshay2k
2006-06-18, 07:46
HijackThis Log
Logfile of HijackThis v1.99.1
Scan saved at 11:39:27 PM, on 6/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\TEST.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5DF09093-B004-427D-9100-E446E44747A1} - C:\WINDOWS\system32\vturq.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Administrator"
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120686901041
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - file://E:\games\WebDriverFullInstall.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: vturq - C:\WINDOWS\system32\vturq.dll
O20 - Winlogon Notify: wintfj32 - C:\WINDOWS\SYSTEM32\wintfj32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /Service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PDEngine - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDSched.exe



Silent Runners Script Log
"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IntelliType" = ""C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{5DF09093-B004-427D-9100-E446E44747A1}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\vturq.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{1CAA843A-6DBD-40EF-AB71-8F7B209997C0}" = "IntelliType Pro Key Settings Control Panel Property Page"
-> {HKLM...CLSID} = "ITPropertyPage Class"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Hardware\Keyboard\itcpl.dll" [MS]
"{2D140D0A-ED49-11D3-93DF-0010A4F52FF6}" = "BitZipperShellExt"
-> {HKLM...CLSID} = "BitZipperShellExt"
\InProcServer32\(Default) = "C:\Program Files\BitZipper\BZShlExt.dll" ["Bitberry Software"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{29e3fb5b-cf62-45b5-b8bf-1ad500385fc7}" = "Shell Context Menu Handler for Application References"
-> {HKLM...CLSID} = "Shell Context Menu Handler for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{29e3fb5b-cf62-45b5-b8bf-1ad500385fc6}" = "Shell Context Menu Handler for Application Manifests"
-> {HKLM...CLSID} = "Shell Context Menu Handler for Application Manifests"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {HKLM...CLSID} = "Shell Icon Handler for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{aea3d2df-2b2c-4d7b-81a0-d975c6dc088e}" = "alongshore"
-> {HKCU...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\yhbdupd.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "PDBoot.exe autocheck autochk *" [file not found], [file not found], [MS], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! vturq\DLLName = "C:\WINDOWS\system32\vturq.dll" [null data]
INFECTION WARNING! wintfj32\DLLName = "wintfj32.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
BitZipperShellExt\(Default) = "{2D140D0A-ED49-11D3-93DF-0010A4F52FF6}"
-> {HKLM...CLSID} = "BitZipperShellExt"
\InProcServer32\(Default) = "C:\Program Files\BitZipper\BZShlExt.dll" ["Bitberry Software"]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {HKLM...CLSID} = "Ctest Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\KAV Shared Files\AvpShlEx.dll" ["Kaspersky Labs."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {HKLM...CLSID} = "Ctest Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
BitZipperShellExt\(Default) = "{2D140D0A-ED49-11D3-93DF-0010A4F52FF6}"
-> {HKLM...CLSID} = "BitZipperShellExt"
\InProcServer32\(Default) = "C:\Program Files\BitZipper\BZShlExt.dll" ["Bitberry Software"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\KAV Shared Files\AvpShlEx.dll" ["Kaspersky Labs."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Administrator.SHAYMUS\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\scrnsave.scr" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVP Control Centre Service, AVPCC, ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /Service" ["Kaspersky Labs."]
iPod Service, iPodService, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 197 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 28 seconds.
---------- (total run time: 275 seconds)

LonnyRJones
2006-06-18, 08:02
Run HijackThis, click > "config" then "misc tools" > "delete file on reboot"
(exact spelling counts!!! so don't browse to the files)
Copy/Paste the bolded line below into the File name box, then click Open:
C:\WINDOWS\system32\yhbdupd.dll
Answer No to the prompt to reboot.
Do the same for this file:
C:\WINDOWS\system32\wintfj32.dll
and again answer No to the prompt to reboot.

Please download VundoFix.exe (http://www.atribune.org/content/view/24/2/)
to your desktop.
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
When VundoFix re-opens, right-click the list box, then select Add Files and add
C:\WINDOWS\system32\vturq.dll
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click Yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shut down your computer; click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HijackThis log.

shayshay2k
2006-06-18, 08:20
VundoFix keeps not re-opening after I click the little "Run as a task" box. I've waited for five minutes and still nothing.

shayshay2k
2006-06-18, 09:32
Check that, I've waited for more than an hour now. Still hasn't re-opened. I need to go to bed, so I'll just leave my computer on all night so I don't have to restart it and possibly mess up what we're doing here.

Thanks for the help, I'll check back in here in the morning.

LonnyRJones
2006-06-18, 10:13
Hi
Try this
Go Start > Programs > Accessories > System Tools > Scheduled Tasks
Right-click on At1 and choose Run.

shayshay2k
2006-06-18, 20:32
Ok, I go to Start > Programs > Accessories > System Tools > Scheduled Tasks. It's the only option in there involving tasks. I click it, and a window opens up called "Scheduled Tasks" and my only option is to "Add Scheduled Task." I went in there to look around, and I couldn't find At1, so I browsed for VundoFix.exe and told that to run when the next minute hit. It then gave me an error screen that says:

"The new task has been created, but may not run because the account information could not be set. The specific error is: 0x80041315: The task scheduler service is not running."

So, I click OK because I have to, the window closes, and the "Scheduled Tasks" folder window is open, this time with a "VundoFix" option right under the "Add Scheduled Task." So I right-click on that, click run, and I get another error message:

"Unable to start the service"

So, I don't know what to do. I'm running XP Professional, and I know that we are picky about what services we install, because some of them are annoying/unnecessary and are just there so Windows can try and control our computer for us. We might have taken it out of the installation. I'm going to look around online and see if I can get it anywhere, and then I'll check back here, and if you don't know what to do, I'll install it and go from your last step.

Thanks a lot man, I didn't know it was going to be this big a pain in the butt, haha, so thank you.

shayshay2k
2006-06-18, 22:17
OK, I managed to get my Scheduled Tasks up and running now, so I can do what you said. I looked up how to enable it on the Windows website. I'll run VundoFix through it and see what happens...

OK, it's working now. I'll post again with the log in a minute.

shayshay2k
2006-06-18, 22:22
VundoFix Log
Attempting to delete C:\WINDOWS\system32\vturq.dll
C:\WINDOWS\system32\vturq.dll Has been deleted!

Performing Repairs to the registry.
Done!


HijackThis Log
Logfile of HijackThis v1.99.1
Scan saved at 2:22:10 PM, on 6/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\TEST.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B420E0F6-BB74-4E08-8AA5-ECC16B5398BC} - C:\WINDOWS\system32\vturq.dll (file missing)
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Administrator"
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120686901041
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - file://E:\games\WebDriverFullInstall.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: wintfj32 - wintfj32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /Service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PDEngine - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDSched.exe


Alright, there they are. The HT Log and the VundoFix log. What do I need next?

LonnyRJones
2006-06-19, 02:42
Good work

Start Hijackthis and place a check next to these items, if there.
O2 - BHO: (no name) - {B420E0F6-BB74-4E08-8AA5-ECC16B5398BC} - C:\WINDOWS\system32\vturq.dll (file missing)
O20 - Winlogon Notify: wintfj32 - wintfj32.dll (file missing)
====================================
Hit fix checked and close Hijackthis.

Update Sun's Java manually
Sun Java V1.5.0_07 is Available:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

Go get the latest version of adobe reader

Post a report from one or both of these free online scans
Panda ActiveScan-Free online scanner,
http://www.pandasoftware.com/products/activescan.htm
Do a full scan > Click the my computer button
After the scan, click see report, then save the report and post it back here please.
Computer Associates eTrust AV Web Scanner: http://www3.ca.com/virusinfo/virusscan.aspx
Select all drives, scan, try to cure/repair; if it cannot, choose delete! If it cannot delete, tell us the file names and locations.

Post back with one more Hijackthis log, mention any problems.
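The two entries the helper singles out above share one tell-tale: HijackThis reports the referenced file as "(file missing)", so the registry still points at a DLL that VundoFix has already deleted. The script below is an added example for this thread, not code from HijackThis or from any tool the helper used. It parses HijackThis-style entry lines and flags the kinds of items a reviewer would look at first: orphaned references, an unnamed BHO, a Winlogon Notify DLL given only as a bare file name, and a command line with an unbalanced quote. The sample lines are copied from the logs posted in this thread; the flagging heuristics are this example's own assumptions and produce a review list, not a removal list.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B420E0F6-BB74-4E08-8AA5-ECC16B5398BC} - C:\WINDOWS\system32\vturq.dll (file missing)
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: wintfj32 - wintfj32.dll (file missing)
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /Service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# A HijackThis entry is "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
MISSING = "(file missing)"


def parse_entries(text):
    """Return a list of (section, body) tuples for every entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def target_of(body):
    """The last ' - ' separated field is the file the entry points at."""
    target = body.rsplit(" - ", 1)[-1]
    return target.replace(MISSING, "").strip()


def triage(text):
    """Flag entries worth a second look. Returns [(section, body, [reasons])].

    The heuristics are this example's own assumptions, not HijackThis rules:
      * the referenced file no longer exists (orphaned autostart/BHO entry)
      * a BHO with no name (legitimate add-ons normally register one)
      * an O20 Winlogon Notify DLL given as a bare file name, so it is
        resolved through the DLL search path rather than a fixed location
      * an unbalanced quote in the command line, which makes Windows and
        HijackThis parse the path differently from what the author intended
    """
    findings = []
    for section, body in parse_entries(text):
        reasons = []
        if MISSING in body:
            reasons.append("file missing")
        if section == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("unnamed BHO")
        if section == "O20" and "\\" not in target_of(body):
            reasons.append("bare DLL name in Winlogon Notify")
        if body.count('"') % 2 == 1:
            reasons.append("unbalanced quote in path")
        if reasons:
            findings.append((section, body, reasons))
    return findings


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {'; '.join(reasons)}\n    {body}")
```

Run against the sample, it reports the vturq.dll BHO and the wintfj32 Winlogon Notify entry, which are the two items the helper asked to fix, and also the AVPCC service line, because its stray quote is what makes HijackThis report the Kaspersky executable as missing. Whether a flagged line is malware or a harmless registration glitch is still the reviewer's call; the script only narrows the list.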

shayshay2k
2006-06-19, 07:12
OK, results after upgrading JRE and Adobe, and then running both of the scans:

ActiveScan Log
Incident Status Location

Adware:adware/cws.searchmeup Not disinfected c:\windows\uniq
Adware:adware/commad Not disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7943585a-2060316f.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7943585a-2060316f.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7943585a-2060316f.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7943585a-2060316f.zip[Beyond.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-28679adb-2b1603d9.zip[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-28679adb-2b1603d9.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-28679adb-2b1603d9.zip[NewSecurityClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-28679adb-2b1603d9.zip[NewURLClassLoader.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-47723671-4aaf42c0.zip[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-47723671-4aaf42c0.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-47723671-4aaf42c0.zip[NewSecurityClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-47723671-4aaf42c0.zip[NewURLClassLoader.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bae16f0-78637b84.zip[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bae16f0-78637b84.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bae16f0-78637b84.zip[NewSecurityClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bae16f0-78637b84.zip[NewURLClassLoader.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-cb66fa7-39213768.zip[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-cb66fa7-39213768.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-cb66fa7-39213768.zip[NewSecurityClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-cb66fa7-39213768.zip[NewURLClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-217a6652-58d6b294.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-217a6652-58d6b294.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-217a6652-58d6b294.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-217a6652-58d6b294.zip[Parser.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-5c362d1c-31f30a1a.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-5c362d1c-31f30a1a.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-5c362d1c-31f30a1a.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-5c362d1c-31f30a1a.zip[Parser.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv661.jar-255146ea-58613cb0.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv661.jar-255146ea-58613cb0.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv661.jar-255146ea-58613cb0.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv661.jar-255146ea-58613cb0.zip[Parser.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv661.jar-897c2ff-2412db17.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv661.jar-897c2ff-2412db17.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv661.jar-897c2ff-2412db17.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv661.jar-897c2ff-2412db17.zip[Parser.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv698.jar-2ad2754e-19780c7c.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv698.jar-2ad2754e-19780c7c.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv698.jar-2ad2754e-19780c7c.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv698.jar-2ad2754e-19780c7c.zip[Parser.class]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@ad.yieldmanager[2].txt
Log continued on next post...

shayshay2k
2006-06-19, 07:13
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@adopt.hbmediapro[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@ads.pointroll[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@adtech[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@adultfriendfinder[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@as-us.falkag[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@belnk[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@bluestreak[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@bs.serving-sys[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@burstnet[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@cgi-bin[1].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@clickbank[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@com[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@dist.belnk[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@go[2].txt
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@hotlog[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@microsofteup.112.2o7[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@realmedia[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@revenue[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@searchportal.information[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@serving-sys[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@statcounter[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@stats1.reliablestats[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@tribalfusion[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@www.burstbeacon[1].txt
Spyware:Cookie/SecurityError Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@www.systemuptodate[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@xiti[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@yadro[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Administrator.SHAYMUS\Cookies\administrator@zedo[1].txt
End Of Log

Next scan on next post...

shayshay2k
2006-06-19, 07:20
ETrust Scan Results

11 viruses detected, only 2 could be deleted. The other 9 could not be deleted or cured.

Un-deletable files

java.jar-28679adb-2b1603d9.zip>GetAccess.class
C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\

java.jar-28679adb-2b1603d9.zip>Installer.class
C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\

java.jar-47723671-4aaf42c0.zip>GetAccess.class
C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\

java.jar-47723671-4aaf42c0.zip>Installer.class
C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\

java.jar-bae16f0-78637b84.zip>GetAccess.class
C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\

java.jar-bae16f0-78637b84.zip>Installer.class
C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\

java.jar-cb66fa7-39213768.zip>GetAccess.class
C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\

java.jar-cb66fa7-39213768.zip>Installer.class
C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\

xpl[1].wmf
C:\Documents and Settings\Administrator.SHAYMUS\Local Settings\Temporary Internet Files\Content.IE5\H3BCECPV\

End Of Results

Here are the files that it could delete:

Anima.class-385e4912-5f663c7b.class
C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\

Anima.class-6986d708-666a5ad2.class
C:\Documents and Settings\Administrator.SHAYMUS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\

Ok, HT Log coming right up in the next post...

shayshay2k
2006-06-19, 07:23
HijackThis Log
Logfile of HijackThis v1.99.1
Scan saved at 11:22:17 PM, on 6/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\TEST.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Administrator"
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120686901041
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - file://E:\games\WebDriverFullInstall.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /Service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PDEngine - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDSched.exe


Alright, what do I need to do next? I haven't run into any problems since I ran the VundoFix thing, but then again, I haven't really used this computer since then. So nothing right now, but maybe at some point later, I'll keep this updated. I'm not getting any Win**** pop-ups anymore, thank god. Anything I can do to get rid of these infected files though?

LonnyRJones
2006-06-19, 07:27
Good, those are harmless (if Java is updated)

Clear Sun Java's cache
For the newer versions 1.5.xx > Control Panel > Java, click "delete temp files".
Turn off its auto-updater (it's buggy): depending on the version you have, in Control Panel > Sun Java plug-in > Update tab, uncheck its option to update automatically.

Clear the old system restore points
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Then reboot. < Don't skip that step.
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

shayshay2k
2006-06-19, 07:31
I've had System Restore off the whole time, I always have kept it off. Problem, or no? Should I just ignore your last step then?

LonnyRJones
2006-06-19, 07:39
I thought you might have had it off, why not turn it on ?

Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279
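A blocking HOSTS file of the kind linked above works by mapping every listed ad or tracker name to a loopback or null address, so the browser never reaches the real server. The checker below is an added example for this thread, not code from the MVPS project or from the Spybot forums. It parses a hosts file, collects the names that are genuinely sinkholed, and reports two things a user should want to know before installing or refreshing the file: entries that point a name at some other address (that is a redirect, the pattern hijackers use, not a block) and lines that are malformed. The sample hosts text and its domains are constructed placeholders; the names "localhost", "localhost.localdomain" and "broadcasthost" are excluded from the blocked set by assumption.

```python
"""Audit a blocking HOSTS file (added example, not the MVPS project's code)."""
import ipaddress

# Constructed sample; the domains are illustrative placeholders.
SAMPLE_HOSTS = """\
# Constructed sample, not the real MVPS file
127.0.0.1 localhost
0.0.0.0 ads.example-tracker.invalid
0.0.0.0 www.example-ads.invalid   # trailing comment
0.0.0.0 ADS.EXAMPLE-TRACKER.INVALID
203.0.113.7 www.example.com
not-an-ip somewhere.invalid
"""

# Names that legitimately map to loopback and are not "blocked" entries (assumption).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def _is_sinkhole(addr):
    """True for the addresses a blocking hosts file is allowed to use:
    127.0.0.0/8 and ::1 (loopback) or 0.0.0.0 and :: (unspecified)."""
    return addr.is_loopback or addr.is_unspecified


def parse_hosts(text):
    """Yield (lineno, address_text, names) per data line, comments stripped.
    Names are normalised to lower case without a trailing dot."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        yield lineno, fields[0], [n.lower().rstrip(".") for n in fields[1:]]


def audit_hosts(text):
    """Classify every entry.

    blocked    -> set of names sinkholed to a loopback/null address
    redirects  -> (lineno, address, name) for names sent somewhere else
    malformed  -> line numbers with an unparsable address or no hostname
    duplicates -> count of names listed more than once (harmless, but bloat)
    """
    report = {"blocked": set(), "redirects": [], "malformed": [], "duplicates": 0}
    for lineno, addr_text, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            report["malformed"].append(lineno)
            continue
        if not names:
            report["malformed"].append(lineno)
            continue
        for name in names:
            if name in LOCAL_NAMES:
                continue
            if _is_sinkhole(addr):
                if name in report["blocked"]:
                    report["duplicates"] += 1
                report["blocked"].add(name)
            else:
                report["redirects"].append((lineno, addr_text, name))
    return report


def is_blocked(report, hostname):
    """Case-insensitive lookup, tolerating a trailing dot."""
    return hostname.lower().rstrip(".") in report["blocked"]


if __name__ == "__main__":
    r = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(r['blocked'])} names blocked, {r['duplicates']} duplicates")
    for lineno, addr, name in r["redirects"]:
        print(f"line {lineno}: {name} is REDIRECTED to {addr}, not blocked")
    for lineno in r["malformed"]:
        print(f"line {lineno}: malformed entry")
```

On the sample this reports two blocked names (the upper-case repeat of ads.example-tracker.invalid counts as a duplicate, not a third entry), one redirect for www.example.com, and one malformed line. Running the same audit on a freshly downloaded hosts file before copying it into place, and again after the monthly refresh the helper recommends, is a cheap way to confirm that nothing in the file points anywhere but loopback.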

shayshay2k
2006-06-19, 09:32
From what I've heard, it tends to use a lot of processing power and memory. Plus, it isn't a necessity, so I just choose not to use it. Any specific reasons I really should use it?

LonnyRJones
2006-06-19, 10:10
If it were on and the PC was infected, and normal troubleshooting methods did not work, using System Restore probably would have.

Surf safe

shayshay2k
2006-06-19, 10:38
I got the HOSTS file to help protect me, and there isn't one thing I download that doesn't get scanned by Kaspersky the second it is done downloading. I'm usually very very careful about this kind of stuff, I've been taught pretty well. I just got kind of careless with it lately. This is the first time I've really had any trouble with this sort of stuff before.

Thanks again for all your help man. I appreciate it more than I can say. Really, I don't know what I would have done without you guys here. I know where I'm coming to if I run into any more problems in the future.

LonnyRJones
2006-06-25, 05:40
I'm glad we could help :bigthumb:
Since the problems are solved I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here, they should start a new topic.

If you should need to post another log for the same PC, let me or Tashi know.