View Full Version : infected with much spyware, including smitfraud - toolbar thingy
spybot search and destroy recently came up with the smitfraud tool bar thing. i deleted it, but the effects are still there (i.e. random search pages occuring). i've carried out the prelimanary steps, and the online panda scan brought up another 65 or so detected spyware programs.
here is the hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 18:20:07, on 10/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\PROGRA~1\FlashGet\flashget.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bala\Desktop\Hijack This system scan\HijackThis.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avscan.exe
C:\WINDOWS\system32\verclsid.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=zuzeb004YYGB
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .qcp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{037F10E7-455F-4392-AD7B-6AF2A92B5E8F}: NameServer = 85.255.116.155 85.255.112.26
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F1B5C31-0924-45A0-940E-FB99C3E83E37}: NameServer = 85.255.116.155,85.255.112.26
O17 - HKLM\System\CCS\Services\Tcpip\..\{99ED2977-0FDD-41B3-BE90-E239182F9B7B}: NameServer = 85.255.116.155,85.255.112.26
O17 - HKLM\System\CCS\Services\Tcpip\..\{B051C20B-0D3B-4D89-A612-63D32954DD95}: NameServer = 85.255.116.155,85.255.112.26
O17 - HKLM\System\CCS\Services\Tcpip\..\{C38392B3-AA90-45C4-A03A-8547B7837B25}: NameServer = 85.255.116.155,85.255.112.26
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEA2F920-61C0-431C-AC67-D7540BAAA6A7}: NameServer = 85.255.116.155,85.255.112.26
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.155 85.255.112.26
O17 - HKLM\System\CS1\Services\Tcpip\..\{037F10E7-455F-4392-AD7B-6AF2A92B5E8F}: NameServer = 85.255.116.155 85.255.112.26
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.155 85.255.112.26
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.155 85.255.112.26
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
and this is the panda online scan report:
Incident Status Location
Potentially unwanted tool:application/mywebsearch Not disinfected c:\windows\system32\f3PSSavr.scr
Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf
Adware:adware/statblaster Not disinfected Windows Registry
Spyware:spyware/new.net Not disinfected Windows Registry
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Bala\Cookies\bala@247realmedia[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Bala\Cookies\bala@adopt.hbmediapro[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Bala\Cookies\bala@ads.addynamix[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Bala\Cookies\bala@adserver.filefront[1].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Bala\Cookies\bala@anm.co[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Bala\Cookies\bala@as-eu.falkag[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Bala\Cookies\bala@ath.belnk[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Bala\Cookies\bala@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Bala\Cookies\bala@belnk[1].txt
Spyware:Cookie/Bilbo.counted Not disinfected C:\Documents and Settings\Bala\Cookies\bala@bilbo.counted[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Bala\Cookies\bala@bravenet[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Bala\Cookies\bala@burstnet[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Bala\Cookies\bala@c3.gostats[2].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Bala\Cookies\bala@centrport[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Bala\Cookies\bala@cgi-bin[10].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Bala\Cookies\bala@cgi-bin[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Bala\Cookies\bala@cgi-bin[5].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Bala\Cookies\bala@citi.bridgetrack[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Bala\Cookies\bala@com[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Bala\Cookies\bala@dist.belnk[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Bala\Cookies\bala@drivecleaner[1].txt
Spyware:Cookie/Euniverseads Not disinfected C:\Documents and Settings\Bala\Cookies\bala@euniverseads[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Bala\Cookies\bala@gostats[2].txt
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Bala\Cookies\bala@hc2.humanclick[1].txt
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Bala\Cookies\bala@hotlog[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Bala\Cookies\bala@i.screensavers[1].txt
Spyware:Cookie/Internetfuel Not disinfected C:\Documents and Settings\Bala\Cookies\bala@internetfuel[1].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Bala\Cookies\bala@kount[2].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Bala\Cookies\bala@landing.domainsponsor[2].txt
Spyware:Cookie/MetriWeb Not disinfected C:\Documents and Settings\Bala\Cookies\bala@metriweb[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Bala\Cookies\bala@microsofteup.112.2o7[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Bala\Cookies\bala@offeroptimizer[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Bala\Cookies\bala@overture[2].txt
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\Bala\Cookies\bala@paycounter[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Bala\Cookies\bala@perf.overture[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Bala\Cookies\bala@qksrv[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Bala\Cookies\bala@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Bala\Cookies\bala@realmedia[2].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Bala\Cookies\bala@rightmedia[1].txt
continued in next post....
panda online scan report continued...
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Bala\Cookies\bala@searchportal.information[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Bala\Cookies\bala@server.iad.liveperson[2].txt
Spyware:Cookie/Smartadserver Not disinfected C:\Documents and Settings\Bala\Cookies\bala@smartadserver[1].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Bala\Cookies\bala@stat.onestat[1].txt
Spyware:Cookie/Clicktracks Not disinfected C:\Documents and Settings\Bala\Cookies\bala@stats1.clicktracks[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Bala\Cookies\bala@stats1.reliablestats[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Bala\Cookies\bala@terra.com[1].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Bala\Cookies\bala@tickle[1].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Bala\Cookies\bala@tucows[1].txt
Spyware:Cookie/Versiontracker Not disinfected C:\Documents and Settings\Bala\Cookies\bala@versiontracker[1].txt
Spyware:Cookie/RealTracker Not disinfected C:\Documents and Settings\Bala\Cookies\bala@web2.realtracker[2].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Bala\Cookies\bala@webpower[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Bala\Cookies\bala@www.burstbeacon[1].txt
Spyware:Cookie/Intelli-tracker Not disinfected C:\Documents and Settings\Bala\Cookies\bala@www.intelli-tracker[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Bala\Cookies\bala@www.myaffiliateprogram[1].txt
Spyware:Cookie/seeqA Not disinfected C:\Documents and Settings\Bala\Cookies\bala@www.seeq[2].txt
Spyware:Cookie/Buydomains Not disinfected C:\Documents and Settings\Bala\Cookies\bala@www47.buydomains[1].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Bala\Cookies\bala@www48.seeq[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Bala\Cookies\bala@xiti[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Bala\Cookies\bala@xmts[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Bala\Cookies\bala@yadro[1].txt
Adware:Adware/FlashTrack Not disinfected C:\Documents and Settings\Bala\Local Settings\Temporary Internet Files\Content.IE5\GH23SHMV\channels_02[1].gif
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\jenny\Cookies\jenny@doubleclick[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\jenny\Cookies\jenny@hitbox[2].txt
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\MSN Messenger\msimg32.dll
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MSN Messenger\riched20.dll
i also got the scan report from the AniVir program. is it useful in anyway?
AntiVir PersonalEdition Classic
Report file date: 10 November 2006 18:19
Scanning for 552634 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-WURGE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: Bala
Computer name: YOUR-N4QFF8ZLBS
Version information:
AVSCAN.EXE : 7.0.0.47 200744 9/13/2006 21:28:58
AVSCAN.DLL : 7.0.0.45 41000 9/13/2006 21:28:57
LUKE.DLL : 7.0.0.47 118824 9/13/2006 21:28:59
LUKERES.DLL : 7.0.0.47 9256 9/13/2006 21:28:59
ANTIVIR0.VDF : 6.35.0.1 7371264 5/31/2006 11:21:48
ANTIVIR1.VDF : 6.36.0.228 2062336 11/2/2006 12:45:51
ANTIVIR2.VDF : 6.36.0.244 92672 11/7/2006 07:19:33
ANTIVIR3.VDF : 6.36.1.15 63488 11/10/2006 18:15:06
AVEWIN32.DLL : 7.2.0.39 1909248 11/9/2006 18:08:29
AVPREF.DLL : 7.0.0.2 23592 9/13/2006 21:28:57
AVREP.DLL : 6.36.1.1 925736 11/9/2006 18:08:29
AVRPBASE.DLL : 7.0.0.0 2162728 3/30/2006 09:43:31
AVPACK32.DLL : 7.2.0.5 368680 10/26/2006 21:59:31
AVREG.DLL : 6.31.0.90 27688 7/28/2005 11:06:36
NETNT.DLL : 6.32.0.0 6696 9/27/2005 08:56:49
NETNW.DLL : 7.0.0.0 9768 9/13/2006 21:28:59
RCIMAGE.DLL : 7.0.0.74 1642536 9/13/2006 21:28:48
RCTEXT.DLL : 7.0.1.4 77864 9/27/2006 21:56:07
Configuration settings for the scan:
Jobname.......................: Manual Selection
Configuration file............: C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\PROFILES\folder.avp
Boot sectors..................: C
Scan memory...................: 1
Process scan..................: 1
Scan all files................: 1
Scan archives.................: 1
Recursion depth...............: 20
Smart extensions..............: 1
Macro heuristic...............: 1
File heuristic................: 0
Primary action................: 1
Secondary action..............: 0
Start of the scan: 10 November 2006 18:19
The scan of running processes will be started
47 Processes were scanned
Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Starting to scan the registry.
The registry was scanned ( 29 files ).
Starting the file scan:
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Bala\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\Bala\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\Bala\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\Bala\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\Bala\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{EF8AAB7A-A86E-4162-84EB-D276399B884E}
[WARNING] The file could not be opened!
C:\Documents and Settings\Bala\Local Settings\Temp\~DF6858.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\Bala\Local Settings\Temp\~DF6897.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\RECYCLER\S-1-5-21-4060819339-1799449563-1670966297-1005\Dc216.7z
[DETECTION] Is the Trojan horse TR/Dldr.Zlob.AY
[INFO] The file was moved to '4586e663.qua'!
C:\RECYCLER\S-1-5-21-4060819339-1799449563-1670966297-1005\Dc223.7z
[DETECTION] Is the Trojan horse TR/Dldr.Zlob.AY
[INFO] The file was moved to '4586e683.qua'!
C:\RECYCLER\S-1-5-21-4060819339-1799449563-1670966297-1005\Dc245.7z
[DETECTION] Is the Trojan horse TR/Dldr.Zlob.AY
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16004
[WARNING] The source file could not be found.
C:\System Volume Information\MountPointManagerRemoteDatabase
[WARNING] The file could not be opened!
C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll
[WARNING] The file could not be opened!
C:\WINDOWS\SoftwareDistribution\EventCache\{48D9EE23-3960-47E5-9FE3-7656CA6C61A2}.bin
[WARNING] The file could not be opened!
C:\WINDOWS\system32\ActiveScan\pskavs.dll
[DETECTION] Contains signature of the Windows virus W95/Blumblebee.1738
[WARNING] The file was ignored!
C:\WINDOWS\system32\CatRoot2\edb.log
[WARNING] The file could not be opened!
C:\WINDOWS\system32\CatRoot2\tmp.edb
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\default
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\default.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SAM
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SAM.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SECURITY
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SECURITY.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\software
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\software.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\system
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\system.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\Temp\ZLT062b0.TMP
[WARNING] The file could not be opened!
C:\WINDOWS\Temp\ZLT062b7.TMP
[WARNING] The file could not be opened!
End of the scan: 10 November 2006 22:54
Used time: 4:35:02 min
The scan has been done completely.
7420 Scanning directories
444764 Files were scanned
4 viruses and/or unwanted programs were found
0 files were deleted
0 files were repaired
2 files were moved to quarantine
0 files were renamed
10296 Archives were scanned
36 Warnings
21 Notes
many many thanks to anyone of the forum team who helps me out. :bigthumb:
sorry, one more thing. this is the scan report from spybot search and destroy at the same time i did the other scans. hope it is useful.
--- Search result list ---
MyWay.MyWebSearch: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
MyWay.MyWebSearch: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}
MyWay.MyWebSearch: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
NewDotNet: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-10-21 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-11-03 Includes\Cookies.sbi (*)
2006-10-13 Includes\Dialer.sbi (*)
2006-11-03 Includes\DialerC.sbi (*)
2006-11-03 Includes\Hijackers.sbi (*)
2006-11-03 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-11-03 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-10-13 Includes\Malware.sbi (*)
2006-11-03 Includes\MalwareC.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-11-03 Includes\PUPSC.sbi (*)
2006-11-03 Includes\Revision.sbi (*)
2006-10-13 Includes\Security.sbi (*)
2006-11-03 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-11-03 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-11-03 Includes\Trojans.sbi (*)
2006-11-03 Includes\TrojansC.sbi (*)
--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Security update for Microsoft Data Access Components
/ DataAccess: Security Update for Microsoft Data Access Components
/ DirectX / DX9 / SP1: DirectX 9 Hotfix - KB839643
/ Microsoft .NET Framework 2.0: This Security Update is for Microsoft .NET Framework 2.0. \n
If you later install a more recent service pack, this Security Update will be uninstalled automatically. \n
For more information, visit http://support.microsoft.com/kb/917283
/ Microsoft .NET Framework 2.0: This Security Update is for Microsoft .NET Framework 2.0. \n
If you later install a more recent service pack, this Security Update will be uninstalled automatically. \n
For more information, visit http://support.microsoft.com/kb/922770
/ Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB898458)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Player: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player: Windows Media Update 817787
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB911565)
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB917734)
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB834707
/ Windows XP / SP3: Windows XP Hotfix - KB867282
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Security Update for Windows XP (KB883939)
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Security Update for Windows XP (KB896688)
/ Windows XP / SP3: Update for Windows XP (KB896727)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899588)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Update for Windows XP (KB900485)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB903235)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Update for Windows XP (KB904942)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB905915)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Security Update for Windows XP (KB908531)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Security Update for Windows XP (KB911280)
/ Windows XP / SP3: Security Update for Windows XP (KB911562)
/ Windows XP / SP3: Security Update for Windows XP (KB911567)
/ Windows XP / SP3: Security Update for Windows XP (KB911927)
/ Windows XP / SP3: Security Update for Windows XP (KB912812)
/ Windows XP / SP3: Security Update for Windows XP (KB912919)
/ Windows XP / SP3: Security Update for Windows XP (KB913446)
/ Windows XP / SP3: Security Update for Windows XP (KB913580)
/ Windows XP / SP3: Security Update for Windows XP (KB914388)
/ Windows XP / SP3: Security Update for Windows XP (KB914389)
/ Windows XP / SP3: Hotfix for Windows XP (KB914440)
/ Windows XP / SP3: Hotfix for Windows XP (KB915865)
/ Windows XP / SP3: Security Update for Windows XP (KB916281)
/ Windows XP / SP3: Update for Windows XP (KB916595)
/ Windows XP / SP3: Security Update for Windows XP (KB917159)
/ Windows XP / SP3: Security Update for Windows XP (KB917344)
/ Windows XP / SP3: Security Update for Windows XP (KB917422)
/ Windows XP / SP3: Security Update for Windows XP (KB917953)
/ Windows XP / SP3: Security Update for Windows XP (KB918439)
/ Windows XP / SP3: Security Update for Windows XP (KB918899)
/ Windows XP / SP3: Security Update for Windows XP (KB919007)
/ Windows XP / SP3: Security Update for Windows XP (KB920214)
/ Windows XP / SP3: Security Update for Windows XP (KB920670)
/ Windows XP / SP3: Security Update for Windows XP (KB920683)
/ Windows XP / SP3: Security Update for Windows XP (KB920685)
/ Windows XP / SP3: Update for Windows XP (KB920872)
/ Windows XP / SP3: Security Update for Windows XP (KB921398)
/ Windows XP / SP3: Security Update for Windows XP (KB921883)
/ Windows XP / SP3: Update for Windows XP (KB922582)
/ Windows XP / SP3: Security Update for Windows XP (KB922616)
/ Windows XP / SP3: Security Update for Windows XP (KB922819)
/ Windows XP / SP3: Security Update for Windows XP (KB923191)
/ Windows XP / SP3: Security Update for Windows XP (KB923414)
/ Windows XP / SP3: Security Update for Windows XP (KB924191)
/ Windows XP / SP3: Security Update for Windows XP (KB924496)
/ Windows XP / SP3: Security Update for Windows XP (KB925486)
--- Startup entries list ---
Located: HK_LM:Run, ATIPTA
command: C:\ATI-CPanel\atiptaxx.exe
file: C:\ATI-CPanel\atiptaxx.exe
size: 339968
MD5: c15310c2d1a59499be2d72022b3d3d6e
Located: HK_LM:Run, avgnt
command: "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
file: C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
size: 241704
MD5: 88ef9d47d1fb477456efbb140fd19e02
Located: HK_LM:Run, Lexmark X1100 Series
command: "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
file: C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
size: 57344
MD5: 8e7939d19e49d071110d780bf1edec21
Located: HK_LM:Run, My Web Search Bar
command: rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
file:
Located: HK_LM:Run, NeroFilterCheck
command: C:\WINDOWS\system32\NeroCheck.exe
file: C:\WINDOWS\system32\NeroCheck.exe
size: 155648
MD5: 3e4c03cefad8de135263236b61a49c90
Located: HK_LM:Run, Picasa Media Detector
command: C:\Program Files\Picasa2\PicasaMediaDetector.exe
file: C:\Program Files\Picasa2\PicasaMediaDetector.exe
size: 249927
MD5: eeea51766495025137f884d25791ba76
Located: HK_LM:Run, SoundMan
command: SOUNDMAN.EXE
file: C:\WINDOWS\SOUNDMAN.EXE
size: 66048
MD5: eef38b2781c93b30a5457318d5679253
Located: HK_LM:Run, SpeedTouch USB Diagnostics
command: "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
file: C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
size: 866816
MD5: d40191aa225638ab20e59524cdd74030
Located: HK_LM:Run, Start RF Wireless Mouse
command: C:\Program Files\RF Wireless Mouse\cm20.exe
file: C:\Program Files\RF Wireless Mouse\cm20.exe
size: 61440
MD5: e540ad4e85c1efa9a3c361a5dacd67e8
Located: HK_LM:Run, SunJavaUpdateSched
command: C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
file: C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
size: 49263
MD5: 409c45da1cfbc3fc19eec7cbfe9b2786
Located: HK_LM:Run, TkBellExe
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 180269
MD5: 1ac2c58b587c70de64582ad41ee79fba
Located: HK_LM:Run, Windows Defender
command: "C:\Program Files\Windows Defender\MSASCui.exe" -hide
file: C:\Program Files\Windows Defender\MSASCui.exe
size: 866584
MD5: 77c03bf23ae56b0a31ae4d5bb4b3d0ac
Located: HK_LM:Run, Wizard
command:
file:
Located: HK_LM:Run, Zone Labs Client
command: "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
file: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
size: 968696
MD5: 71514e2c74d554f5902dc184046eca3b
Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996a38c0b0cf151c2140ae29fc8
Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496eee0ddbe485f658693826f44d38
Located: HK_CU:Run, Steam
command: "c:\program files\steam\steam.exe" -silent
file: c:\program files\steam\steam.exe
size: 1249280
MD5: cde5895db998d361a2d95647d1da4bbf
Located: HK_CU:Run, updateMgr
command: "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
size: 313472
MD5: 43f3f6d33c793089a7c32b45da16094b
Located: Startup (common), Adobe Reader Speed Launch.lnk
command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
size: 29696
MD5: 43362b96870ce8649f4f2ec893da93f0
Located: Startup (common), Google Updater.lnk
command: C:\Program Files\Google\Google Updater\GoogleUpdater.exe
file: C:\Program Files\Google\Google Updater\GoogleUpdater.exe
size: 113080
MD5: 42459862635a7e6f7d8b1d74c0e565b3
Located: Startup (user), OpenOffice.org 2.0.lnk
command: C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
file: C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
size: 61440
MD5: 7ad01eef5a7689da15d8597bf5790884
Located: Startup (user), SpywareGuard.lnk
command: C:\Program Files\SpywareGuard\sgmain.exe
file: C:\Program Files\SpywareGuard\sgmain.exe
size: 360448
MD5: 61c028aba5e49573a6332f4a7c744e87
Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll
Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll
Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll
Located: System.ini, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, Schedule
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll
Located: System.ini, termsrv
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll
--- Browser helper object list ---
{00A6FAF1-072E-44cf-8957-5838F569A31D} ()
BHO name:
CLSID name:
description: MyWebSearch
classification: Confirmed as malware
known filename: MWSSRCAS.DLL
info link: http://www.doxdesk.com/parasite/MySearch.html
info source:
{07B18EA1-A523-4961-B6BB-170DE4475CCA} ()
BHO name:
CLSID name:
description: MyWebSearch
classification: Confirmed as malware
known filename: Mwsbar.dll
info link: http://www.doxdesk.com/parasite/MySearch.html
info source:
{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} ()
BHO name:
CLSID name:
description: New.net
classification: Confirmed as malware
known filename: newdotnet*_**.dll
info link: http://www.doxdesk.com/parasite/NewDotNet.html
info source: TonyKlein
{A5366673-E8CA-11D3-9CD9-0090271D075B} (IeCatch2 Class)
BHO name:
CLSID name: IeCatch2 Class
description: FlashGet
classification: Open for discussion
known filename: Jccatch.dll
info link: http://www.amazesoft.com/
info source: TonyKlein
Path: C:\PROGRA~1\FlashGet\
Long name: Jccatch.dll
Short name:
Date (created): 29/05/2005 14:05:06
Date (last access): 10/11/2006 18:15:38
Date (last write): 16/01/2002 18:12:18
Filesize: 65536
Attributes:
MD5: F2FAFE3CB6412C89F43D88CCEBE308F3
CRC32: B1AEC78B
Version: 1.1.4.0
{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
BHO name:
CLSID name: Google Toolbar Helper
description: Google toolbar
classification: Open for discussion
known filename: googletoolbar.dll<br>googletoolbar*.dll<br>(* = number)<br>googletoolbar_en_*.**-big.dll<br>Googletoolbar_en_*.*.**-deleon.dll
info link: http://toolbar.google.com/
info source: TonyKlein
Path: c:\program files\google\
Long name: GoogleToolbar1.dll
Short name: GOOGLE~2.DLL
Date (created): 25/03/2005 00:28:50
Date (last access): 10/11/2006 18:15:18
Date (last write): 10/11/2006 02:17:30
Filesize: 2120768
Attributes: readonly archive
MD5: B4185508B1C66A1579A76DFA6D160DAF
CRC32: EBECDDC0
Version: 4.0.1020.3054
--- ActiveX list ---
RaptisoftGameLoader (RaptisoftGameLoader)
DPF name: RaptisoftGameLoader
CLSID name:
Installer:
Codebase: http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.
{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} ()
DPF name:
CLSID name:
Installer:
Codebase:
description: FunWebProducts
classification: Confirmed as malware
known filename:
info link:
info source: Patrick M. Kolla
{233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
Path: C:\WINDOWS\system32\Macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 12/02/2005 22:01:12
Date (last access): 10/11/2006 15:26:32
Date (last write): 03/09/2006 22:10:30
Filesize: 54960
Attributes: archive
MD5: EB271B21EA6104B7C6946EF32D558C91
CRC32: CEC4E0C2
Version: 10.1.4.20
continued in next post...
ah, sorry, the spybot report is much too long. i'll wait till you reply.
i managed to save the spybot scan result for the smitfraud toolbar before i deleted it. here it is:
Smitfraud-C.Toolbar888: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4060819339-1799449563-1670966297-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A}
thanks again to anyone who helps!!
LonnyRJones
2006-11-14, 01:09
Hi
In the windows control panel addremove programs uninstall any
FunWeb and MyWebSearch programs
Please disable SpybotSD TeaTimer for now
To disable SpybotSD TeaTimer:
Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon and Uncheck the box next to Teatimer.
"resident tea timer"protection of all-over system settings) active"
Close SpyBot.
We will remind you to turn it on later
Start Hijackthis and place a check next to these items If there.
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - (no file)
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=zuzeb004YYGB
O17 - HKLM\System\CCS\Services\Tcpip\..\{037F10E7-455F-4392-AD7B-6AF2A92B5E8F}: NameServer = 85.255.116.155 85.255.112.26
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F1B5C31-0924-45A0-940E-FB99C3E83E37}: NameServer = 85.255.116.155,85.255.112.26
O17 - HKLM\System\CCS\Services\Tcpip\..\{99ED2977-0FDD-41B3-BE90-E239182F9B7B}: NameServer = 85.255.116.155,85.255.112.26
O17 - HKLM\System\CCS\Services\Tcpip\..\{B051C20B-0D3B-4D89-A612-63D32954DD95}: NameServer = 85.255.116.155,85.255.112.26
O17 - HKLM\System\CCS\Services\Tcpip\..\{C38392B3-AA90-45C4-A03A-8547B7837B25}: NameServer = 85.255.116.155,85.255.112.26
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEA2F920-61C0-431C-AC67-D7540BAAA6A7}: NameServer = 85.255.116.155,85.255.112.26
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.155 85.255.112.26
O17 - HKLM\System\CS1\Services\Tcpip\..\{037F10E7-455F-4392-AD7B-6AF2A92B5E8F}: NameServer = 85.255.116.155 85.255.112.26
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.155 85.255.112.26
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.155 85.255.112.26
====================================
Hit fix checked and close Hijackthis.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.
Note:
If You have connection problems or those paticular 017's ~ 85.255.116.155 85.255.112.26, return >
Before doing this write down all the settings, Note that not all system/setups even have these settings, While some connection service's will require them.
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties.
Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
Do that for every conntection listed.
hi lonnyrjones. just to keep posted, i'm afraid internet exporer and my computer in general is now seriously being affected by the spyware. everythings slowing down, and internet explorer as well as firefox aren't working at all. there fore i have to save your intructions, as well as the cleaning programs i have to download, all to my memory stick at a computer at universoty. then take it home and upload everything. so i'm afraid my next post will be tomorrowor the day after. just so you know.....
thanks very much for replying and helping me out. be back soon. :bigthumb:
hi lonnyrjones. my mistake. internet explorer is working again....for now. i don't know why it wasn't yesterday, i assumed it was because of the spyware stuff, cos nothing like that has happened before i think. Anyway, the report.txt file for fixwareout didn't open, and the computer couldn't find it anywhere in search. but here is the hijack this log, i hope it shows good news. many thanks for the help so far:
Logfile of HijackThis v1.99.1
Scan saved at 18:12:08, on 15/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Thomson\SpeedTouch USB\stdialup.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Bala\Desktop\Hijack This system scan\HijackThis.exe
C:\WINDOWS\SYSTEM32\taskmgr.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .qcp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
LonnyRJones
2006-11-15, 19:29
Perhaps windows defender is getting in the way
Disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make. It can be enabled when your clean.
Open Windows Defender.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable real-time spyware threat protection (recommended).
click on the Save button and close Microsoft AntiSpyware.
Right click on the Windows Defender icon on the taskbar and select Shutdown Windows Defender.
Run fixwareout again and post its report after the pc has restarted.
Also Post a report from this tool if any FILES show
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Click the i accept button near the bottom of that page.
click the first download button (version with grapichal user interface)
Download/save (not open) and run blacklite click > scan then > next, next again then exit
there will be a new txt near blacklite. post it please.
Important: If any files show Do not rename them YET.....legitimate files can be listed.
hi lonnyrjones. the black light program came up with one hidden file. so i'm going to post the report, plus the fixwareout report aswell, which did appear this time :bigthumb: .
here is the fixwareout report:
Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please
Reg Entries that were deleted
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...
PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Searching by size/names...
»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects.
Directory of C:\WINDOWS\system32
»»»»» Misc files.
»»»»» Checking for older varients covered by the Rem3 tool.
and this is the black light report:
11/15/06 21:05:35 [Info]: BlackLight Engine 1.0.47 initialized
11/15/06 21:05:35 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/15/06 21:05:35 [Note]: 7019 4
11/15/06 21:05:35 [Note]: 7005 0
11/15/06 21:05:47 [Note]: 7006 0
11/15/06 21:05:47 [Note]: 7011 2632
11/15/06 21:05:47 [Note]: 7026 0
11/15/06 21:05:47 [Note]: 7026 0
11/15/06 21:05:57 [Note]: FSRAW library version 1.7.1020
11/15/06 21:22:53 [Info]: Hidden file: c:\WINDOWS\system32\kduxo.exe
11/15/06 21:22:53 [Note]: 7002 32
11/15/06 21:22:53 [Note]: 7003 1
11/15/06 21:22:53 [Note]: 10002 1
11/15/06 21:25:43 [Note]: 2000 1012
11/15/06 21:25:43 [Note]: 2000 1012
11/15/06 21:25:43 [Note]: 2000 1012
11/15/06 21:25:43 [Note]: 2000 1012
11/15/06 21:25:43 [Note]: 2000 1012
11/15/06 21:27:19 [Note]: 7007 0
sorry, just one more thing. all the scans that i've done so far, the antvir, fixwareout, hijackthis, and blacklight. would they be more effective if done in safe mode? and would the same go for windows defender, and adaware_se personal and spybot? i've got all of them.
many thanks
LonnyRJones
2006-11-16, 00:03
Run Backlite again scan and have it take care of that file, Fallow the prompts
after the reboot run it again to double check if that file is gone.
Did any files show in that second scan ?
Safe mode is not nessesary now but in the future if for example Ad-Aware has trouble with a nastie then yes try it in safe mode. NOT safe mode with networking.
hi lonnyrjones, i'm afraid i have some bad news (maybe), i ran the blacklight scan again, but it didn't detect anything, i did it again and the same. however, between receiving your intructions to run it and get rid of the file and actually running, i scanned the system with asadaware, which detected three malicous files, that i deleted. could the file that blacklight detected been one of those?
i'll post the reports from both runs of blacklight, and another hijackthis log, just in case. once again, thanks for the help :D: .
1st blacklight report:
11/16/06 00:19:19 [Info]: BlackLight Engine 1.0.47 initialized
11/16/06 00:19:19 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/16/06 00:19:19 [Note]: 7019 4
11/16/06 00:19:19 [Note]: 7005 0
11/16/06 00:19:22 [Note]: 7006 0
11/16/06 00:19:22 [Note]: 7011 1320
11/16/06 00:19:23 [Note]: 7026 0
11/16/06 00:19:23 [Note]: 7026 0
11/16/06 00:19:33 [Note]: FSRAW library version 1.7.1020
11/16/06 00:48:35 [Note]: 2000 1012
11/16/06 00:48:35 [Note]: 2000 1012
11/16/06 00:48:35 [Note]: 2000 1012
11/16/06 00:48:35 [Note]: 2000 1012
11/16/06 00:48:35 [Note]: 2000 1012
11/16/06 00:49:00 [Note]: 7007 0
2nd blacklight report:
11/16/06 16:15:30 [Info]: BlackLight Engine 1.0.47 initialized
11/16/06 16:15:30 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/16/06 16:15:33 [Note]: 7019 4
11/16/06 16:15:33 [Note]: 7005 0
11/16/06 16:15:36 [Note]: 7006 0
11/16/06 16:15:36 [Note]: 7011 1320
11/16/06 16:15:36 [Note]: 7026 0
11/16/06 16:15:37 [Note]: 7026 0
11/16/06 16:16:02 [Note]: FSRAW library version 1.7.1020
11/16/06 17:21:10 [Note]: 2000 1012
11/16/06 17:21:10 [Note]: 2000 1012
11/16/06 17:21:10 [Note]: 2000 1012
11/16/06 17:21:10 [Note]: 2000 1012
11/16/06 17:21:10 [Note]: 2000 1012
11/16/06 17:29:49 [Note]: 7007 0
fresh hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 17:56:33, on 16/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\AntiVir PersonalEdition Classic\avscan.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bala\Desktop\Hijack This system scan\HijackThis.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .qcp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{037F10E7-455F-4392-AD7B-6AF2A92B5E8F}: NameServer = 195.92.195.95 195.92.195.94
O17 - HKLM\System\CS1\Services\Tcpip\..\{037F10E7-455F-4392-AD7B-6AF2A92B5E8F}: NameServer = 195.92.195.95 195.92.195.94
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
LonnyRJones
2006-11-16, 19:19
Well hopefully ad-aware got it.
Check again in a few days by scanning with Blacklite
Start Hijackthis and place a check next to these items If there.
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
Optional fix
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
====================================
Hit fix checked and close Hijackthis.
In addremove programs uninstall any my web search programs
since you use antivir uninstall panda
Hows your pc running ? any problems ?
hi lonnyrjones, i fixed what files there were with hijackthis. although i officially unstalled the panda software a long time ago, there's many files still around. also, theres a PavPrSrv.exe process running, which also comes up when i try to delete one of the panda software folders. it says "cannot delete, make sure whether program is in use or not". well not that exactly, but you know what i mean. so i'm wondering whether to terminate that process with windows task manager or processexplorer.exe, then deleting that panda software folder. what do you suggest?
apart from that, i think my comp is running fine. it's bit slow sometimes, but i think thats due to the daily scans of antivir and windows defender :rolleyes: . the random search pages occuring with google and other engines has stopped, so that's good. that was the only noticable problem (i think) when all this started. if you don't mind, i would like some feedback from you about how serious the infection of my computer was. i'd be very grateful.
thanks again for you time and help :2thumb:
one more question:D: , although spybot always picked up lots of "myweb" files that were spyware or adware or whatever, there was never any "mywebs" program, or that other program you recommended to remove via add/remove prgrams, in the acutal add/remove programs list. what do you think was up with that?
thanks.
LonnyRJones
2006-11-16, 20:41
myweb was evidently a leftover, Nothing to worry about.
It even comes installed on some oem pc's.
I see renmants of norton to, I assume you have uninstalled symantect/norton ?
This will remove it and that panda leftover
Open a command prompt (start run type cmd press enter) type
sc delete "PavPrSrv"
press enter, type in
sc delete "Automatic LiveUpdate Scheduler"
press enter, type exit and press enter to exit the command prompt
I would still run the cleanup tools for norton here
Symantec Removal: http://basconotw.mvps.org/SymRem.htm
"feedback from you about how serious the infection of my computer was."
Not serious in my opinion
although not complete here is a couple vendors descriptions
Symantec Security Response - Trojan.Flush.F: http://securityresponse.symantec.com/avcenter/venc/data/pf/trojan.flush.f.html
TR-Dldr.Agent.tc.4 - Full description: http://www.avira.com/en/threats/section/fulldetails/id_vir/1423/tr_dldr.agent.tc.4.html
hey lonnyrjones. thanks for the links, although i knew it was not serious, those file desriptions showed how really minor it was (comparitively). i'm lucky it wasn't anything worse. so i guess that's it. i used the command prompt to delete those two files, but the error message still comes up saying the PavPrSrv.exe cannot be deleted. i guess it's not really a problem. i'll be running the symantec removal tool soon, i'm just performing an se adaware scan, which i would have to close otherwise.
thanks very much again. the best of luck to you and your team. :cool:
LonnyRJones
2006-11-16, 21:28
In that case i suggest temporaraly installing Panda , reboot when prompted then uninstalling should delete that for you.
Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that proccess about once or twice a month
To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279
well that's cleared up. fortunately, the norton antivirus removal tool apparently removed that panda file, so i was able to delete that folder:bigthumb: . i added a new hosts file, and i've already gone through that "how did i get infected" thread, which was very insightful. thanks to the person who wrote that. i've got the antivir, zone alarm firewall, windows defender, spybot, spywareguard, spywareblaster and se adaware to protect my system. i guess i can re-engane spybot teatimer and windows defender real time protection now right? if you think that's it, then good. i'll remember to perform regular scans with everything, plus that blacklight thing. so, is that it then? :scratch:
LonnyRJones
2006-11-16, 22:21
To aviod conflicts You should only enable one antispyware's resident protection. (with the exception of spywareblaster)
Surf safe
cool. i've decided to enable spybot's teamtimer, since the program in general seemed more reliable than windows defender. thanks for all your help.
--------------------------------------------------------------------------
The war against malware; we shall WIN!!
peace man :cool:
ahem....i'm afraid there's a problem. i just ran a spybot scan, and it's still picking up myweb search and newdotnet registry key entries. what does that mean? i use flashget, and i read on a thread somewhere on this forum that flashget comes bundled with adware such as cydoor. could this be the problem, or is just that things got missed by the cleaning programs? thanks for you continued help.:red:
LonnyRJones
2006-11-17, 18:19
Last i checked SpyBot removes the bannerware flashget uses and flashget continues working.
The others you mention are probaly just leftovers, Post a SpyBot results report.
Run SpyBot check for problems, fix all red items, when its finished right click and choose copy results
(not full report) to clipboard and past that back here please.
thanks for replying. i did notice that flashget didn't pop up adverts anymore, but that stopped quite a while ago....before i got spybot. perhaps some other cleaning program stopped it. well, heres the spybot scan report after fixing:
MyWay.MyWebSearch: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
MyWay.MyWebSearch: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}
MyWay.MyWebSearch: Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
NewDotNet: Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-10-21 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-11-10 Includes\Cookies.sbi (*)
2006-10-13 Includes\Dialer.sbi (*)
2006-11-10 Includes\DialerC.sbi (*)
2006-11-03 Includes\Hijackers.sbi (*)
2006-11-10 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-11-10 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-10-13 Includes\Malware.sbi (*)
2006-11-10 Includes\MalwareC.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-11-10 Includes\PUPSC.sbi (*)
2006-11-10 Includes\Revision.sbi (*)
2006-10-13 Includes\Security.sbi (*)
2006-11-10 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-11-10 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-11-03 Includes\Trojans.sbi (*)
2006-11-10 Includes\TrojansC.sbi (*)
the thing is, i scanned with spybot twice (this was the second time), and fixed the same problems the first time, but they came back the second time. just to let you know.
LonnyRJones
2006-11-17, 18:47
Ok, post a new hijackthis log.
ok, here it is:
Logfile of HijackThis v1.99.1
Scan saved at 17:54:00, on 17/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\Bala\Desktop\Hijack This system scan\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (file missing)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .qcp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{037F10E7-455F-4392-AD7B-6AF2A92B5E8F}: NameServer = 195.92.195.94 195.92.195.95
O17 - HKLM\System\CS1\Services\Tcpip\..\{037F10E7-455F-4392-AD7B-6AF2A92B5E8F}: NameServer = 195.92.195.94 195.92.195.95
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
LonnyRJones
2006-11-17, 19:08
Restart your PC and use it a few hours then post another new hijackthis log.
Dont run SpyBot in the meantime please.
ok, i'll do that. thanks for you help! be back in a few hours :bigthumb: .
hi lonnyrjones. sorry i took longer than a few hours, but here is a new hijackthis log. thanks:):
Logfile of HijackThis v1.99.1
Scan saved at 22:17:53, on 17/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bala\Desktop\Hijack This system scan\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (file missing)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .qcp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
LonnyRJones
2006-11-18, 03:02
Turn off Tea Timer (right-click its icon in the tray area near the windows clock and choose exit)
If it is not in the tray area open SpyBot > mode > Advanced > tools >
resident page and uncheck Tea Timer
Now Close SpyBot if open.
While both Tea timer and SpyBot are closed
Download ResetTeaTimer.bat
http://downloads.subratam.org/ResetTeaTimer.bat
To your desktop, run ResetTeaTimer.bat.
Since it will not be needed again delete ResetTeaTimer.bat.
Start Hijackthis and place a check next to these items If there.
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
====================================
Hit fix checked and close Hijackthis.
Turn Tea timer back on again via SpyBots tools resident page.
hi lonnyrjones. i turned off teatimer, downloaded, ran, and then deleted the reset program. fixed all items that were there in hijackthis. now teatimer's up and running again.
so was the problem just some leftovers that needed sweeping up then?
many thanks!
LonnyRJones
2006-11-18, 13:33
Harmless Leftovers Tea timer was inadvertantly putting back.
Until the new version of Tea timer comes out (soon) when you see an alert don't use its remember decision option.
righto, that's that, once again then. thanks again for everything :angel: . will people be able to get the newer version of tea timer from here, or will spybot detect on the net as an update?
:D: :bigthumb:
LonnyRJones
2006-11-18, 13:43
I'm not positive, It would be a good idea to keep an eye on our announcements section.
Surf safe
thanks. you too man.
Peace! :cool: