Virus, popups, cws

Also, please Open Ewido. Press the *Update* button

Press *start update*. If any new updates are found wait while it downloads and installs them. Go back to the scanner and choose *full system scan*

Save the log at the end and post the results back here, please.
 
One more thing, I want to check for hidden files. Run these two free tools to produce a log from each please.

Download Blacklight (free trial) from F-Secure
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Doubleclick on bibeta.exe to run it.
Click the *I accept* button near the bottom of that page.
Download and run blacklite click > scan then > next, next again then exit
there will be a new text file near blacklite.Post it please. The text file is named:
fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
!!Do not rename any files yet


Next.
Please download Rootkit Revealer
http://www.sysinternals.com/utilities/rootkitrevealer.html
(link is at the very bottom of the page)

Unzip it to your desktop.

Open the rootkitrevealer folder and double-click rootkitrevealer.exe

Click the Scan button (bottom right)
It may take a while to scan (don't do anything while it's running - leave the PC idle while scanning)

When it's done, go up to File > Save. Choose to save it to your desktop.

Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here
 
From blbeta.exe: the text file was named fsbl-20060530203651.log

05/30/06 22:36:51 [Info]: BlackLight Engine 1.0.37 initialized
05/30/06 22:36:51 [Info]: OS: 5.1 build 2600 (Dodatek Service Pack. 1)
05/30/06 22:36:51 [Note]: 7019 4
05/30/06 22:36:51 [Note]: 7005 0
05/30/06 22:37:18 [Note]: 7006 0
05/30/06 22:37:18 [Note]: 7011 1152
05/30/06 22:37:18 [Note]: 7026 0
05/30/06 22:37:18 [Note]: 7026 0
05/30/06 22:37:26 [Note]: FSRAW library version 1.7.1015
05/30/06 22:38:59 [Note]: 7007 0

From Rootkit...

HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\s0 2005-11-26 12:18 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\s1 2005-11-26 12:18 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\s2 2005-11-26 12:18 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\g0 2005-11-26 12:18 32 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\h0 2005-11-26 12:18 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 2005-11-26 14:28 0 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Recent\av_dtm02.gif.lnk 2006-05-04 23:23 549 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Administrator\Recent\bez*tytu 2006-05-04 23:23 555 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Administrator\Recent\Dysk lokalny (C).lnk 2006-05-31 20:23 293 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Recent\Export.txt.lnk 2006-05-31 20:23 403 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Recent\rapport1.txt.lnk 2006-05-31 20:23 415 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Recent\Scan report_20060523.txt.txt.lnk 2006-05-23 22:50 582 bytes Visible in Windows API, but not in MFT or directory index.
C:\Export.txt 2006-05-25 17:04 106 bytes Visible in Windows API, but not in MFT or directory index.
C:\rapport.txt 2006-05-23 17:24 469 bytes Visible in Windows API, but not in MFT or directory index.
C:\rapport1.txt 2006-05-23 17:25 469 bytes Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\S-1-5-21-73586283-706699826-725345543-500\Dc1.txt 2006-05-31 20:23 469 bytes Hidden from Windows API.
C:\RECYCLER\S-1-5-21-73586283-706699826-725345543-500\Dc2.txt 2006-05-31 20:23 106 bytes Hidden from Windows API.
C:\RECYCLER\S-1-5-21-73586283-706699826-725345543-500\Dc3.txt 2006-05-31 20:23 469 bytes Hidden from Windows API.


And form hijackthis...


Logfile of HijackThis v1.99.1
Scan saved at 20:32:25, on 2006-05-31
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [rpcc] rpcc.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.3/g_bin/pl/roulette_2_0_0_16.cab
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_68.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.3/g_bin/pl/mahjong_2_0_0_23.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
 
Were you able to successfully complete the steps in this post linked below?:
http://forums.spybot.info/showpost.php?p=27128&postcount=19

If not, please do that now. And then come back and follow these next steps following.
..........................................
Next step:
Make a new folder on your Hard-drive and name it BFU like so:
c:\BFU

Next, Please download Brute Force Uninstaller.

Unzip/decompress and save the contents it to it’s own folder that you made above: c:\BFU

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).

Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe

In the scriptline to execute field copy and paste c:\bfu\alcanshorty.bfu
Press execute and let it do it’s job.

Wait for the complete script execution box to pop up and press OK.

click "save"

IN "filename" enter log.txt

click exit to exit the BFU program.

Please copy the contents of the log.txt back here in your next reply. The log.txt will be in the C:\BFU\ folder ...
............................................
Next, please open Killbox. click on *File* tab at the top and choose *Logs* from the drop down menu. Then choose *Actions History Log*. A notepad text file will popup. Please copy all of that text and post it back here with the log.txt from BFU in your next reply.
 
cket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ czwartek, maj 25, 2006, 4:56 PM

# 1 [Delete on Reboot]
Path = C:\DOCUME~1\ADMINI~1\DANEAP~1\SCURIT~1


I Rebooted @ 4:58:08 PM
Killbox Closed(Exit) @ 4:58:09 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ niedziela, maj 28, 2006, 1:27 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\System32\rpcc.exe


# 2 [Delete on Reboot]
Path = C:\Documents and Settings\All Users\Dokumenty\Settings\2006.dll


# 3 [Delete on Reboot]
Path = C:\Documents and Settings\All Users\Dokumenty\Settings\2014.dll


# 4 [Delete on Reboot]
Path = C:\Documents and Settings\All Users\Dokumenty\Settings\20242402.dll


I Rebooted @ 1:28:49 PM
Killbox Closed(Exit) @ 1:28:50 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ niedziela, maj 28, 2006, 1:32 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\System32\rpcc.exe


I Rebooted @ 1:33:12 PM
Killbox Closed(Exit) @ 1:33:14 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ wtorek, maj 30, 2006, 10:32 PM

# 1 [Replace on Delete]
Path = C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll
*Replaced with C:\Documents and Settings\Administrator\Ustawienia lokalne\Temp\kbdummy.0

I Rebooted @ 10:33:48 PM
Killbox Closed(Exit) @ 10:33:49 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ środa, maj 31, 2006, 10:42 PM

Killbox Closed(Exit) @ 10:42:56 PM
__________________________________________________
 
and heres the log from BFU

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ środa, maj 31, 2006, 10:45 PM


BFU v1.00.9
Windows XP Dodatek SP. 1 (WinNT 5.01.2600 Dodatek SP. 1)
Script started at 22:41:41, on 2006-05-31

Script completed.
 
Ok, not sure if that worked or not...might be a language problem with the tools I am using being in English and your PC in Polish (i think?). I'll ask some of the others to take here to see what they think.

Could you please reboot the PC and scan with HijackThis and post a fresh please?
 
Ok, here is the og from hijakcthis:

Logfile of HijackThis v1.99.1
Scan saved at 16:22:35, on 2006-06-01
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [rpcc] rpcc.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.3/g_bin/pl/roulette_2_0_0_16.cab
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_68.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.3/g_bin/pl/mahjong_2_0_0_23.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
 
ichigo333,

One of our researchers thinks there may be a super hidden file that accompanies this infection. So let's do this on his advice (Thanks, LonnyRJones!)

Open Killbox.

Choose *Delete on Reboot*

DeleteOnReboot.gif


Copy and paste the following line into the white box that says "Full path of file to delete"

C:\WINDOWS\sysvx_.exe

Press the red button with the white X on it
RedButtonWhiteX.gif


Allow Killbox to reboot your computer.

After reboot, Scan with HijackThis and checkmark these two entries then press the *fix checked* button

O4 - HKLM\..\Run: [rpcc] rpcc.exe

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll

Delete these files (if found)

C:\WINDOWS\System32\rpcc.exe

C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll

Now please reboot your computer once more.

After reboot scan again with HijackThis to create a log and post the fresh log back here please.

I'd also like to see the Killbox log again. Open Killbox, and click on *File* tab at the top and choose *Logs* from the drop down menu. Then choose *Actions History Log*. A notepad text file will popup. Please copy all of that text and post it back here, along with the new Hijackthis log.
 
Logs from Hijack...

Logfile of HijackThis v1.99.1
Scan saved at 17:04:29, on 2006-06-05
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.3/g_bin/pl/roulette_2_0_0_16.cab
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_68.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.3/g_bin/pl/mahjong_2_0_0_23.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6394C0F1-9179-4B53-9D2F-0509BFF02A70}: NameServer = 194.204.152.34 217.98.63.164
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe



and from Kilbox!\

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ czwartek, maj 25, 2006, 4:56 PM

# 1 [Delete on Reboot]
Path = C:\DOCUME~1\ADMINI~1\DANEAP~1\SCURIT~1


I Rebooted @ 4:58:08 PM
Killbox Closed(Exit) @ 4:58:09 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ niedziela, maj 28, 2006, 1:27 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\System32\rpcc.exe


# 2 [Delete on Reboot]
Path = C:\Documents and Settings\All Users\Dokumenty\Settings\2006.dll


# 3 [Delete on Reboot]
Path = C:\Documents and Settings\All Users\Dokumenty\Settings\2014.dll


# 4 [Delete on Reboot]
Path = C:\Documents and Settings\All Users\Dokumenty\Settings\20242402.dll


I Rebooted @ 1:28:49 PM
Killbox Closed(Exit) @ 1:28:50 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ niedziela, maj 28, 2006, 1:32 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\System32\rpcc.exe


I Rebooted @ 1:33:12 PM
Killbox Closed(Exit) @ 1:33:14 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ wtorek, maj 30, 2006, 10:32 PM

# 1 [Replace on Delete]
Path = C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll
*Replaced with C:\Documents and Settings\Administrator\Ustawienia lokalne\Temp\kbdummy.0

I Rebooted @ 10:33:48 PM
Killbox Closed(Exit) @ 10:33:49 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ środa, maj 31, 2006, 10:42 PM

Killbox Closed(Exit) @ 10:42:56 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ środa, maj 31, 2006, 10:45 PM

Killbox Closed(Exit) @ 10:47:46 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ poniedziałek, czerwiec 05, 2006, 4:56 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\sysvx_.exe


Killbox Closed(Exit) @ 4:57:47 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ poniedziałek, czerwiec 05, 2006, 4:58 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\sysvx_.exe


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 4:58:35 PM
# 2 [Delete on Reboot]
Path = C:\WINDOWS\sysvx_.exe


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 4:59:17 PM
Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ poniedziałek, czerwiec 05, 2006, 5:05 PM
 
Very good! I think that finally got it :bigthumb:

How is your PC running now? Does everything look ok on your end?
 
Thank You !
Thank You!
Thank You!

I'd like to say Thank You :D
You've done more than you think... i guess it should work properly now... however, it works much much better...and the net.... it doesnt disconnect anytime it wants ;)
You deserve for a big hug or anything you want :]
Cheers :)

Thakns again :]
 
Bless your heart, ichigo333 :heart:

I'm so glad to hear that everything is working ok again. We're glad we could help :)

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

One of the best features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Put a Checkmark in the box next to "Turn off System Restore".
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Remove the checkmark next to "Turn off System Restore".
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;310405

Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).

"So, how did I get infected in the first place?" (by Tony Klein)
http://forums.spybot.info/showthread.php?t=279

You need to get Service Pack 2 for XP and all critical Windows Securtiy Updates as it will address numerous security issues in your Operating System and IE :)
http://v5.windowsupdate.microsoft.com/en/default.asp
 
Yeah, the PC is working now just perfect...im telling you.
Really... week ago the net connection was so slow...and it kept disconeccting billion times a day :sick:
And now...
God bless You Guys and all the things you have done :heart:
Ive just updated the WXP so i hope it wont get that bad as it was :blush:

Thanks:]
 
You must log in or register to reply here.
Back
Top