Please help me remove my bestfriend.scr

Hi, I've recently been infected with this virus. It posts the link to the virus on my away message along with others of the known symptoms. I have run the Spybot Search and Destroy and Adaware. When I read the directions on how to remove the virus, I didn't find the file that was infected. Here is my log file.

Logfile of HijackThis v1.99.1
Scan saved at 6:14:02 PM, on 7/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Stop-the-Pop-Up Lite\stopthepop.exe
C:\WINDOWS\System32\GOOGLEMAPS.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
C:\WINDOWS\REGEDIT.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Kevin Lao.KEKUKEDO-M91OWP\Start Menu\Programs\Skype\Phone\Skype.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Kevin Lao.KEKUKEDO-M91OWP\Local Settings\Temp\Temporary Directory 3 for hijackthis_199.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nba.com/mavericks/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up Lite\stopthepop.exe" -minimized
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SystemClockManager] C:\WINDOWS\\\\\\\\\\\\\\\\\\\
O4 - HKLM\..\Run: [Google Earth Viewer] GOOGLEMAPS.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Google Earth Viewer] GOOGLEMAPS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121041993043
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121042348965
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Thank you so much.

Comments

  • Shadow2018 Northwest Missouri
    edited July 2005
    You are running HJT from a temp folder. Please move this to your C: directory.
  • edited July 2005
    I had reason to believe that the virus was called by the googlemaps.exe file and I have removed it. I used taskkill and terminated googlemaps.exe, and after that the symptoms of the virus stopped. I did a search and found the hidden file and upon deleting it I haven't had any known symptoms anymore. I did not wait until I got a response because I was unable to access the forum for some reason earlier today. If I had done something wrong by deleting that, please reply and tell me. Thanks to everybody for their time.
  • Shadow2018 Northwest Missouri
    edited July 2005
    That file wasn't necessary either way for your system to run properly. If you are still having problems let me know.
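Added example, not part of the thread and not a HijackThis feature: a Python triage pass over lines from the first log above, showing why the `[Google Earth Viewer] GOOGLEMAPS.EXE` and `[SystemClockManager]` autoruns and the Temp-folder HijackThis process stand out. The function and flag names are hypothetical, and a flag is a prompt for manual review, not a verdict (the `SoundMan` entry is flagged by the same rule).

```python
import ntpath
import re

# Constructed sample: a subset of lines from the first HijackThis log above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\GOOGLEMAPS.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Documents and Settings\Kevin Lao.KEKUKEDO-M91OWP\Local Settings\Temp\Temporary Directory 3 for hijackthis_199.zip\HijackThis.exe

O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up Lite\stopthepop.exe" -minimized
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SystemClockManager] C:\WINDOWS\\\\\\\\\\\\\\\\\\\
O4 - HKLM\..\Run: [Google Earth Viewer] GOOGLEMAPS.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\RunOnce: [Google Earth Viewer] GOOGLEMAPS.EXE
"""

# O4 lines look like: O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
EXE_RE = re.compile(r"(.+?\.(?:exe|dll|ocm|scr|bat|com))\b", re.I)
TEMP_RE = re.compile(r"\\temp\\", re.I)


def executable(cmd):
    """Return the program part of an autorun command line (hypothetical helper)."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage(log):
    """Return (source, name, flag) tuples for entries worth a manual look."""
    findings, in_procs = [], False
    for line in (raw.strip() for raw in log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif in_procs:
            if TEMP_RE.search(line):
                findings.append(("process", ntpath.basename(line), "runs-from-temp"))
        else:
            m = O4_RE.match(line)
            if not m:
                continue
            hive, key, name, cmd = m.groups()
            exe = executable(cmd)
            if not ntpath.basename(exe):
                flag = "no-target"        # path ends in a separator: no file named
            elif not ntpath.dirname(exe):
                flag = "bare-filename"    # no directory given for the program
            elif TEMP_RE.search(exe):
                flag = "runs-from-temp"
            else:
                continue
            findings.append((f"{hive} {key}", name, flag))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```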
  • edited July 2005
    The symptoms of the AIM virus are gone, but since the virus had infected my computer, everything is refreshing a lot slower. For example, when I scroll down on a browser window, it takes seconds to display every inch of the window I scroll down. It feels like my computer is lagging now, but now I'm not sure if this was caused by the virus. Here is my hijacklog just in case. Thank you.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:54:20 AM, on 7/25/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Stop-the-Pop-Up Lite\stopthepop.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Kevin Lao.KEKUKEDO-M91OWP\Local Settings\Temp\Temporary Directory 10 for hijackthis_199.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nba.com/mavericks/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up Lite\stopthepop.exe" -minimized
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121041993043
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121042348965
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • Shadow2018 Northwest Missouri
    edited July 2005
    Make sure all hidden files and folders are viewable.

    Run activescan and save the scan results. Copy and paste the results of that scan along with a new HJT log when it is complete.
  • edited July 2005
    Thank you for another reply. I have unhidden the files and did the two scans again. Activescan log:


    Incident Status Location

    Adware:adware/kingporn No disinfected C:\DOCUMENTS AND SETTINGS\KEVIN LAO.KEKUKEDO-M91OWP\LOCAL SETTINGS\TEMP\ExtractDLL.dll
    Spyware:spyware/surfsidekick No disinfected C:\DOCUMENTS AND SETTINGS\KEVIN LAO.KEKUKEDO-M91OWP\LOCAL SETTINGS\TEMP\SSK3_B5 Seedcorn 4.exe
    Adware:adware/virtualbouncer No disinfected C:\DOCUMENTS AND SETTINGS\KEVIN LAO.KEKUKEDO-M91OWP\LOCAL SETTINGS\TEMP\wrapperouter.exe
    Adware:adware/topspyware No disinfected C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\wmplayer.exe.tmp
    Adware:adware/delfinmedia No disinfected C:\keys.ini
    Adware:adware/e2give No disinfected C:\PROGRAM FILES\E2G
    Adware:adware/sidesearch No disinfected C:\PROGRAM FILES\Lycos
    Adware:adware/downloadware No disinfected C:\PROGRAM FILES\MedCh
    Adware:adware/mydailyhoroscopeNo disinfected C:\PROGRAM FILES\My Daily Horoscope
    Adware:adware/myway No disinfected C:\PROGRAM FILES\MyWay
    Adware:adware/keenvalue No disinfected C:\PROGRAM FILES\COMMON FILES\updater
    Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
    Adware:adware/elitebar No disinfected C:\WINDOWS\EliteToolBar
    Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET
    Virus:W32/Sdbot.EFG.worm Disinfected C:\a.bat
    Spyware:Spyware/SafeSurf No disinfected C:\Documents and Settings\Kevin Lao.KEKUKEDO-M91OWP\Local Settings\Temp\asfjkk32.tmp
    Spyware:Spyware/SafeSurf No disinfected C:\Documents and Settings\Kevin Lao.KEKUKEDO-M91OWP\Local Settings\Temp\ExtractDLL.dll
    Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Kevin Lao.KEKUKEDO-M91OWP\Local Settings\Temp\i87.tmp
    Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\Kevin Lao.KEKUKEDO-M91OWP\Local Settings\Temp\pcs_0029.exe
    Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\Kevin Lao.KEKUKEDO-M91OWP\Local Settings\Temp\ptf_0029.exe
    Virus:W32/Gaobot.batch Disinfected C:\Documents and Settings\Kevin Lao.KEKUKEDO-M91OWP\Local Settings\Temp\r.bat
    Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Kevin Lao.KEKUKEDO-M91OWP\Local Settings\Temp\SSK3_B5 Seedcorn 4.exe
    Spyware:Spyware/SafeSurf No disinfected C:\Documents and Settings\Kevin Lao.KEKUKEDO-M91OWP\Local Settings\Temp\thin_installer2.exe
    Virus:W32/Spybot.QP.worm Disinfected C:\Documents and Settings\Kevin Lao.KEKUKEDO-M91OWP\Local Settings\Temp\utwmqr.exe
    Adware:Adware/VirtualBouncer No disinfected C:\Documents and Settings\Kevin Lao.KEKUKEDO-M91OWP\Local Settings\Temp\wrapperouter.exe
    Adware:Adware/PurityScan No disinfected C:\install_george.exe
    Adware:Adware/E2Give No disinfected C:\Program Files\E2G\IeBHOs.dll
    HJT: Logfile of HijackThis v1.99.1
    Scan saved at 6:15:41 PM, on 7/25/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Stop-the-Pop-Up Lite\stopthepop.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Kevin Lao.KEKUKEDO-M91OWP\Start Menu\Programs\Skype\Phone\Skype.exe
    C:\Documents and Settings\Kevin Lao.KEKUKEDO-M91OWP\Local Settings\Temp\Temporary Directory 11 for hijackthis_199.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nba.com/mavericks/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up Lite\stopthepop.exe" -minimized
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121041993043
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121042348965
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    Thank you.
  • Shadow2018 Northwest Missouri
    edited July 2005
    Open start menu and navigate to the add/remove programs list. Uninstall these programs if they are listed:

    EliteToolBar
    SurfSideKick


    Delete these files or directories if they exist:
    C:\DOCUMENTS AND SETTINGS\KEVIN LAO.KEKUKEDO-M91OWP\LOCAL SETTINGS\TEMP\ExtractDLL.dll
    C:\DOCUMENTS AND SETTINGS\KEVIN LAO.KEKUKEDO-M91OWP\LOCAL SETTINGS\TEMP\SSK3_B5 Seedcorn 4.exe
    C:\DOCUMENTS AND SETTINGS\KEVIN LAO.KEKUKEDO-M91OWP\LOCAL SETTINGS\TEMP\wrapperouter.exe
    C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\wmplayer.exe.tmp
    C:\keys.ini
    C:\PROGRAM FILES\E2G
    C:\PROGRAM FILES\Lycos
    C:\PROGRAM FILES\MedCh
    C:\PROGRAM FILES\My Daily Horoscope
    C:\PROGRAM FILES\MyWay
    C:\PROGRAM FILES\COMMON FILES\updater
    C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
    C:\WINDOWS\EliteToolBar


    Empty your temp folder and then your recycle bin.

    Run activescan again and let me know the results.
  • edited July 2005
    I did all the steps except I don't understand what you mean by
    Adware:adware/mydailyhoroscopeNo disinfected
    And empty temp folder. Do you mean for me to delete the
    C:\DOCUMENTS AND SETTINGS\KEVIN LAO.KEKUKEDO-M91OWP\LOCAL SETTINGS\TEMP\ directory?
    If not what is the temp folder?

    I will run activescan after you reply.
  • Shadow2018 Northwest Missouri
    edited July 2005
    Delete the mydailyhoroscope folder which is located in your C:\Documents and settings folder.

    Download cleanup 4.0. This will clean your temp files.

    http://www.stevengould.org/software/cleanup/

    Save the setup file to your desktop. Run the setup file and then move the pre-created shortcut from the folder to your desktop. Open cleanup and click cleanup.
  • edited July 2005
    The mydailyhoroscope file was not found in the documents and settings folder, and it was not found when I did a search. I cleared my temp files and ran activescan. The scrolling seems slightly faster now, even though it still lags. Here is the activescan log.


    Incident Status Location

    Adware:adware/delfinmedia No disinfected C:\keys.ini
    Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
    Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET
    Virus:W32/Oscarbot.BS.worm Disinfected C:\Injikdj.exe
    Adware:Adware/PurityScan No disinfected C:\install_george.exe
  • Shadow2018 Northwest Missouri
    edited July 2005
    Download the trial version of ewido security suite.

    http://www.ewido.net/en/download/

    Set ewido up and it will automatically prompt you to update it. Run ewido after updates are complete.

    Open start menu>click run>Enter "regedit">double click HKEY_LOCAL_MACHINE folder>double click SOFTWARE folder>double click the CLASSES folder> search for MAGNET and delete the entry.

    Delete these files if they exist:

    C:\keys.ini
    C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
    C:\Injikdj.exe
    C:\install_george.exe

    Post a new log.
  • edited July 2005
    No files existed in the directories you mentioned. I ran the ewido and got rid of magnet. Here's my log again.


    Incident Status Location

    Adware:adware/delfinmedia No disinfected C:\keys.ini
    Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
    I can't find these files on my C: for some reason, and I looked in hidden files.
  • Shadow2018 Northwest Missouri
    edited July 2005
    Open start menu>click run>(type) msconfig>click ok>click system.INI>on the left hand side of the box click find>(type)keys.INI>if no match found then go to win.ini tab and do the same process. If found try to remove the file. Let me know.

    C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs should be located in your system32 folder. May be a folder/directory since there is no file extension attached to it.

    Post a new Hijack This log when finished.
  • edited July 2005
    There were no matches of keys.INI in both the system.INI and win.INI. I found cache and deleted it.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:23:09 PM, on 7/27/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Stop-the-Pop-Up Lite\stopthepop.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Documents and Settings\Kevin Lao.KEKUKEDO-M91OWP\Start Menu\Programs\Skype\Phone\Skype.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Kevin Lao.KEKUKEDO-M91OWP\Local Settings\Temp\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nba.com/mavericks/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up Lite\stopthepop.exe" -minimized
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121041993043
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121042348965
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • Shadow2018 Northwest Missouri
    edited July 2005
    Your log is clean. Are you still having problems?

    A few suggestions:

    1. Upgrade XP: this means take service packs 1 and 2. This is recommended due to increased security features.

    2. Get Spywareblaster.

    3. Take all Microsoft critical updates as they become available.

    4. Keep your anti-virus and spyware programs updated frequently.
  • edited July 2005
    My computer is faster than it was when it was infected, but I'm sure if I follow your last instructions it will be fixed. Thank you so much for your time and helping me remove the viruses and spyware.
This discussion has been closed.