Options

Vcodec not completely uninstalled...

Unknown
edited January 2006 in Spyware & Virus Removal
Im getting the same problem too.. and its driving me crazy.

I was looking at this persons problem and the way you explained it made sense but I thought I should post my HJT logfile before i do anything. ;)

Logfile of HijackThis v1.99.1
Scan saved at 16:08:39, on 21/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.something.com/
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hpB49A.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
O4 - HKCU\..\Run: [®Windows Update] svchosts.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111773341765
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe

Any help with this would be greatly appreciated :) Thank you.

Comments

  • TroganTrogan London, UK
    edited January 2006
    Hi, Welcome to Short-Media :)

    I split your post so you have your own thread :)

    Your gonna get the same fix :D
    ==


    Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

    Download smitRem.exe and save the file to your desktop.
    Right click on the file and extract it to it's own folder on the desktop.

    Place a shortcut to Panda ActiveScan on your desktop.

    Please download the trial version of Ewido Security Suite here:
    http://www.ewido.net/en/download/

    Please read Ewido Setup Instructions
    Install it, and update the definitions to the newest files. Do NOT run a scan yet.

    If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
    Ad-Aware SE Setup
    Don't run it yet!

    Next, please reboot your computer in SafeMode by doing the following:
    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.
    Now scan with HJT and place a checkmark next to each of the following items and click 'Fix Checked':

    ===================================================
    O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hpB49A.tmp
    ===================================================

    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish.

    The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


    Open Ad-aware and do a full scan. Remove all it finds.


    Run Ewido: (Do not use the computer while Ewido is scanning as it may interrupt the scan)
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • NOTE: During some scans with ewido it is finding cases of false positives.
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop
    Close Ewido

    Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

    Reboot back into Windows and click the Panda ActiveScan shortcut.

    - Once you are on the Panda site click the Scan your PC button
    - A new window will open...click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click send
    - Select either Home User or Company
    - Click the big Scan Now button
    - If it wants to install an ActiveX component allow it
    - It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    - When download is complete, click on Local Disks to start the scan
    - When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

    Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.

    Let us know if any problems persist.
  • FaDeD
    edited January 2006
    Woo! My annoying bubble that says "Virus Detected blahblahblah.." is gone :):) Thank yoooo! Here's the logs that you asked for:


    Incident Status Location

    Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt[]
    Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt[53312104]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Darren\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-4e512a65.zip[a.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Darren\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-4e512a65.zip[Dummy.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Darren\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-4e512a65.zip[VerifierBug.class]
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Darren\Cookies\darren@ad.sensismediasmart.com[1].txt
    Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Darren\Cookies\darren@adopt.hbmediapro[2].txt
    Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Darren\Cookies\darren@adultfriendfinder[1].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Darren\Cookies\darren@ath.belnk[2].txt
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Darren\Cookies\darren@azjmp[2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Darren\Cookies\darren@belnk[1].txt
    Spyware:Cookie/Barelylegal Not disinfected C:\Documents and Settings\Darren\Cookies\darren@c.fsx[1].txt
    Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Darren\Cookies\darren@c3.gostats[1].txt
    Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Darren\Cookies\darren@ccbill[2].txt
    Spyware:Cookie/Sexsuche Not disinfected C:\Documents and Settings\Darren\Cookies\darren@counter.sexsuche[1].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Darren\Cookies\darren@dist.belnk[1].txt
    Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Darren\Cookies\darren@fe.lea.lycos[1].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Darren\Cookies\darren@gamearena.com[2].txt
    Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Darren\Cookies\darren@gostats[2].txt
    Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Darren\Cookies\darren@i.screensavers[2].txt
    Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Darren\Cookies\darren@kinghost[1].txt
    Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Darren\Cookies\darren@offeroptimizer[1].txt
    Spyware:Cookie/Outster Not disinfected C:\Documents and Settings\Darren\Cookies\darren@outster[2].txt
    Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Darren\Cookies\darren@rn11[2].txt
    Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Darren\Cookies\darren@searchportal.information[1].txt
    Spyware:Cookie/TeensForCash Not disinfected C:\Documents and Settings\Darren\Cookies\darren@teensforcash[2].txt
    Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Darren\Cookies\darren@toplist[2].txt
    Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Darren\Cookies\darren@webpower[2].txt
    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Darren\Cookies\darren@xiti[1].txt
    Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Darren\Cookies\darren@xmts[2].txt
    Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Darren\Cookies\darren@yadro[2].txt
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Darren\Desktop\choochoo\smitRem\Process.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Darren\Desktop\smitRem.exe[Process.exe]
    Possible Virus. Not disinfected C:\Documents and Settings\Darren\My Documents\Final Fantasy 7\Disc 1\Ultimate Hack Pack.zip[Autoshooter.exe]
    Spyware:Cookie/Ccbill Not disinfected F:\Documents and Settings\Darren\Cookies\darren@ccbill[1].txt
    Spyware:Cookie/TeensForCash Not disinfected F:\Documents and Settings\Darren\Cookies\darren@teensforcash[1].txt
    Spyware:Cookie/WebPower Not disinfected F:\Documents and Settings\Darren\Cookies\darren@webpower[1].txt
    Adware:Adware/PurityScan Not disinfected F:\Documents and Settings\Darren\Local Settings\Temporary Internet Files\Content.IE5\G9EFS9MN\!update-1862[1].0000
    Adware:Adware/PurityScan Not disinfected F:\Documents and Settings\Darren\Local Settings\Temporary Internet Files\Content.IE5\G9EFS9MN\!update-1932[1].0000
    Adware:Adware/PurityScan Not disinfected F:\Documents and Settings\Darren\Local Settings\Temporary Internet Files\Content.IE5\G9EFS9MN\!update-2042[1].0000
    Adware:Adware/PurityScan Not disinfected F:\Documents and Settings\Darren\Local Settings\Temporary Internet Files\Content.IE5\G9EFS9MN\!update-2872[1].0000
    Adware:Adware/MediaTickets Not disinfected F:\Documents and Settings\Darren\Local Settings\Temporary Internet Files\Content.IE5\G9EFS9MN\mtrslib2[1].js
    Adware:Adware/PurityScan Not disinfected F:\Documents and Settings\Darren\Local Settings\Temporary Internet Files\Content.IE5\KP6NS16F\!update-2572[1].0000
    Adware:Adware/PurityScan Not disinfected F:\Documents and Settings\Darren\Local Settings\Temporary Internet Files\Content.IE5\KP6NS16F\!update-2752[1].0000
    Possible Virus. Not disinfected F:\Program Files\MAIET\Gunz\Autoshooter.exe
    Adware:Adware/MediaTickets Not disinfected F:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.INF |||

    Logfile of HijackThis v1.99.1
    Scan saved at 18:49:25, on 21/01/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    F:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    F:\Teamspeak2_RC2\TeamSpeak.exe
    F:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.something.com/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [®Windows Update] svchosts.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [®Windows Update] svchosts.exe
    O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} -
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - F:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe

    |||


    smitRem © log file
    version 2.8

    by noahdfear


    Microsoft Windows XP [Version 5.1.2600]
    The current date is: 21/01/2006
    The current time is: 16:51:41.82

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    checking for ShudderLTD key

    ShudderLTD key not present!

    checking for PSGuard.com key


    PSGuard.com key not present!


    checking for WinHound.com key


    WinHound.com key not present!

    spyaxe uninstaller NOT present
    Winhound uninstaller NOT present


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    SpywareStrike © by noahdfear

    SpywareStrike directory present

    SpywareStrike uninstaller present

    Starting spystri uninstaller

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Existing Pre-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~

    Online Security Guide.url
    Online Security Guide.url
    Security Troubleshooting.url
    Security Troubleshooting.url


    ~~~ Favorites ~~~

    Antivirus Test Online.url


    ~~~ system32 folder ~~~

    wiatwain.dll
    1024 dir
    msvol.tlb
    ld****.tmp
    mssearchnet.exe
    ncompat.tlb
    nvctrl.exe
    mscornet.exe
    hp***.tmp


    ~~~ Icons in System32 ~~~

    ts.ico
    ot.ico


    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~


    ~~~ Miscellaneous Files/folders ~~~




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 1444 'explorer.exe'

    Starting registry repairs

    Deleting files


    Remaining Post-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~



    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~



    ~~~ Miscellaneous Files/folders ~~~




    ~~~ Wininet.dll ~~~

    CLEAN! :)

    |||
    ewido anti-malware - Scan report

    + Created on: 17:52:39, 21/01/2006
    + Report-Checksum: 7E4F38EE

    + Scan result:

    :mozilla.7:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
    :mozilla.8:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
    :mozilla.9:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
    :mozilla.10:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
    :mozilla.11:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
    :mozilla.12:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
    :mozilla.13:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
    :mozilla.18:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Adbrite : Ignored
    :mozilla.19:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Adbrite : Ignored
    :mozilla.22:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Euroclick : Ignored
    :mozilla.37:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Casalemedia : Ignored
    C:\Program Files\WinRAR\_RarExt.exe -> Backdoor.Agent.ek : Ignored
    C:\WINDOWS\system32\system.bin -> Backdoor.Agent.ek : Ignored
    C:\WINDOWS\system32\_RarExt.exe -> Backdoor.Agent.ek : Ignored
    C:\WINDOWS\system32\_textpad.exe -> Backdoor.Agent.ek : Ignored
    F:\Documents and Settings\Darren\Local Settings\Temporary Internet Files\Content.IE5\G9EFS9MN\!update-1862[1].0000 -> Spyware.PurityScan : Ignored
    F:\Documents and Settings\Darren\Local Settings\Temporary Internet Files\Content.IE5\G9EFS9MN\!update-2042[1].0000 -> Spyware.PurityScan : Ignored
    F:\Documents and Settings\Darren\Local Settings\Temporary Internet Files\Content.IE5\G9EFS9MN\mtrslib2[1].js -> Downloader.Small : Ignored
    F:\Documents and Settings\Darren\Local Settings\Temporary Internet Files\Content.IE5\KP6NS16F\!update-2572[1].0000 -> Downloader.PurityScan.ah : Ignored
    :mozilla.40:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.41:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.42:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.43:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.44:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
    :mozilla.45:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
    :mozilla.46:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
    :mozilla.47:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
    :mozilla.91:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    :mozilla.92:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    :mozilla.93:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    :mozilla.94:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    :mozilla.95:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    :mozilla.103:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
    :mozilla.104:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
    :mozilla.105:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
    :mozilla.106:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
    :mozilla.107:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
    :mozilla.108:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
    :mozilla.109:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
    :mozilla.110:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
    :mozilla.121:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    :mozilla.122:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    :mozilla.123:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    :mozilla.124:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    :mozilla.125:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    :mozilla.126:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    :mozilla.127:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    :mozilla.151:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Masterstats : Cleaned with backup
    :mozilla.153:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
    :mozilla.154:C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\8au196ga.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@ad1.clickhype[1].txt -> Spyware.Cookie.Clickhype : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@adopt.euroclick[1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@cnetaustralia.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@cz2.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@cz3.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@cz4.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@cz5.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@cz6.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@cz7.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@cz8.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@cz9.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@data3.perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@free.wegcash[2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@ivwbox[2].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@metacafe.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@srv1.ad.adition[1].txt -> Spyware.Cookie.Adition : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@stats.adbrite[1].txt -> Spyware.Cookie.Adbrite : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@vip.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@www.epilot[1].txt -> Spyware.Cookie.Epilot : Cleaned with backup
    C:\Documents and Settings\Darren\Cookies\darren@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Darren\My Documents\Downloads\_Alcohol_120%_1.9.5.2902_Crack.exe -> Backdoor.Agent.ek : Cleaned with backup
    C:\Documents and Settings\Darren\My Documents\Downloads\_AnyDVD_v4.6.3.2_KeyGen.exe -> Backdoor.Agent.ek : Cleaned with backup
    C:\Documents and Settings\Darren\My Documents\Downloads\_BlindWrite_5.2.13_KeyGen.exe -> Backdoor.Agent.ek : Cleaned with backup
    C:\Documents and Settings\Darren\My Documents\Downloads\_DVDFab_2.50_Final_patched.exe -> Backdoor.Agent.ek : Cleaned with backup
    C:\Documents and Settings\Darren\My Documents\Downloads\_NERO_6.6.08A_KEYGEN.exe -> Backdoor.Agent.ek : Cleaned with backup
    C:\Documents and Settings\Darren\My Documents\Downloads\_Prince_Of_Persia_2_Warrior_Within_NOCD.exe -> Backdoor.Agent.ek : Cleaned with backup
    C:\Documents and Settings\Darren\My Documents\Downloads\_SIMS_2_NOCD.exe -> Backdoor.Agent.ek : Cleaned with backup
    C:\Documents and Settings\Darren\My Documents\Downloads\_WinDVD_Platinum_v6.0.B06.128C00_KeyGen.exe -> Backdoor.Agent.ek : Cleaned with backup
    C:\Documents and Settings\Darren\My Documents\Downloads\_WINRAR_v3.50_FINAL_CRACK.exe -> Backdoor.Agent.ek : Cleaned with backup
    C:\Program Files\Adobe\Acrobat 7.0\Reader\_Reader32.exe -> Backdoor.Agent.ek : Cleaned with backup
    C:\Program Files\Jasc Software Inc\Paint Shop Pro 9\Jasc Paint Shop Pro 9.0 keygen.exe -> Dropper.Small.mq : Cleaned with backup
    C:\WINDOWS\system32\svchosts.exe -> Backdoor.Agent.ek : Cleaned with backup
    F:\Documents and Settings\Darren\Cookies\darren@adopt.euroclick[1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
    F:\Documents and Settings\Darren\Cookies\darren@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    F:\Documents and Settings\Darren\Cookies\darren@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
    F:\Documents and Settings\Darren\Cookies\darren@free.wegcash[2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
    F:\Documents and Settings\Darren\Cookies\darren@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
    F:\Documents and Settings\Darren\Cookies\darren@programs.wegcash[2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
    F:\Documents and Settings\Darren\Local Settings\Temporary Internet Files\Content.IE5\4TUYWC4K\chat[1].htm -> Downloader.Inor.a : Cleaned with backup
    F:\Documents and Settings\Darren\Local Settings\Temporary Internet Files\Content.IE5\OHEBCDQF\MediaTicketsInstaller[1].cab/MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned with backup
    F:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned with backup
    F:\WINDOWS\system32\lkojqgg.dll -> Spyware.PurityScan : Cleaned with backup


    ::Report End


    Have fun looking through all of that. o.O
  • TroganTrogan London, UK
    edited January 2006
    Can you do the following:

    Go to Start > Control Panel > Java > Click Delete Files... > Put a Tick in all boxes and click OK > Click OK again.

    Clear out the temporary internet files:
    • Go Start
    • Control Panel
    • Click on Internet Options
    • Click the General Tab and under Temporary Internet Files click...
    • Delete Files...
    • Delete Cookies...
    ===

    Please download the free Ad-Aware SE and install it. If you already have Ad-Aware SE, please configure it as indicated below. If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

    1) Run Ad-Aware, and click Check for updates now.

    2) Select Configurations (click the Gear wheel at the top) as follows:
    • General Button > Safety & Settings: Check (Green) all three.
    • Tweak Button > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
    Click Proceed.
    3) To start the scan, Click > "Scan Now" at left
    • Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
    • Select "Search for low-risk threats"
    • Select "Perform full system scan"
    • Click Next
    4) When the scan has completed, select Next.
    • In the Scanning Results window, select the "Critical Objects" tab.
    • Right-click on the screen and choose "Select all objects"
    • Click Next to remove the infections found, and click OK to the prompt.
    • Restart the computer.


    After Rebooting, do the following:


    Download Spybot S & D from here.
    1. Download and Install Spybot S&D (if you haven't already), accept the Default Settings
    2. In the Menu Bar at the top of the Spybot window you will see 'Mode'.
      Make certain that 'default mode' has a check mark beside it.
    3. Close ALL windows except Spybot S&D
    4. Click the button to ‘Search for Updates’ then download and install the updates.
    5. Next click the button ‘Check for Problems'
    6. When Spybot is complete, it will be showing ‘RED’ entries bold 'BLACK' entries and ‘GREEN’ entries in the window
    7. Make certain there is a check mark beside all of the RED entries ONLY.
    8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.
    9. REBOOT normally to complete the scan and clear memory.


    Reboot!


    Go here and in the box provided, paste the following one at a time. Then press SUBMIT

    C:\Program Files\WinRAR\_RarExt.exe
    C:\WINDOWS\system32\system.bin
    C:\WINDOWS\system32\_RarExt.exe
    C:\WINDOWS\system32\_textpad.exe

    The files will be scanned by various Anti-Virus scanners. Please post the results here.


    Post a new HJT log and the scan results :)
  • FaDeD
    edited January 2006
    Ok, Spybot found some errors and failed to delete them - twice.. even after doing a reboot..

    Here's the HJT Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 20:05:57, on 21/01/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    F:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    F:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.something.com/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [®Windows Update] svchosts.exe
    O4 - HKLM\..\RunOnce: [SpybotSnD] "F:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [®Windows Update] svchosts.exe
    O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} -
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - F:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe

    The other things werent able to upload.. I turned off all of my firewalls on every computer on my network but still nothing.
  • TroganTrogan London, UK
    edited January 2006
    FaDeD wrote:
    The other things werent able to upload.. I turned off all of my firewalls on every computer on my network but still nothing.
    Did you get a message?
    ==========


    We need to DISABLE SpyBots TeaTimer as it may interfere with the fix.

    1) Run Spybot-S&D
    2) Go to the Mode menu, and make sure "Advanced Mode" is selected
    3) On the left hand side, choose Tools -> Resident
    4) Uncheck "Resident TeaTimer" and OK any prompts
    5) Exit SpyBot
    ===


    Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)
    - Close ALL open windows
    Click Fix Checked

    O4 - HKLM\..\Run: [®Windows Update] svchosts.exe
    O4 - HKCU\..\Run: [®Windows Update] svchosts.exe

    O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} -
    ===


    Reboot the computer!

    Enable SpyBots TeaTimer

    If you can, try scanning those files again

    Post a new HJT log. :)
Sign In or Register to comment.