Virus returns after reboot..

Hey out there..

I have a big problem right here guys.. I read the guide on http://www.short-media.com/forum/showthread.php?t=43902 and did what it said, BUT! The virus/spyware keep coming back when I reboot my PC, and sometimes I just can't delete/remove them..

So far the virus/spyware are: Command Service and coolWWWsearch and WebHancer..

I got the HijackThis Log right here:

Logfile of HijackThis v1.99.1
Scan saved at 21:58:01, on 30-04-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
C:\Programmer\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmer\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\programmer\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmer\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
C:\Programmer\Fælles filer\Panda Software\PavShld\pavprsrv.exe
C:\Programmer\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\Programmer\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE
C:\Programmer\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmer\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
C:\Games\Valve\Steam.exe
C:\Programmer\Windows Media Player\wmplayer.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Spybot - Search & Destroy\SpybotSD.exe
C:\Programmer\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programmer\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [webHancer Agent] C:\Programmer\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard15.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Programmer\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [STYLEXP] C:\Programmer\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmer\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142961187424
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Programmer\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Programmer\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Programmer\Fælles filer\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programmer\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - c:\programmer\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Programmer\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programmer\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Programmer\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe

Hmm, I don't know if that's all you guys need? :) Or else, you can always send a mail: Mikestyre@hotmail.com

Please help me man, this is just destroying my computer..

- Peace - Sp34k -

Comments

  • edited May 2006
    Hello Sp34k!

    You've got 2 firewalls on your computer.

    Go to Control Panel -> Add/Remove Programs -> Remove Kerio

    ==

    Disable Spybot S&D's TeaTimer:
    1. Start Spybot S&D in advanced mode.
    2. If it is not in advanced mode, press Mode and choose advanced mode
    3. Press Tools (on the left)
    4. Press Resident
    5. Uncheck "Resident TeaTimer" and press OK
    6. Restart your computer

    Download Ewido from here: http://www.ewido.net/en/download/

    Install Ewido and update, but do not scan yet.

    ==

    Please download BruteForceUninstaller to C:\

    http://www.merijn.org/files/bfu.zip

    Then go to My Computer -> C:\

    Click the file BFU.zip with your right mouse button
    -> menu opens
    -> choose WinZip
    -> choose Extract to here
    -> folder named bfu appears in C:\

    Download this removal script (click with your right mouse button, save target as) -> http://metallica.geekstogo.com/alcanshorty.bfu
    And save it to the same folder as where BFU was installed earlier (c:\BFU).

    Reboot your computer in Safe Mode by doing the following:

    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.

    Go to Control Panel -> Add or remove programs -> Remove:

    WebHancer Agent

    Launch Ewido

    * Click on scanner
    * Click on Complete System Scan and the scan will begin.
    * You will be prompted to clean the first infection.
    * Select "Perform action on all infections", then proceed.
    * Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    * Click Save report.
    * Save the report .txt file to your desktop or a location where you can find it easily.

    -> Run BFU by double-clicking BFU.exe
    -> Type or copy/paste this into the "Scriptline to execute" field: C:\BFU\alcanshorty.bfu
    -> Click Execute and let it do its work (you should see a progress bar if you did this right)
    -> Wait for the "Complete script execution" box and click OK.
    -> Click Exit in order to quit BFU.

    Run HijackThis and fix these entries: (Do a system scan only, check entries, close all other windows, press Fix checked)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O4 - HKLM\..\Run: [webHancer Agent] C:\Programmer\webHancer\Programs\whagent.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Programmer\Sunbelt Software\Personal Firewall 4\kpf4ss.exe

    Delete these if found:

    C:\Programmer\==>webHancer<==
    C:\Programmer\==>Sunbelt Software<==

    Reboot to Normal Mode.

    Send a new HijackThis log & Ewido report.
  • edited May 2006
    Hi :)

    Well, mission complete ;) I have done all the things you wanted me to and I got the logs from HijackThis and Ewido :)

    Hijackthis log:


    Logfile of HijackThis v1.99.1
    Scan saved at 16:28:55, on 03-05-2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmer\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Programmer\TGTSoft\StyleXP\StyleXP.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Programmer\ewido anti-malware\ewidoctrl.exe
    C:\Programmer\ewido anti-malware\ewidoguard.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmer\ewido anti-malware\SecuritySuite.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmer\Internet Explorer\iexplore.exe
    C:\Programmer\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [STYLEXP] C:\Programmer\TGTSoft\StyleXP\StyleXP.exe -Hide
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142961187424
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido anti-malware\ewidoguard.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Programmer\TGTSoft\StyleXP\StyleXPService.exe


    And Ewido:


    ewido anti-malware - Scanningsrapport

    + Oprettet den: 18:18:13, 03-05-2006
    + Rapport-Checksum: 6453F701

    + Scanningsresultat:
    HKU\S-1-5-21-2000478354-1060284298-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Renset med backup


    ::Rapport slut


    I hope you can use it dude :) Btw, cool work bro! Respect!

    - Mike From Denmark
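As an added example (not from this thread, and not HijackThis's own code), a small Python parser for the HijackThis 1.99 log format posted here: it diffs the scan from before the clean-up against the one posted after it, listing which entries were removed, which are new, and which survived the reboot, and flags the "(no file)"/"(file missing)" leftovers. The sample lines are excerpted from the two logs above.

```python
"""Parse HijackThis 1.99 logs and diff two scans.

Added example, not part of this thread or of HijackThis itself.  Each
"<section> - <detail>" line (R0, R1, O2, O4, O20, O23, ...) is one
browser-hijack or autostart entry; header lines and the "Running processes"
paths do not match that shape and are skipped.
"""
import re
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    section: str  # HijackThis section code, e.g. "O4"
    detail: str   # rest of the line, e.g. the Run value and its command


ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<detail>.+)$")
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")

# Markers HijackThis appends when the referenced file no longer exists.
DANGLING_MARKERS = ("(no file)", "(file missing)")


def parse_log(text: str) -> List[Entry]:
    """Return the hijack/autostart entries of one HijackThis log, in order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("detail")))
    return entries


def diff_logs(before: List[Entry], after: List[Entry]) -> Dict[str, List[Entry]]:
    """Split two scans into entries removed, added, and present in both."""
    before_set, after_set = set(before), set(after)
    return {
        "removed": [e for e in before if e not in after_set],
        "added": [e for e in after if e not in before_set],
        "persisted": [e for e in before if e in after_set],
    }


def dangling_entries(entries: List[Entry]) -> List[Entry]:
    """Entries pointing at a file that is gone: leftovers that are safe to fix."""
    return [e for e in entries if any(m in e.detail for m in DANGLING_MARKERS)]


def run_value_names(entries: List[Entry]) -> List[str]:
    """Value names of the O4 Run/RunOnce entries, i.e. what relaunches at boot."""
    names = []
    for e in entries:
        if e.section == "O4":
            m = RUN_NAME_RE.search(e.detail)
            if m:
                names.append(m.group("name"))
    return names


# Excerpts of the logs posted in the thread on 30-04-2006 and 03-05-2006.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [webHancer Agent] C:\Programmer\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard15.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Programmer\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
"""
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

if __name__ == "__main__":
    before, after = parse_log(BEFORE_LOG), parse_log(AFTER_LOG)
    for label, items in diff_logs(before, after).items():
        print(f"{label} ({len(items)}):")
        for e in items:
            print(f"  {e.section} - {e.detail}")
    print("dangling before:", [e.section for e in dangling_entries(before)])
    print("Run values after:", run_value_names(after))
```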
  • edited May 2006
    Open HJT and fix this entry:

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k


    Looks Much Better :)


    But now you only have an antivirus program installed, and you need a firewall as well.

    Firewall : http://www.agnitum.com/products/outpostfree/download.php
  • edited May 2006
    Now the O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k is gone :)

    Spuge, full respect for your great work! Now I don't need to format my PC :) Thanks to you! Well, dude, you're the best! Thanks a lot and peace!

    Mike from Denmark - Keep up the good work bro!! You've got an eye for this! Peace..
  • edited May 2006
    By the way bro, when I reboot/restart my PC the O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k is, well, reborn ;)
  • edited May 2006
    Ok, post a new log so I can see ;)
  • edited May 2006
    Ok, here you get the log ;)


    Logfile of HijackThis v1.99.1
    Scan saved at 17:56:20, on 09-05-2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmer\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Programmer\ewido anti-malware\ewidoctrl.exe
    C:\Programmer\ewido anti-malware\ewidoguard.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmer\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Programmer\Windows Media Player\wmplayer.exe
    C:\Games\Valve\Steam.exe
    C:\Programmer\Internet Explorer\iexplore.exe
    C:\Programmer\Outlook Express\msimn.exe
    C:\Programmer\Messenger\msmsgs.exe
    C:\Programmer\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [STYLEXP] C:\Programmer\TGTSoft\StyleXP\StyleXP.exe -Hide
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142961187424
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido anti-malware\ewidoguard.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Programmer\TGTSoft\StyleXP\StyleXPService.exe
  • edited May 2006
    And the scanning log of Ewido Anti-Malware looks like this:

    ewido anti-malware - Scanningsrapport

    + Oprettet den: 14:33:18, 11-05-2006
    + Rapport-Checksum: 6A81BEEA

    + Scanningsresultat:
    C:\Documents and Settings\Mike Bertelsen\Cookies\mike bertelsen@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Renset med backup
    C:\Documents and Settings\Mike Bertelsen\Cookies\mike bertelsen@ilead.itrack[1].txt -> TrackingCookie.Itrack : Renset med backup
    C:\Documents and Settings\Mike Bertelsen\Cookies\mike bertelsen@statcounter[2].txt -> TrackingCookie.Statcounter : Renset med backup
    C:\Documents and Settings\Mike Bertelsen\Cookies\mike bertelsen@tacoda[1].txt -> TrackingCookie.Tacoda : Renset med backup
    C:\Documents and Settings\Mike Bertelsen\Cookies\mike bertelsen@yadro[2].txt -> TrackingCookie.Yadro : Renset med backup
    C:\Documents and Settings\Mike Bertelsen\Lokale indstillinger\Temporary Internet Files\Content.IE5\0HYZKHUR\drsmartload_js[1].htm -> Downloader.IstBar.j : Renset med backup
    C:\Documents and Settings\Mike Bertelsen\Lokale indstillinger\Temporary Internet Files\Content.IE5\0XAZ09Q3\drsmartload_js[1].htm -> Downloader.IstBar.j : Renset med backup
    C:\Documents and Settings\Mike Bertelsen\Lokale indstillinger\Temporary Internet Files\Content.IE5\0XAZ09Q3\drsmartload_js[2].htm -> Downloader.IstBar.j : Renset med backup
    C:\Documents and Settings\Mike Bertelsen\Lokale indstillinger\Temporary Internet Files\Content.IE5\0XAZ09Q3\index1[1].htm -> Not-A-Virus.Exploit.HTML.Mht : Renset med backup
    C:\Documents and Settings\Mike Bertelsen\Lokale indstillinger\Temporary Internet Files\Content.IE5\O7QRSBUD\e[1].anr -> Downloader.Ani.c : Renset med backup
    C:\Documents and Settings\Mike Bertelsen\Lokale indstillinger\Temporary Internet Files\Content.IE5\ODA30PMN\ad[1].anr -> Downloader.Ani.c : Renset med backup
    C:\Documents and Settings\Mike Bertelsen\Lokale indstillinger\Temporary Internet Files\Content.IE5\OH6RKLE3\drsmartload_js[1].htm -> Downloader.IstBar.j : Renset med backup
    C:\Documents and Settings\Mike Bertelsen\Lokale indstillinger\Temporary Internet Files\Content.IE5\OH6RKLE3\jar[1].jar/Counter.class -> Trojan.Femad : Renset med backup
    C:\Documents and Settings\Mike Bertelsen\Lokale indstillinger\Temporary Internet Files\Content.IE5\OH6RKLE3\jar[1].jar/Gummy.class -> Not-A-Virus.Exploit.ByteVerify : Renset med backup
    C:\Documents and Settings\Mike Bertelsen\Lokale indstillinger\Temporary Internet Files\Content.IE5\OH6RKLE3\jar[1].jar/VerifierBug.class -> Trojan.Femad : Renset med backup
    C:\Documents and Settings\Mike Bertelsen\Lokale indstillinger\Temporary Internet Files\Content.IE5\OH6RKLE3\jar[1].jar/web.exe -> Downloader.Tiny.bw : Renset med backup
    C:\Documents and Settings\Mike Bertelsen\Lokale indstillinger\Temporary Internet Files\Content.IE5\OH6RKLE3\jar[1].jar/Worker.class -> Trojan.Femad : Renset med backup
    C:\Documents and Settings\Mike Bertelsen\Lokale indstillinger\Temporary Internet Files\Content.IE5\OH6RKLE3\jar[1].jar/Xeyond.class -> Trojan.Femad : Renset med backup
    C:\Documents and Settings\Mike Bertelsen\Lokale indstillinger\Temporary Internet Files\Content.IE5\PGONT185\drsmartload_js[1].htm -> Downloader.IstBar.j : Renset med backup
    C:\Documents and Settings\Mike Bertelsen\Lokale indstillinger\Temporary Internet Files\Content.IE5\SLABGLUF\jar[1].jar/Counter.class -> Trojan.Femad : Renset med backup
    C:\Documents and Settings\Mike Bertelsen\Lokale indstillinger\Temporary Internet Files\Content.IE5\SLABGLUF\jar[1].jar/Gummy.class -> Not-A-Virus.Exploit.ByteVerify : Renset med backup
    C:\Documents and Settings\Mike Bertelsen\Lokale indstillinger\Temporary Internet Files\Content.IE5\SLABGLUF\jar[1].jar/VerifierBug.class -> Trojan.Femad : Renset med backup
    C:\Documents and Settings\Mike Bertelsen\Lokale indstillinger\Temporary Internet Files\Content.IE5\SLABGLUF\jar[1].jar/web.exe -> Trojan.LowZones.dm : Renset med backup
    C:\Documents and Settings\Mike Bertelsen\Lokale indstillinger\Temporary Internet Files\Content.IE5\SLABGLUF\jar[1].jar/Worker.class -> Trojan.Femad : Renset med backup
    C:\Documents and Settings\Mike Bertelsen\Lokale indstillinger\Temporary Internet Files\Content.IE5\SLABGLUF\jar[1].jar/Xeyond.class -> Trojan.Femad : Renset med backup


    ::Rapport slut

    To translate what I can from Danish to English:

    Oprettet den: is the date when the log was created

    Rapport-Checksum is, well, what it says I think :P

    And Scanningsresultat: is the result, the bad files, you know, viruses and so on..

    and Rapport slut is: report end

    It doesn't look good, right?

    :) - Mike
  • edited May 2006
    Hello, I'm back :)

    My computer started to act weird again, now it's really slow and when I play a game called Silkroad Online my computer suddenly just reboots.. My HijackThis log looks like this now:

    Logfile of HijackThis v1.99.1
    Scan saved at 19:28:38, on 18-05-2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmer\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Programmer\TGTSoft\StyleXP\StyleXP.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe
    C:\Programmer\Arto\Notifier\ArtoNotifier.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Programmer\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmer\ewido anti-malware\SecuritySuite.exe
    C:\Programmer\Internet Explorer\iexplore.exe
    C:\Programmer\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmer\Fælles filer\Ahead\Lib\NeroCheck.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Programmer\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ArtoNotifier] C:\Programmer\Arto\Notifier\ArtoNotifier.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/cseng/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142961187424
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Programmer\TGTSoft\StyleXP\StyleXPService.exe


    I hope I can get some help again ;) Or else, I must format my PC :( Don't want to lose all my data so please help me..