IE - Home page jumps to various sites.
Hello, I would like to request some help regarding the IE homepage. I set it as about:blank, however it keeps jumping to a page known as http://www.guarduptodate.com. It's a Security Center site which I really think is another adware program. I've used Spybot Search and Destroy, Ad-Aware and scanned with ewido. I've tried SmitRem, but I could never get it to run even after I extracted the folder. Please help me, thank you.
Also... My computer was infected with SpywareQuake a few days ago, but after running some of those anti-spyware programs, it stopped. I'm still not too sure if I removed it thoroughly or not though. Please check for me.
Here is the HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 3:59:47 AM, on 5/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpF454.tmp
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
Comments
Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Unzip it (folder named SmitFraudFix) to your desktop:
Open the folder SmitfraudFix and doubleclick smitfraudfix.cmd
Choose option #1 - Search by typing 1 and pressing "Enter"; a textfile opens and lists the infected files (if those exist)
Post the contents of this textfile to here.
(Some antivirus programs recognise process.exe as malware. It is not malware; it is a program that stops processes.)
Boot your computer in safe mode.
Open the folder SmitfraudFix and doubleclick smitfraudfix.cmd
Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.
You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.
The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".
The tool might have to restart your computer; if it won't do it, restart your computer back to normal mode.
A textfile will appear after the cleaning process, copy this file and paste it to here.
The log is saved to your local disk drive, usually C:\rapport.txt.
Again I've downloaded the new smitfraudfix, but still no luck on running it (I guess there are lots of problems with my computer). Are there any other ways to fix this?
Thanks
Well, it is possible to get rid of smitfraud.
Update your ewido, but don't run it yet.
Please download KillBox
http://www.downloads.subratam.org/KillBox.zip
Unzip it to desktop.
Run it.
Choose
* Delete on Reboot
* Click All Files option.
# Copy and paste the following lines to the clipboard:
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\winmxw32.dll
C:\WINDOWS\system32\dvdcap.dll
C:\WINDOWS\pop06ap2.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\simpole.tlb
C:\WINDOWS\system32\stdole3.tlb
C:\WINDOWS\system32\dlh9jkdq?.exe
C:\WINDOWS\system32\twain32.dll
C:\WINDOWS\system32\hpF454.tmp
# Return to KillBox, go to File, and choose Paste from Clipboard.
# Click the red-white Delete File button. Click Yes to "Delete on Reboot".
Click OK on every question PendingFileRenameOperations asks, and let me know if those exist.
Your computer should restart now. If not, reboot it yourself.
If you get the message: Component 'MsComCtl.ocx' or one of its dependencies not correctly registered
download this and run it, then try again:
http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe
Boot the computer straight to safe mode.
Delete this folder if it exists:
C:\WINDOWS\system32\ >>>1024
Launch ewido.
Click Scanner > Options and mark "scan every file".
Go back to Scanner and choose "Complete System Scan".
Save the report.
Boot normally and send a fresh HijackThis log and ewido's report.
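A small log-triage helper, added here for illustration and not part of the original post or of HijackThis: it parses lines in the HijackThis format posted above and flags the three kinds of entry the helper acted on (a nameless O2 BHO loaded from a .tmp in system32, the non-default O20 Winlogon Notify package winmxw32, and an O16 ActiveX download from a host that is not the expected vendor). The Winlogon Notify allowlist and the trusted-host list are assumptions constructed for the example, and the sample lines are copied from the logs in this thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99.1 line format; the entries are copied
# from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpF454.tmp
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# Every HijackThis entry starts with its section code: "O<n> - <body>"
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# Winlogon Notify subkeys a stock Windows XP SP2 install registers.
# Assumption: an illustrative subset used as an allowlist, not an authoritative list.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Hosts from which ActiveX (O16 DPF) downloads are expected on this machine.
# Assumption: constructed for the example; the QuickTime installer in the
# thread is served through akamai.net.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com", "apple.com", "akamai.net")


def _host_trusted(host):
    host = (host or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def check_bho(body):
    """O2 - BHO: <name> - {CLSID} - <path>"""
    name, _, rest = body[len("BHO: "):].partition(" - ")
    _clsid, _, path = rest.partition(" - ")
    reasons = []
    if name.strip().lower() in ("nothing", "(no name)"):
        reasons.append("BHO registered without a name")
    if path.strip().lower().endswith(".tmp"):
        reasons.append("BHO loaded from a .tmp file")
    return reasons


def check_dpf(body):
    """O16 - DPF: {CLSID} [(name)] - <download URL>"""
    _, _, url = body.rpartition(" - ")
    host = urlparse(url.strip()).hostname
    if not _host_trusted(host):
        return ["ActiveX download from untrusted host %s" % host]
    return []


def check_winlogon_notify(body):
    """O20 - Winlogon Notify: <subkey> - <dll> [(file missing)]"""
    subkey, _, dll = body[len("Winlogon Notify: "):].partition(" - ")
    reasons = []
    if subkey.strip().lower() not in KNOWN_WINLOGON_NOTIFY:
        reasons.append("non-default Winlogon Notify package %s" % subkey.strip())
    if dll.strip().endswith("(file missing)"):
        # A dangling entry: the DLL was removed but the registry value remains.
        reasons.append("Winlogon Notify entry points to a missing DLL")
    return reasons


CHECKS = {"O2": check_bho, "O16": check_dpf, "O20": check_winlogon_notify}


def audit(log_text):
    """Return [(entry_type, reason, line)] for every entry a check flags."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry_type, body = m.group(1), m.group(2)
        check = CHECKS.get(entry_type)
        if check is None:
            continue
        for reason in check(body):
            findings.append((entry_type, reason, line.strip()))
    return findings


if __name__ == "__main__":
    for entry_type, reason, line in audit(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (entry_type, reason, line))
```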
Scan saved at 10:19:54 PM, on 5/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp34C2.tmp
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winmxw32 - winmxw32.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
ewido anti-malware - Scan report
+ Created on: 10:11:03 PM, 5/6/2006
+ Report-Checksum: 55E883B8
+ Scan result:
HKLM\SOFTWARE\Classes\WinRes.WindowsResources -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\WinRes.WindowsResources\CLSID -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\WinRes.WindowsResources\CurVer -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\WinRes.WindowsResources.1 -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SpyFalcon -> Adware.SpyFalcon : Cleaned with backup
C:\!KillBox\winmxw32.dll -> Trojan.Agent.qt : Cleaned with backup
C:\!KillBox\winmxw32.dll( 3) -> Trojan.Agent.qt : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.148:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.149:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.175:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.232:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.240:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Paycounter : Cleaned with backup
:mozilla.244:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.245:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.247:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.248:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.249:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.250:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.252:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.283:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.319:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.320:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.321:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.322:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.324:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Komtrack : Cleaned with backup
:mozilla.325:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Komtrack : Cleaned with backup
C:\Documents and Settings\Harry Lin\Cookies\harry [email]lin@cnn.122.2o7[1].txt[/email] -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Harry Lin\Cookies\harry [email]lin@statcounter[1].txt[/email] -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Harry Lin\Local Settings\Temp\!update.exe -> Downloader.PurityScan.w : Cleaned with backup
C:\Documents and Settings\Harry Lin\Local Settings\Temp\cli688.tmp -> Trojan.Agent.qt : Cleaned with backup
C:\Documents and Settings\Harry Lin\Local Settings\Temporary Internet Files\Content.IE5\G9EFA5WP\srvlbin5[1].exe -> Trojan.Dialer.oy : Cleaned with backup
C:\Documents and Settings\Harry Lin\Local Settings\Temporary Internet Files\Content.IE5\O5UNMX8R\wizp32[1].exe -> Downloader.IstBar.eq : Cleaned with backup
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup
C:\Program Files\Common Files\аѕsembly\attrib.exe -> Downloader.PurityScan.w : Cleaned with backup
C:\Program Files\SpyFalcon -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\blacklist.txt -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\Lang -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\Lang\English.ini -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\Logs -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\msvcp71.dll -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\msvcr71.dll -> Adware.SpyFalcon : Cleaned with backup
-> : Error during cleaning
C:\Program Files\SpyFalcon\SpyFalcon.url -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\syg.db -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\uninst.exe -> Adware.SpyFalcon : Cleaned with backup
C:\WINDOWS\Temp\win82E6.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
C:\WINDOWS\Temp\win82EB.tmp.exe -> Downloader.IstBar.eq : Cleaned with backup
::Report End
Run HijackThis, then check and fix:
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp34C2.tmp
Turn off your system restore:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q306084
Please download CCleaner:
http://www.snapfiles.com/get/ccleaner.html
instructions:
http://www.ccleaner.com/help/tour1.asp
Run CCleaner with the "Cleaner" and "Issues" options.
Then boot your computer to safe mode and delete this folder:
C:\Program Files\ >SpyFalcon\
Run ewido with the same settings as before.
Boot normally and turn System Restore back on.
Send a fresh HijackThis log and ewido's report.
Logfile of HijackThis v1.99.1
Scan saved at 4:48:00 AM, on 5/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp5385.tmp
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winmxw32 - winmxw32.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
Download the Roguescanfix depending on your language from here:
http://www.martijnc.be/tools/roguescanfix.exe
# Download FixSQ.reg to your desktop by right clicking on the following link and then selecting Save Link As or Save File as, depending on your browser.
http://www.bleepingcomputer.com/files/reg/FixSQ.reg
# Confirm that the file Roguescanfix.exe now resides on your desktop.
# Double-click on the roguescanfix.exe file found on your desktop and then press the Install button. The file will create a folder on your desktop called roguescanfix.
# Double-click on the roguescanfix folder and then double-click on Run.bat. Please note that when the Run.bat starts it will download a program from the Internet that it needs to use during the cleanup. If your firewall gives an alert about this, please allow the download.exe or run.bat program to access the Internet.
When you start the Run.bat program your desktop will disappear which is normal so you do not need to be concerned. It will then start the SpywareQuake uninstallation program. When that program starts, click on the Uninstall button. When it has finished uninstalling, you can then press the OK button to finish the uninstalling of SpywareQuake.
When this program is finished, and it was able to delete all the files, you will see a small prompt that says Completed script execution. Simply press the OK button. It will then open the Brute Force Uninstaller program. You can simply press the Exit button and continue to Step 5.
If there were more files that needed to be deleted, the program will prompt you to reboot your computer.
Run FixSQ.reg.
Scan your computer with Panda's online scanner; use Internet Explorer.
http://www.pandasoftware.com/products/activescan.htm
Save Panda's report.
Reboot your computer, and send a fresh HijackThis log and Panda's report.
Scan saved at 6:13:45 AM, on 5/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll (file missing)
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp5385.tmp
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winmxw32 - winmxw32.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
Incident Status Location
Adware:Adware/SecurityError Not disinfected C:\!KillBox\atmclk.exe
Adware:Adware/SecurityError Not disinfected C:\!KillBox\atmclk.exe( 4)
Adware:Adware/SecurityError Not disinfected C:\!KillBox\dcomcfg.exe
Adware:Adware/SecurityError Not disinfected C:\!KillBox\dcomcfg.exe( 5)
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt[ad.yieldmanager.com/]
Adware:adware/securityerror
Run Killbox.
Choose:
* Delete on Reboot
* Click the All Files option.
# Copy and paste the following lines to the clipboard:
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\winmxw32.dll
C:\WINDOWS\system32\dvdcap.dll
C:\WINDOWS\system32\hp5385.tmp
C:\WINDOWS\system32\regperf.exe
# Return to Killbox, go to File, and choose Paste from Clipboard.
# Click the red-and-white Delete File button. Click Yes to "Delete on Reboot".
Click OK to every question PendingFileRenameOperations asks, and let me know if those exist.
Your computer should restart now. If not, reboot it yourself.
Run Panda's online scan again.
Send Panda's report and a fresh HijackThis log.
Thank you very much!
Logfile of HijackThis v1.99.1
Scan saved at 12:15:42 PM, on 5/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll (file missing)
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp5385.tmp (file missing)
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winmxw32 - winmxw32.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
Incident Status Location
Adware:Adware/SecurityError Not disinfected C:\!KillBox\atmclk.exe
Adware:Adware/SecurityError Not disinfected C:\!KillBox\atmclk.exe( 4)
Adware:Adware/SecurityError Not disinfected C:\!KillBox\dcomcfg.exe
Adware:Adware/SecurityError Not disinfected C:\!KillBox\dcomcfg.exe( 5)
Spyware:Cookie/Falkag Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt[as1.falkag.de/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt[.zedo.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt[.ads.pointroll.com/]
Scan with HijackThis and check these:
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll (file missing)
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp5385.tmp (file missing)
O20 - Winlogon Notify: winmxw32 - winmxw32.dll (file missing)
Close all windows except HijackThis and click Fix Checked.
Run Killbox.
Choose:
* Delete on Reboot
* Click the All Files option.
# Copy and paste the following lines to the clipboard:
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\winmxw32.dll
C:\WINDOWS\system32\dvdcap.dll
C:\WINDOWS\system32\hp5385.tmp
C:\WINDOWS\system32\regperf.exe
C:\WINDOWS\system32\winapi32.dll
C:\WINDOWS\system32\reglogs.dll
# Return to Killbox, go to File, and choose Paste from Clipboard.
# Click the red-and-white Delete File button. Click Yes to "Delete on Reboot".
Click OK to every question PendingFileRenameOperations asks, and let me know if those exist.
Your computer should restart now. If not, reboot it yourself.
Boot directly into Safe Mode and rescan with Ewido ("every file" complete system scan). Save the report.
Run Panda's online scan again.
Send Panda's report, a fresh HijackThis log and Ewido's report.
Good free antivirus:
AVG (I use it)
AVAST
ANTIVIR
Download a firewall too.
Zone Alarm
Kerio
Outpost
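A small triage script, added here as an example and not part of the thread or of HijackThis itself: it parses O2 (BHO) and O20 (Winlogon Notify) lines in the HijackThis 1.99 format shown above and flags the two patterns the helper asked to have fixed, entries marked "(file missing)" and a BHO registered against a .tmp file. The sample lines are copied from the logs in this thread, plus one constructed benign Winlogon Notify entry to show what is not flagged.

```python
import re
from typing import Iterable, List, NamedTuple


class Finding(NamedTuple):
    section: str  # HijackThis section, e.g. "O2" or "O20"
    name: str     # object name as HijackThis prints it
    path: str     # file the registration points at
    reason: str   # why the entry was flagged


# O2 and O20 lines as HijackThis 1.99 prints them; "(file missing)" is optional.
_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                 r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - "
                  r"(?P<path>.+?)(?P<missing> \(file missing\))?$")


def triage_hjt(lines: Iterable[str]) -> List[Finding]:
    """Flag O2/O20 entries that are orphaned or that load from a .tmp file."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        section = line.split(" ", 1)[0]
        pattern = {"O2": _O2, "O20": _O20}.get(section)
        m = pattern.match(line) if pattern else None
        if m is None:
            continue  # other sections (O4, O16, O23, ...) are not triaged here
        name, path = m.group("name"), m.group("path")
        if m.group("missing"):
            findings.append(Finding(section, name, path,
                                    "registration points at a file that no longer exists"))
        if path.lower().endswith(".tmp"):
            findings.append(Finding(section, name, path,
                                    "loads a BHO/notify DLL from a .tmp file"))
    return findings


def lines_to_fix(lines: Iterable[str]) -> List[str]:
    """Return the original log lines a helper would ask to 'check' in HijackThis."""
    return [line for line in lines if triage_hjt([line])]


# Constructed sample: four lines taken from the thread's logs, one benign line added.
SAMPLE_LOG = [
    r"O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll (file missing)",
    r"O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp5385.tmp",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O20 - Winlogon Notify: winmxw32 - winmxw32.dll (file missing)",
    r"O20 - Winlogon Notify: crypt32chain - crypt32.dll",  # constructed benign entry
]

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.section} {f.name}: {f.path} -> {f.reason}")
```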