Weird winlogon.exe troubles
O.K. A couple of weeks ago, I successfully battled the Surf Sidekick Pro 3 spyware/virus. Now, I have come across a new virus. I believe that it edited my winlogon.exe file (which I'm starting to find out is quite common). Anyways, here are the problems this one has given me. The first thing I noticed is that the IE Content Advisor password was changed and that the IECA was popping up for EVERY page. This was a quick enough fix, if only it had been the only thing. It installed a couple of spyware programs like SpywareQuake and something else (also quick fixes). However, every time I start up ZoneAlarm now, explorer and winlogon attempt to access the internet. They do so on these IPs/ports:
192.168.1.1:1900 (My network gateway) (this was winlogon.exe)
66.170.32.11:DNS (My ISP) (winlogon)
127.0.0.1:1397 (my computer) (winlogon)
127.0.0.1:1397 (my computer) (explorer.exe)
0.0.0.0:135 (None) (winlogon)
127.0.0.1:18350 (local again) (explorer)
0.0.0.0:18350 (winlogon)
If I deny them access, then I lose access to the internet completely!

WTF? I've tried Vundo Destroyer, Look2Me Destroyer, and SmitFraudFix (this one actually came up with infected files; see below). I ran HijackThis several times and deleted some "020 - winlogon" or "020 - win notify" entries. I've run ewido, my disabled Norton (not sure how that happened), Ad-Aware SE, and AntiVir (ALL in safe mode). I REALLY need a response soon, as my parents are planning on breaking down and paying the computer store for help. I obviously can't just delete the files (even if I wanted to). Here are the logs of the ones that came up with items:
ewido anti-spyware - Scan Report
+ Created at: 6:35:09 PM 7/13/2006
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB} -> Adware.Generic : Cleaned.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B6E649FA-5461-40d7-AB4D-54FC3C8DB767}\\BandCLSID -> Adware.Generic : Cleaned.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{736b5468-bdad-41be-92d0-22ae2ddf7bcb} -> Adware.Generic : Cleaned.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2DEA8791-C2B7-48E1-8992-8E8E6A6FE789} -> Adware.Generic : Cleaned.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2DEA8791-C2B7-48E1-8992-8E8E6A6FE789} -> Adware.Generic : Cleaned.
HKLM\SOFTWARE\Classes\WUSN.1 -> Adware.SaveNow : Cleaned.
C:\Program Files\whInstall -> Adware.Webhancer : Cleaned.
C:\Program Files\whInstall\Sporder.dll -> Adware.Webhancer : Cleaned.
C:\Program Files\whInstall\license.txt -> Adware.Webhancer : Cleaned.
C:\Program Files\whInstall\readme.txt -> Adware.Webhancer : Cleaned.
C:\Program Files\whInstall\webhdll.dll -> Adware.Webhancer : Cleaned.
C:\Program Files\whInstall\whAgent.exe -> Adware.Webhancer : Cleaned.
C:\Program Files\whInstall\whAgent.ini -> Adware.Webhancer : Cleaned.
C:\Program Files\whInstall\whInstaller.exe -> Adware.Webhancer : Cleaned.
C:\Program Files\whInstall\whSurvey.exe -> Adware.Webhancer : Cleaned.
C:\Program Files\whInstall\whiehlpr.dll -> Adware.Webhancer : Cleaned.
C:\WINDOWS\wh.exe/whAgent.exe -> Adware.WebHancer : Cleaned.
C:\Documents and Settings\Carlisle Roose.MICHAEL\Desktop\Peepster\Dark Ops\Internet Crap\Nirsoft\pspv.zip/pspv.exe -> Not-A-Virus.PSWTool.Win32.PassView.162 : Cleaned.
C:\Documents and Settings\Carlisle Roose.MICHAEL\Desktop\Peepster\Dark Ops\Internet Crap\Nirsoft\pspv\pspv.exe -> Not-A-Virus.PSWTool.Win32.PassView.162 : Cleaned.
C:\RECYCLER\S-1-5-21-2025429265-2111687655-725345543-500\Dc5.rar/Seagate\WINDOWS\Cookies\jon roose@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\RECYCLER\S-1-5-21-2025429265-2111687655-725345543-500\Dc5.rar/Seagate\WINDOWS\Cookies\jon roose@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.13:C:\Documents and Settings\Carlisle Roose.MICHAEL\Application Data\Mozilla\Firefox\Profiles\v4jleiim.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\RECYCLER\S-1-5-21-2025429265-2111687655-725345543-500\Dc5.rar/Seagate\WINDOWS\Cookies\jon roose@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.15:C:\Documents and Settings\Carlisle Roose.MICHAEL\Application Data\Mozilla\Firefox\Profiles\v4jleiim.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.11:C:\Documents and Settings\Carlisle Roose.MICHAEL\Application Data\Mozilla\Firefox\Profiles\v4jleiim.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.12:C:\Documents and Settings\Carlisle Roose.MICHAEL\Application Data\Mozilla\Firefox\Profiles\v4jleiim.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.26:C:\Documents and Settings\Carlisle Roose.MICHAEL\Application Data\Mozilla\Firefox\Profiles\v4jleiim.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.27:C:\Documents and Settings\Carlisle Roose.MICHAEL\Application Data\Mozilla\Firefox\Profiles\v4jleiim.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.28:C:\Documents and Settings\Carlisle Roose.MICHAEL\Application Data\Mozilla\Firefox\Profiles\v4jleiim.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.29:C:\Documents and Settings\Carlisle Roose.MICHAEL\Application Data\Mozilla\Firefox\Profiles\v4jleiim.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.30:C:\Documents and Settings\Carlisle Roose.MICHAEL\Application Data\Mozilla\Firefox\Profiles\v4jleiim.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
C:\RECYCLER\S-1-5-21-2025429265-2111687655-725345543-500\Dc5.rar/Seagate\WINDOWS\Cookies\jon roose@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\RECYCLER\S-1-5-21-2025429265-2111687655-725345543-500\Dc5.rar/Seagate\WINDOWS\Cookies\jon roose@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\system@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
C:\RECYCLER\S-1-5-21-2025429265-2111687655-725345543-500\Dc4\WINDOWS\Cookies\jon roose@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\RECYCLER\S-1-5-21-2025429265-2111687655-725345543-500\Dc5.rar/Seagate\WINDOWS\Cookies\jon roose@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\RECYCLER\S-1-5-21-2025429265-2111687655-725345543-500\Dc5.rar/Seagate\WINDOWS\Cookies\jon roose@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\RECYCLER\S-1-5-21-2025429265-2111687655-725345543-500\Dc5.rar/Seagate\WINDOWS\Cookies\jon roose@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\system@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned.
C:\RECYCLER\S-1-5-21-2025429265-2111687655-725345543-500\Dc5.rar/Seagate\WINDOWS\Cookies\jon roose@hotlog[1].txt -> TrackingCookie.Hotlog : Cleaned.
C:\Documents and Settings\Carlisle Roose.MICHAEL\Local Settings\Temp\Cookies\carlisle roose@data2.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
:mozilla.16:C:\Documents and Settings\Carlisle Roose.MICHAEL\Application Data\Mozilla\Firefox\Profiles\v4jleiim.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.17:C:\Documents and Settings\Carlisle Roose.MICHAEL\Application Data\Mozilla\Firefox\Profiles\v4jleiim.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.18:C:\Documents and Settings\Carlisle Roose.MICHAEL\Application Data\Mozilla\Firefox\Profiles\v4jleiim.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.12:C:\RECYCLER\S-1-5-21-2025429265-2111687655-725345543-500\Dc4\WINDOWS\Application Data\Mozilla\Firefox\Profiles\if8y14yy.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.12:C:\RECYCLER\S-1-5-21-2025429265-2111687655-725345543-500\Dc5.rar/Seagate\WINDOWS\Application Data\Mozilla\Firefox\Profiles\if8y14yy.default\cookies.txt -> TrackingCookie.Sexcounter : Error during cleaning.
:mozilla.13:C:\RECYCLER\S-1-5-21-2025429265-2111687655-725345543-500\Dc4\WINDOWS\Application Data\Mozilla\Firefox\Profiles\if8y14yy.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.13:C:\RECYCLER\S-1-5-21-2025429265-2111687655-725345543-500\Dc5.rar/Seagate\WINDOWS\Application Data\Mozilla\Firefox\Profiles\if8y14yy.default\cookies.txt -> TrackingCookie.Sexcounter : Error during cleaning.
C:\Documents and Settings\Carlisle Roose.MICHAEL\Local Settings\Temp\Cookies\carlisle roose@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.31:C:\Documents and Settings\Carlisle Roose.MICHAEL\Application Data\Mozilla\Firefox\Profiles\v4jleiim.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\RECYCLER\S-1-5-21-2025429265-2111687655-725345543-500\Dc5.rar/Seagate\WINDOWS\Cookies\jon roose@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Carlisle Roose.MICHAEL\Local Settings\Temp\Cookies\carlisle roose@web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned.
C:\Documents and Settings\Carlisle Roose.MICHAEL\Local Settings\Temp\Cookies\carlisle roose@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\RECYCLER\S-1-5-21-2025429265-2111687655-725345543-500\Dc5.rar/Seagate\WINDOWS\Cookies\jon roose@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\WINDOWS\invupdate.exe -> Trojan.Imiserv.c : Cleaned.
C:\WINDOWS\system32\1024 -> Trojan.Small : Cleaned.
C:\WINDOWS\system32\1024\ld171C.tmp -> Trojan.Small : Cleaned.
C:\WINDOWS\system32\1024\ld1B9A.tmp -> Trojan.Small : Cleaned.
C:\WINDOWS\system32\1024\ld3225.tmp -> Trojan.Small : Cleaned.
C:\WINDOWS\system32\1024\ld4003.tmp -> Trojan.Small : Cleaned.
C:\WINDOWS\system32\1024\ld49C9.tmp -> Trojan.Small : Cleaned.
C:\WINDOWS\system32\1024\ld5156.tmp -> Trojan.Small : Cleaned.
C:\WINDOWS\system32\1024\ld59CA.tmp -> Trojan.Small : Cleaned.
C:\WINDOWS\system32\1024\ld70C2.tmp -> Trojan.Small : Cleaned.
C:\WINDOWS\system32\1024\ld7EC0.tmp -> Trojan.Small : Cleaned.
C:\WINDOWS\system32\1024\ld8F8D.tmp -> Trojan.Small : Cleaned.
C:\WINDOWS\system32\1024\ld919A.tmp -> Trojan.Small : Cleaned.
C:\WINDOWS\system32\1024\ld96B3.tmp -> Trojan.Small : Cleaned.
C:\WINDOWS\system32\1024\ldA190.tmp -> Trojan.Small : Cleaned.
C:\WINDOWS\system32\1024\ldB69.tmp -> Trojan.Small : Cleaned.
C:\WINDOWS\system32\1024\ldBEE5.tmp -> Trojan.Small : Cleaned.
C:\WINDOWS\system32\1024\ldCB45.tmp -> Trojan.Small : Cleaned.
C:\WINDOWS\system32\1024\ldD1CE.tmp -> Trojan.Small : Cleaned.
C:\WINDOWS\system32\1024\ldF210.tmp -> Trojan.Small : Cleaned.
C:\WINDOWS\system32\atmclk.exe -> Trojan.Small : Cleaned.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\\kernel32.dll -> Trojan.Small : Cleaned.
::Report end
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
SmitFraudFix v2.70
Scan done at 23:01:49.53, Thu 07/13/2006
Run from C:\Documents and Settings\Carlisle Roose.MICHAEL\Desktop\SmitfraudFix\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"cholecyst"="{ee2975b6-e8d5-405e-8448-8fe9590f6cfb}"
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\ld???.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\Documents and Settings\Carlisle Roose.MICHAEL\Application Data\Microsoft\Internet Explorer\Quick Launch\SpyQuake2.com 2.3.lnk Deleted
C:\DOCUME~1\CARLIS~1.MIC\MYDOCU~1\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\CARLIS~1.MIC\STARTM~1\SpyQuake2.com 2.3.lnk Deleted
C:\DOCUME~1\CARLIS~1.MIC\STARTM~1\Programs\SpyQuake2.com Deleted
C:\Program Files\Security Toolbar\ Deleted
C:\Program Files\SpyQuake2.com\ Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Logfile of HijackThis v1.99.1
Scan saved at 11:41:25 PM, on 7/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Carlisle Roose.MICHAEL\Desktop\Peepster\hijackthis\hijackthis\HijackThis.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://C:\Program Files\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\Flash Saving Plugin\FlashSButton.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.mindleaders.com/dpec/shared/cabs/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - https://iuware-web001.uits.indiana.edu/Client/iftwclix.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/11a5e73681071d311723/netzip/RdxIE2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://iuware-web001.uits.indiana.edu/software/setup.exe
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?316
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
PLEASE HELP ME!!!!!!
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\ld???.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\Documents and Settings\Carlisle Roose.MICHAEL\Application Data\Microsoft\Internet Explorer\Quick Launch\SpyQuake2.com 2.3.lnk Deleted
C:\DOCUME~1\CARLIS~1.MIC\MYDOCU~1\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\CARLIS~1.MIC\STARTM~1\SpyQuake2.com 2.3.lnk Deleted
C:\DOCUME~1\CARLIS~1.MIC\STARTM~1\Programs\SpyQuake2.com Deleted
C:\Program Files\Security Toolbar\ Deleted
C:\Program Files\SpyQuake2.com\ Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Logfile of HijackThis v1.99.1
Scan saved at 11:41:25 PM, on 7/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Carlisle Roose.MICHAEL\Desktop\Peepster\hijackthis\hijackthis\HijackThis.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://C:\Program Files\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\Flash Saving Plugin\FlashSButton.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.mindleaders.com/dpec/shared/cabs/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - https://iuware-web001.uits.indiana.edu/Client/iftwclix.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/11a5e73681071d311723/netzip/RdxIE2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://iuware-web001.uits.indiana.edu/software/setup.exe
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?316
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
PLEASE HELP ME!!!!!!
Comments
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Carlisle Roose.MICHAEL\Local Settings\Temporary Internet Files\Ssk.log
Potentially unwanted tool:application/bestoffer Not disinfected c:\windows\smdat32a.sys
Spyware:spyware/betterinet Not disinfected c:\windows\susp.ini
Adware:adware/commad Not disinfected c:\windows\uninstall_nmon.vbs
Adware:adware/maxifiles Not disinfected c:\program files\common files\InetGet
Adware:adware/dropspam Not disinfected c:\program files\DropSpam
Potentially unwanted tool:application/mywebsearch Not disinfected c:\program files\MyWebSearch
Adware:adware/ist.istbar Not disinfected Windows Registry
Dialer:dialer.su Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Switch
Adware:adware/sqwire Not disinfected Windows Registry
Potentially unwanted tool:application/mediapipe Not disinfected hkey_classes_root\clsid\{B3E19860-0CD5-4991-A066-4FCA2704DE59}
Adware:adware/savenow Not disinfected Windows Registry
Potentially unwanted tool:application/funweb Not disinfected hkey_classes_root\FunWebProductsInstaller.Start
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Carlisle Roose.MICHAEL\Cookies\carlisle roose@atwola[1].txt
There is a dialer in there, but am I just being paranoid? Starting to seem like winlogon is normal...
Logfile of HijackThis v1.99.1
Scan saved at 5:29:35 PM, on 7/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Carlisle Roose.MICHAEL\Desktop\Peepster\hijackthis\hijackthis\HijackThis.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://C:\Program Files\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\Flash Saving Plugin\FlashSButton.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.mindleaders.com/dpec/shared/cabs/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/11a5e73681071d311723/netzip/RdxIE2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://iuware-web001.uits.indiana.edu/software/setup.exe
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?316
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
This is a 30 day trial of the program
- Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
- Once the setup is complete you will need to run ewido and update the definition files.
- On the main screen select the icon "Update" then select the "Update now" link.
- Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
- Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
- Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
- Under "Reports"
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"
- Close ewido anti-spyware. Do not run a scan just yet, we will shortly.
- Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit Enter.
- Launch ewido anti-spyware by double-clicking the icon on your desktop.
- Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
- ewido will now begin the scanning process, be patient this may take a little time.
- If you have any infections you will be prompted, then select "Apply all actions"
- Next select the "Reports" icon at the top.
- Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
- Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.
& also post a new hjt log please
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process.
Once the scan is complete do the following: