TROJAN-SPY.HTML.SNITFRAUD.C; please help me destroy this &$*#@
First, I thank all of you who give your time to help others when they hit something they cannot fix using elbow grease and determination to find a solution. I have not seen a PayPal donation logo on the site yet, but if one is here, I WILL find it. Thanks again.
BSOD ERROR MESSAGE:
FATAL ERROR IN 'I E' HAS OCCURED AT 0028:C0011E36 IN VXD VMM(1)+00010E36 ERROR WAS CAUSED BY TROJAN-SPY.HTML.SNITFRAUD.C
If you need any more info, let me know. Here is the log. BTW, I tried the removal process by shadow2018, but like chia, none of the files he listed were found on my PC.
Logfile of HijackThis v1.99.1
Scan saved at 1:11:08 PM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\rlmukj.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\PopUp Killer\popupkiller.EXE
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\system32\flopro32.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Information Update\iu.exe
C:\WINDOWS\system32\exp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\finpm13n.exe
C:\Program Files\Cas\Client\casclient.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\BullsEye Network\bin\bargains.exe
D:\hijackthis\hijackthis_199\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cdcovers.cc/dvd_s.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rlmukj.exe reg_run
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitepls32.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\popupkiller.EXE
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [u38X38P] flopro32.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Information Update] C:\Program Files\Information Update\iu.exe
O4 - HKLM\..\Run: [fylqhc] c:\windows\system32\jrnezxg.exe r
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [f0r7RUj5W] finpm13n.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Allow Popups - C:\Program Files\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.torrent-damage.net
O15 - Trusted Zone: http://www.torrentreactor.to
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
Thank you
Comments
You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.
Please download smitRem.zip and save it to your desktop.
Right click on the file and extract it to its own folder on the desktop.
Please download, install, and update the free version of Ewido Security Suite:
If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
Ad-Aware SE Setup
Again, do NOT run a scan yet.
Next, please reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:
===================================================
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cdcovers.cc/dvd_s.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
===================================================
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.
Next, run Ad-aware and perform a full scan. Remove everything found.
Now open Ewido Security Suite
- Click on Scanner
- Make sure the following boxes are checked before scanning:
- Binder
- Crypter
- Archives
- Click on Start Scan
- Let the program scan the machine
While the scan is in progress you will be prompted to clean files; click OK. Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Website -> Uncheck "Security Info" if present.
Restart your computer in normal mode.
Run Panda's online virus scan and perform a full system scan. Make sure the Autoclean box is checked!
Finally, restart your computer once more, and please post a new HijackThis log as well as the log from the Ewido scan and the log from the smitRem tool, which will be located at C:\smitfiles.txt.
Let us know if any problems persist.
Guess I'm too long. Will break response in half.
First, I thank you. And maybe apologize. Between the time I posted my hijack log, and the astonishingly short time it took to receive a reply, I had run both Ad-aware SE 1.06 Professional and Spybot, counter to After beginning the instructions sent to me.
I'm fearful this has led to inaccurate information. The REASONS:
1. None of the files listed in the instructions were available to be checked off;
2. The nearest being: R3 - URLSearchHook: (no name); on the PC it shows up as "R3 - - Default URLSearchHook...". The key being it was not an EXACT match, with "Default" in it, so I left it. I hope I was right.
Also, as I watched the scrolling, I saw a lot of "Could not find specified file" and "Access Denied" fly by. Hopefully not contributed to by, as it turned out, premature Ad-aware & Spybot scans; but I have a feeling I'd have had more interaction with the instruction sheet had they been left alone. But hey, I was throwing everything I had at this damn thing, with no effect [read: frustration]; I'm sure you can relate.
If the early scans DID affect the outcome, please advise. Thank you.
BTW, the activescan's URL did not work as is, but an update to http://www.pandasoftware.com/activescan should do the trick. Also,
there doesn't seem to be an AUTOCLEAN box to check anymore. It appears they have gone with the rest: offer free scans, show what you want removed, then try to set the hook and make you pay for the software they are hawking. And, boy, I'll tell ya; the way your directions read, I was fired up to get a virus scan that actually removed a virus. If I'm wrong about this, please let me know. As is, it just seemed to go on forever, much more than the storage I have; and I started again, and again it started showing as picking up viruses in about the same place. I'll run HJT as is after the Panda scan.
OK, after reboot I get this error message:
ERROR LOADING C:\WINDOWS\CFGMGR52.DLL
THAT SPECIFIC MODULE COULD NOT BE FOUND.
========================================================
HJT
Logfile of HijackThis v1.99.1
Scan saved at 3:07:36 AM, on 7/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\rlmukj.exe
C:\Program Files\PopUp Killer\popupkiller.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Information Update\iu.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\admin\Desktop\hijackthis_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cdcovers.cc/dvd_s.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rlmukj.exe reg_run
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitepls32.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\popupkiller.EXE
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Information Update] C:\Program Files\Information Update\iu.exe
O4 - HKLM\..\Run: [fylqhc] c:\windows\system32\jrnezxg.exe r
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [u38X38P] unirov.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [f0r7RUj5W] mlatmled.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Allow Popups - C:\Program Files\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.torrent-damage.net
O15 - Trusted Zone: http://www.torrentreactor.to
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
=========================================================
Ewido
ewido security suite - Scan report
+ Created on: 3:36:06 PM, 7/13/2005
+ Report-Checksum: 86BCC047
+ Scan result:
HKLM\SOFTWARE\Classes\BookedSpace.Extension -> Spyware.BookedSpace : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
C:\Documents and Settings\admin\Cookies\admin@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\admin\Cookies\admin@ads18.bpath[1].txt -> Spyware.Cookie.Bpath : Cleaned with backup
C:\Documents and Settings\admin\Cookies\admin@linkbuddies[1].txt -> Spyware.Cookie.Linkbuddies : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\100.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\10385.exe -> Trojan.P2E.br : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\10863.exe -> Trojan.P2E.br : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\11270.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\11561.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\11652.exe -> TrojanDownloader.Small.alr : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\12001.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\12290.exe -> Trojan.P2E.br : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\12966.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\13244.exe -> Trojan.P2E.br : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\13245.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\13391.exe -> Trojan.P2E.br : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\13523.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\13607.exe -> TrojanDownloader.Small.alr : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\1425.exe -> Trojan.P2E.br : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\1434.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\14951.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\15023.exe -> Trojan.P2E.br : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\15846.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\1627.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\16757.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\17.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\17486.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\17703.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\17854.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\18.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\18413.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\18791.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\19.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\19508.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\19891.exe -> Trojan.P2E.br : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\1996.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\20015.exe -> Trojan.P2E.br : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\20886.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\2206.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\22927.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\23050.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\23146.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\23554.exe -> Trojan.P2E.br : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\23727.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\24296.exe -> Trojan.P2E.br : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\25220.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\26.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\26727.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\27675.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\27929.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\28112.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\28443.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\28530.exe -> TrojanDownloader.Small.alr : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\28643.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\29032.exe -> TrojanDownloader.Small.alr : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\29788.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\29955.exe -> Trojan.P2E.br : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\30531.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\31186.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\31216.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\31503.exe -> TrojanDownloader.Small.alr : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\32298.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\4185.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\5118.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\5382.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\5453.exe -> Trojan.P2E.br : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\5668.exe -> Trojan.P2E.br : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\582.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\5882.exe -> Trojan.P2E.br : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\5C.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\5D.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\5E.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\5F.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\60.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\6623.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\6903.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\7008.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\7053.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\76.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\7A.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\8192.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\8740.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\8916.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\9753.exe -> Trojan.P2E.br : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\B.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\C1D.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\C36.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\C37.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\C38.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\DelC3.tmp -> TrojanDownloader.Small.asf : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\DelCD.tmp -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\iinstall.exe -> TrojanDownloader.IstBar.jj : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\MediaAccessInstPack.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\temp.fr4DC9 -> Trojan.Pakes : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\temp.fr6362\istsvc.exe -> TrojanDownloader.IstBar : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\temp.fr70B8 -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\temp.fr9911 -> Trojan.Pakes : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\temp.frA2F0\MediaAccess.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temp\temp.frF040\istsvc.exe -> TrojanDownloader.IstBar : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\90LCDZQE\abiuninst[1].exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\90LCDZQE\Poller[1].exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\HKBBJHKS\AuroraHandler[1].dll -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\NQ9JNHX1\svcproc[1].exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\YX4TSZKR\Nail[1].exe -> Adware.BetterInternet : Cleaned with backup
C:\DOWNLOADS\protector.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Aprps\CxtPls.dll -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\Program Files\CasStub\casstub.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\Program Files\MultiShrink\MultiShrink 1.4.exe -> Trojan.LowZones.by : Cleaned with backup
C:\RECYCLER\S-1-5-21-299502267-162531612-725345543-1003\Dd24.com)\dki.exe -> TrojanDownloader.INService : Cleaned with backup
C:\WINDOWS\awedbqfj.exe -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfgmgr52.dll -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\system32\dist001.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\WINDOWS\system32\elitepls32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\Glamud.exe -> Spyware.DealHelper : Cleaned with backup
C:\WINDOWS\system32\Hgvrru.exe -> Trojan.Popmon.a : Cleaned with backup
C:\WINDOWS\system32\Jtgpse.exe -> Trojan.Popmon.a : Cleaned with backup
C:\WINDOWS\system32\mlatmled.exe -> TrojanDownloader.Agent.ed : Cleaned with backup
C:\WINDOWS\system32\nsh97.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\system32\Oxxhbq.exe -> Trojan.Popmon.a : Cleaned with backup
C:\WINDOWS\system32\pgvyq.dat -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\WINDOWS\system32\PSof1.exe -> Spyware.Pacer : Cleaned with backup
C:\WINDOWS\system32\redit.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\temperror32.dat -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\uci.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\unirov.exe -> TrojanDownloader.Apropo.ac : Cleaned with backup
C:\WINDOWS\system32\Zcpmlc.exe -> Trojan.Popmon.a : Cleaned with backup
E:\RECYCLER\S-1-5-21-1409082233-287218729-839522115-500\Dd2\Administrator\Cookies\administrator@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
F:\CloneDVD2_v2[1].4.5.4_by_SND (www.crack-locator.com)\wuk.exe -> TrojanDownloader.INService.fk : Cleaned with backup
G:\0 THE PROGRAM FOLDER\FTP SERVERS\Serv-U_v5.0.0.4_Corporate_Final-HARPOON\Crack\ServUDaemon.exe -> Backdoor.ServU-based : Cleaned with backup
G:\D DRIVE COPY 8+GB\Documents and Settings\jim dandy\Cookies\jim dandy@www.sidefind[2].txt -> Spyware.Cookie.Sidefind : Cleaned with backup
G:\D DRIVE COPY 8+GB\Documents and Settings\jim dandy\Local Settings\Temp\iinstall.exe -> TrojanDownloader.IstBar.ir : Cleaned with backup
G:\D DRIVE COPY 8+GB\Documents and Settings\jim dandy\Local Settings\Temporary Internet Files\Content.IE5\TQ1VPEKW\0006_cracks[1].cab/ISTactivex.dll -> TrojanDownloader.IstBar : Cleaned with backup
G:\D DRIVE COPY 8+GB\Documents and Settings\jim dandy\Local Settings\Temporary Internet Files\Content.IE5\UFELS7I5\istdownload[1].exe -> TrojanDownloader.IstBar.ir : Cleaned with backup
G:\D DRIVE COPY 8+GB\WINDOWS\system32\68noqki8.exe -> Adware.SAHA : Cleaned with backup
G:\D DRIVE COPY 8+GB\WINDOWS\system32\bbchk.exe -> Spyware.BargainBuddy : Cleaned with backup
G:\D DRIVE COPY 8+GB\WINDOWS\system32\fkrl8uv5.dll -> Adware.SAHA : Cleaned with backup
G:\D DRIVE COPY 8+GB\WINDOWS\system32\mac80ex.idf/C:/WINDOWS/system32/msbe.dll -> Spyware.BargainBuddy : Cleaned with backup
G:\D DRIVE COPY 8+GB\WINDOWS\system32\mac80ex.idf/C:/Program Files/BullsEye Network/bin/adv.exe -> Spyware.BargainBuddy : Cleaned with backup
G:\D DRIVE COPY 8+GB\WINDOWS\system32\mac80ex.idf/C:/Program Files/BullsEye Network/bin/adx.exe -> Spyware.BargainBuddy : Cleaned with backup
G:\D DRIVE COPY 8+GB\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/exdl.exe -> Spyware.BargainBuddy : Cleaned with backup
G:\D DRIVE COPY 8+GB\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/mqexdlm.srg -> Spyware.BargainBuddy : Cleaned with backup
G:\D DRIVE COPY 8+GB\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/exul.exe -> Spyware.BargainBuddy : Cleaned with backup
G:\D DRIVE COPY 8+GB\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/javexulm.vxd -> Spyware.BargainBuddy : Cleaned with backup
G:\D DRIVE COPY 8+GB\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/bbchk.exe -> Spyware.BargainBuddy : Cleaned with backup
G:\D DRIVE COPY 8+GB\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/msexreg.exe -> Spyware.BargainBuddy : Cleaned with backup
G:\D DRIVE COPY 8+GB\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/instsrv.exe -> Spyware.BargainBuddy : Cleaned with backup
G:\D DRIVE COPY 8+GB\WINDOWS\system32\ol0937qj.exe -> Adware.SAHA : Cleaned with backup
H:\000 GREGG PROGRAMS\APPZS\FTP SERVERS\Serv-U_v5.0.0.4_Corporate_Final-HARPOON\Crack\ServUDaemon.exe -> Backdoor.ServU-based : Cleaned with backup
H:\NEW PROGRAMS\MultiShrink1.4.sfx.exe/MultiShrink 1.4.exe -> Trojan.LowZones.by : Cleaned with backup
::Report End
=========================================================
REST OF REPORT FOLLOWS
smitREM
Pre-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
============================================================
PART 2 AND FINAL OF REPORT
smitREM
Pre-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ system32 ~~~
wp.bmp
~~~ Windows directory ~~~
~~~ Drive root ~~~
winstall.exe
Post-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ system32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Wininet.dll ~~~
Not Infected!
===================================================================
ACTIVESCAN LOG
Incident Status Location
Adware:Adware/AdBehavior No disinfected
C:\WINDOWS\system32\ryucepc.dll
Adware:Adware/AdBehavior No disinfected
C:\WINDOWS\system32\rlmukj.exe
Adware:Adware/ConsumerAlertSystem No disinfected
C:\Program Files\Cas\Client\casclient.exe
Adware:Adware/ConsumerAlertSystem No disinfected
C:\Program Files\Cas\Client\casmf.dll
Adware:Adware/AdBehavior No disinfected
C:\WINDOWS\system32\rlmukj.exe
Adware:Adware/ConsumerAlertSystem No disinfected
C:\PROGRA~1\Cas\Client\CASCLI~1.EXE
Adware:Adware/AdBehavior No disinfected
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nutc.exe
Adware:Adware/SaveNow No disinfected
Windows Registry
Adware:Adware/nCase No disinfected
C:\DOCUME~1\admin\LOCALS~1\Temp\180sainstaller.exe
Spyware:Spyware/Dyfuca No disinfected
Windows Registry
Adware:Adware/CWS No disinfected
C:\Documents and Settings\admin\Favorites\Fun & Games
Adware:Adware/BookedSpace No disinfected
Windows Registry
Adware:Adware/Apropos No disinfected
C:\DOCUME~1\admin\LOCALS~1\Temp\cfout.txt
Adware:Adware/AdDestroyer No disinfected
C:\Documents and Settings\admin\Start Menu\Programs\AdDestroyer
Adware:Adware/VirtualBouncer No disinfected
Windows Registry
Adware:Adware/QuickSearch No disinfected
C:\WINDOWS\downloaded Program Files\Install.inf
Adware:Adware/EliteBar No disinfected
Windows Registry
Adware:Adware/PsGuard No disinfected
C:\Documents and Settings\admin\Application Data\PSGuard.com
Spyware:Spyware/SurfSideKick No disinfected
C:\Documents and Settings\admin\Application Data\Sskcwrd.dll
Spyware:Spyware/SurfSideKick No disinfected
C:\Documents and Settings\admin\Application Data\Sskknwrd.dll
Spyware:Spyware/ISTbar No disinfected
C:\Documents and Settings\admin\Desktop\NEW NFO TEXT\Print_Studio_v2[1].0 (www.crack-locator.com).zip[qcg.exe]
Spyware:Spyware/ISTbar No disinfected
C:\Documents and Settings\admin\Desktop\Print_Studio_v2[1].0 (www.crack-locator.com)\qcg.exe
Spyware:Spyware/ISTbar No disinfected
C:\Documents and Settings\admin\Desktop\RAT\Dual_DVD_Copy_Gold_v3[1].0_by_Revenge (www.crack-locator.com)\mer.exe
Spyware:Spyware/ISTbar No disinfected
C:\Documents and Settings\admin\Desktop\RAT\Dual_DVD_Copy_Gold_v3[1].0_by_Revenge (www.crack-locator.com).zip[mer.exe]
Spyware:Spyware/ISTbar No disinfected
C:\Documents and Settings\admin\Desktop\RAT\Dual_DVD_Copy_Gold_v3[1].1 (www.crack-locator.com)\fee.exe
Spyware:Spyware/ISTbar No disinfected
C:\Documents and Settings\admin\Desktop\RAT\Dual_DVD_Copy_Gold_v3[1].1 (www.crack-locator.com).zip[fee.exe]
Spyware:Spyware/ISTbar No disinfected
C:\Documents and Settings\admin\Desktop\RAT\Dual_DVD_Copy_Gold_v3[1].2_Fixed_by_Core (www.crack-locator.com)\bvq.exe
Spyware:Spyware/ISTbar No disinfected
C:\Documents and Settings\admin\Desktop\RAT\Dual_DVD_Copy_Gold_v3[1].2_Fixed_by_Core (www.crack-locator.com).zip[bvq.exe]
Spyware:Spyware/ISTbar No disinfected
C:\Documents and Settings\admin\Desktop\RAT\Dual_DVD_Copy_Gold_v3[2].2_by_BM (www.crack-locator.com)\yxi.exe
Spyware:Spyware/ISTbar No disinfected
C:\Documents and Settings\admin\Desktop\RAT\Dual_DVD_Copy_Gold_v3[2].2_by_BM (www.crack-locator.com).zip[yxi.exe]
Adware:Adware/ConsumerAlertSystem No disinfected
C:\Documents and Settings\admin\Local Settings\Temp\cassetup.exe
Spyware:Spyware/SurfSideKick No disinfected
C:\Documents and Settings\admin\Local Settings\Temp\iA3.tmp
Adware:Adware/nCase No disinfected
C:\Documents and Settings\admin\Local Settings\Temp\res35.tmp
Adware:Adware/VirtualBouncer No disinfected
C:\Documents and Settings\admin\Local Settings\Temp\wrapperouter.exe
Spyware:Spyware/BargainBuddy No disinfected
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\90LCDZQE\fav[1].bmp
Spyware:Spyware/BargainBuddy No disinfected
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\90LCDZQE\webservice[1].htm
Spyware:Spyware/BargainBuddy No disinfected
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\90LCDZQE\webservice[2].htm
Spyware:Spyware/BargainBuddy No disinfected
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\HKBBJHKS\webservice[2].htm
Spyware:Spyware/BargainBuddy No disinfected
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\HKBBJHKS\webservice[3].htm
Spyware:Spyware/BargainBuddy No disinfected
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\ILUVUTB7\drugs[1].bmp
Spyware:Spyware/BargainBuddy No disinfected
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\NFGA00WU\dating[1].bmp
Spyware:Spyware/BargainBuddy No disinfected
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\NFGA00WU\webservice[4].htm
Spyware:Spyware/BargainBuddy No disinfected
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\NQ9JNHX1\webservice[3].htm
Spyware:Spyware/BargainBuddy No disinfected
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\NQ9JNHX1\webservice[4].htm
Adware:Adware/ConsumerAlertSystem No disinfected
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\PRBTN9BS\cassetup[1].exe
Spyware:Spyware/BargainBuddy No disinfected
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\PRBTN9BS\virus[1].bmp
Spyware:Spyware/BargainBuddy No disinfected
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\PRBTN9BS\webservice[2].htm
Spyware:Spyware/BargainBuddy No disinfected
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\Y440A2MA\casino[1].bmp
Spyware:Spyware/BargainBuddy No disinfected
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\Y440A2MA\webservice[3].htm
Spyware:Spyware/BargainBuddy No disinfected
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\Y440A2MA\webservice[4].htm
Adware:Adware/Apropos No disinfected
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\YX4TSZKR\auto_update[1].txt
Spyware:Spyware/BargainBuddy No disinfected
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\YX4TSZKR\webservice[1].htm
Spyware:Spyware/BargainBuddy No disinfected
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\YX4TSZKR\webservice[2].htm
Spyware:Spyware/BargainBuddy No disinfected
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\YX4TSZKR\webservice[3].htm
Spyware:Spyware/SurfSideKick No disinfected
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Ssk.log
Adware:Adware/AdBehavior No disinfected
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nutc.exe
Adware:Adware/Pacimedia No disinfected
C:\DOWNLOADS\pcs_0029.exe
Adware:Adware/Apropos No disinfected
C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/ConsumerAlertSystem No disinfected
C:\Program Files\Cas\Client\casclient.exe
Adware:Adware/ConsumerAlertSystem No disinfected
C:\Program Files\Cas\Client\casmf.dll
Adware:Adware/ConsumerAlertSystem No disinfected
C:\Program Files\Cas\Client\Uninstall.exe
Spyware:Spyware/ISTbar No disinfected
C:\Program Files\Print Studio 2.0\0 CRACK\bod.exe
Spyware:Spyware/ISTbar No disinfected
C:\Program Files\WinISO\WinISO_v5[1].3 (www.crack-locator.com).zip[faz.exe]
Spyware:Spyware/BargainBuddy No disinfected
C:\Program Files 2\BullsEye Network\bin\bargains.exe
Spyware:Spyware/BargainBuddy No disinfected
Adware:Adware/QuickSearch No disinfected
C:\WINDOWS\Downloaded Program Files\Install.inf
Adware:Adware/QoolAid No disinfected
C:\WINDOWS\system32\bxoqcnq.exe
Adware:Adware/AdBehavior No disinfected
C:\WINDOWS\system32\pgvyq.dat
Adware:Adware/AdBehavior No disinfected
C:\WINDOWS\system32\rlmukj.exe
Adware:Adware/AdBehavior No disinfected
C:\WINDOWS\system32\ryucepc.dll
Adware:Adware/AdBehavior No disinfected
C:\WINDOWS\system32\ugnvr.dll
Spyware:Spyware/ISTbar No disinfected
E:\found.003\dir0023.chk\d[1].htm
Spyware:Spyware/ISTbar No disinfected
F:\AUTHORING PROGS\DVD-Lab_v1[1].0_Pro_Final_and_v0.x_Beta_Pro (www.crack-locator.com)\nex.exe
Spyware:Spyware/ISTbar No disinfected
F:\AUTHORING PROGS\DVD-Lab_v1[1].0_Pro_Final_and_v0.x_Beta_Pro (www.crack-locator.com).zip[nex.exe]
Spyware:Spyware/ISTbar No disinfected
F:\AUTHORING PROGS\dvdlab 1.3 and serial\DVD LAB MPGVCR SET\MPEG-VCR_v3[1].14 (www.crack-locator.com)\eug.exe
Spyware:Spyware/ISTbar No disinfected
F:\AUTHORING PROGS\dvdlab 1.3 and serial\DVD LAB MPGVCR SET\_Easy_Tagger_2[1].1_serial (www.crack-locator.com)\smw.exe
Spyware:Spyware/ISTbar No disinfected
F:\AUTHORING PROGS\DVD_Labeler_v2[1].01 (www.crack-locator.com).zip[nug.exe]
Spyware:Spyware/ISTbar No disinfected
F:\AUTHORING PROGS\GEAR_Pro_DVD_v6[1].0 (www.crack-locator.com)\tzz.exe
Spyware:Spyware/ISTbar No disinfected
F:\AUTHORING PROGS\GEAR_Pro_DVD_v6[1].0 (www.crack-locator.com).zip[tzz.exe]
Spyware:Spyware/ISTbar No disinfected
F:\BRUTE FORCE\Dual_DVD_Copy_Gold_v3[1].0_by_Revenge (www.crack-locator.com)\ngp.exe
Spyware:Spyware/ISTbar No disinfected
F:\BRUTE FORCE\Dual_DVD_Copy_Gold_v3[1].0_by_Revenge (www.crack-locator.com).zip[ngp.exe]
Spyware:Spyware/ISTbar No disinfected
F:\CloneDVD_v3[1].0_Final (www.crack-locator.com)\jng.exe
Spyware:Spyware/ISTbar No disinfected
F:\DVD LAB MPG2VCR SET\MPEG-2VCR_v3[1].14\eug.exe
Spyware:Spyware/ISTbar No disinfected
G:\0 THE PROGRAM FOLDER\CD Burning and Related-- scorch\NERO PROG VERS\Nero_Burning_ROM_Nero_Express_v5[1].5.10.7_v5.5.10.7b (www.crack-locator.com)\zbb.exe
Spyware:Spyware/ISTbar No disinfected
G:\0 THE PROGRAM FOLDER\CD Burning and Related-- scorch\NERO PROG VERS\Nero_Vision_Express_v2[1].1.0.4 (www.crack-locator.com)\amv.exe
Spyware:Spyware/ISTbar No disinfected
G:\0 THE PROGRAM FOLDER\Runtimes_GetDataBack\nxy.exe
Spyware:Spyware/ISTbar No disinfected
G:\D DRIVE COPY 8+GB\Documents and Settings\jim dandy\Desktop\BadCopy_Pro_v3[1].75.0608 (www.crack-locator.com)\lra.exe
Spyware:Spyware/ISTbar No disinfected
G:\D DRIVE COPY 8+GB\Documents and Settings\jim dandy\Desktop\BadCopy_Pro_v3[1].75.0608 (www.crack-locator.com).zip[lra.exe]
Adware:Adware/Tracking No disinfected
G:\D DRIVE COPY 8+GB\Documents and Settings\jim dandy\Local Settings\Temporary Internet Files\Content.IE5\QZORO3G3\advertising[1].htm
Spyware:Spyware/ISTbar No disinfected
G:\D DRIVE COPY 8+GB\Documents and Settings\jim dandy\Local Settings\Temporary Internet Files\Content.IE5\QZORO3G3\BadCopy_Pro_v3[1].75.0608 (www.crack-locator.com).zip[lra.exe]
Spyware:Spyware/ISTbar No disinfected
G:\D DRIVE COPY 8+GB\Documents and Settings\jim dandy\Local Settings\Temporary Internet Files\Content.IE5\QZORO3G3\mirrors[1].htm
Spyware:Spyware/XXXToolbar No disinfected
G:\D DRIVE COPY 8+GB\Documents and Settings\jim dandy\Local Settings\Temporary Internet Files\Content.IE5\QZORO3G3\prompt[1].htm
Spyware:Spyware/XXXToolbar No disinfected
G:\D DRIVE COPY 8+GB\Documents and Settings\jim dandy\Local Settings\Temporary Internet Files\Content.IE5\QZORO3G3\prompt[2].htm
Spyware:Spyware/BargainBuddy No disinfected
G:\D DRIVE COPY 8+GB\Documents and Settings\jim dandy\Local Settings\Temporary Internet Files\Content.IE5\QZORO3G3\webservice[1].htm
Spyware:Spyware/BargainBuddy No disinfected
G:\D DRIVE COPY 8+GB\Documents and Settings\jim dandy\Local Settings\Temporary Internet Files\Content.IE5\QZORO3G3\webservice[2].htm
Spyware:Spyware/ISTbar No disinfected
G:\D DRIVE COPY 8+GB\Documents and Settings\jim dandy\Local Settings\Temporary Internet Files\Content.IE5\TQ1VPEKW\d[1].htm
Adware:Adware/Tracking No disinfected
G:\D DRIVE COPY 8+GB\Documents and Settings\jim dandy\Local Settings\Temporary Internet Files\Content.IE5\UDIXCXUN\advertising[1].htm
Spyware:Spyware/ISTbar No disinfected
G:\D DRIVE COPY 8+GB\Documents and Settings\jim dandy\Local Settings\Temporary Internet Files\Content.IE5\UDIXCXUN\d[1].htm
Spyware:Spyware/ISTbar No disinfected
G:\D DRIVE COPY 8+GB\Documents and Settings\jim dandy\Local Settings\Temporary Internet Files\Content.IE5\UDIXCXUN\d[1].x[d[1]]
Spyware:Spyware/XXXToolbar No disinfected
G:\D DRIVE COPY 8+GB\Documents and Settings\jim dandy\Local Settings\Temporary Internet Files\Content.IE5\UDIXCXUN\prompt[1].htm
Spyware:Spyware/BargainBuddy No disinfected
webservice[3].htm
Spyware:Spyware/XXXToolbar No disinfected
G:\D DRIVE COPY 8+GB\Documents and Settings\jim dandy\Local Settings\Temporary Internet Files\Content.IE5\UFELS7I5\CAGRG50V.HTM
Adware:Adware/SAHAgent No disinfected
G:\D DRIVE COPY 8+GB\Documents and Settings\jim dandy\Local Settings\Temporary Internet Files\Content.IE5\UFELS7I5\sahagent[1].exe
Spyware:Spyware/BargainBuddy No disinfected
G:\D DRIVE COPY 8+GB\Program Files\BullsEye Network\bin\bargains.exe
Spyware:Spyware/BargainBuddy No disinfected
G:\D DRIVE COPY 8+GB\Program Files\BullsEye Network\Uninstall.exe
Adware:Adware/ExactSearch No disinfected
G:\D DRIVE COPY 8+GB\WINDOWS\system32\exclean.exe
===============================================================================
I must assume, due to ActiveScan's actions, that it found but did not remove over 100 infected files. This way I use the PC as if infected until y'all tell me different, a worst-case scenario type thing. Most of all, it got rid of the trojan-spy SOB; at least it's not on my desktop.
I thank you very, very much, and await further instructions. scorch269
Please make sure that you can VIEW ALL HIDDEN FILES.
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rlmukj.exe reg_run
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitepls32.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [Information Update] C:\Program Files\Information Update\iu.exe
O4 - HKLM\..\Run: [fylqhc] c:\windows\system32\jrnezxg.exe r
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [u38X38P] unirov.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [f0r7RUj5W] mlatmled.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
Reboot your computer into SAFE MODE
Then delete these files or directories (Do not be concerned if they do not exist):
C:\WINDOWS\system32\rlmukj.exe
C:\windows\system32\elitepls32.exe
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\system32\wintask.exe
C:\Program Files\VBouncer
C:\WINDOWS\system32\PSof1.exe
C:\Program Files\Information Update
c:\windows\system32\jrnezxg.exe r
C:\WINDOWS\system32\exp.exe
unirov.exe
mlatmled.exe
C:\Program Files\Cas
C:\WINDOWS\svcproc.exe
Reboot your computer to go back to normal mode and post a new log.
Yep, I had missed visualizing the protected files. Only c:\program files\cas & c:\program files\information update were found from the list. BTW, I looked for them via search. Was that OK? And they weren't case sensitive? Also, I haven't done this 1, 2, 3 as one process; I've used my PC in between posts with you. Did I mess up? Thank you
Logfile of HijackThis v1.99.1
Scan saved at 6:10:08 AM, on 7/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\admin\Desktop\HIJACK-THIS_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cdcovers.cc/dvd_s.php
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Allow Popups - C:\Program Files\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.torrent-damage.net
O15 - Trusted Zone: http://www.torrentreactor.to
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
On your next post can you make sure that your margins are set up so that it posts better?
Click Start -> Run -> (type) services.msc
Scroll down and find the service called System Startup Service. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and, under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.
Run Hijackthis and click on Open the Misc Tools section -> Delete an NT Service
Copy and paste this into the text box and click OK.
SvcProc
Reboot and post a new hijackthis log.
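The helper's two posts above (the Fix Checked list followed by the Safe Mode deletions, and the services.msc / Delete an NT Service step) do by eye what can be done repeatably: pull the O4 Run entries, the O18 filter and the O23 service out of a HijackThis log, note the properties that made them suspicious, turn the ticked entries into the list of files to delete, and read off the short service name that the Delete an NT Service box expects. The Python below is an added example written for this page; it is neither code from the thread nor part of HijackThis. The sample lines are copied from the logs posted above; the flag names (hook-missing, no-path, windows-dir, mime-filter, unknown-owner, file-missing), the heuristics and the function names are the example's own, and the flags are review hints, not verdicts.

```python
"""Triage of HijackThis v1.99 log lines. Added example for this page, not code from the thread."""
import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the HijackThis logs posted earlier in this thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rlmukj.exe reg_run
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [Information Update] C:\Program Files\Information Update\iu.exe
O4 - HKLM\..\Run: [u38X38P] unirov.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O18_RE = re.compile(r'^O18 - (?P<kind>Protocol|Filter): (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - '
                    r'(?P<path>.+?)(?P<missing> \(file missing\))?$')
# First executable-looking token of a Run command; HijackThis shows unquoted paths with spaces as-is.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.(?:exe|dll|com|scr|bat|cmd|pif)\b)"?', re.IGNORECASE)
WINDOWS_DIRS = ('c:\\windows\\', 'c:\\winnt\\')

@dataclass
class Entry:
    section: str              # R3, O4, O18 or O23
    line: str                 # the original log line
    target: str = ''          # file that actually gets loaded
    short_name: str = ''      # NT service short name (O23 only)
    flags: list = field(default_factory=list)   # review hints, not verdicts

def run_target(cmd: str) -> str:
    """Executable launched by a Run value, looking through rundll32 to the DLL it loads."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if not m:
        return cmd.split()[0] if cmd else ''
    exe = m.group('exe')
    if exe.lower().rsplit('\\', 1)[-1] == 'rundll32.exe':
        m2 = EXE_RE.match(cmd[m.end():].lstrip())
        if m2:
            return m2.group('exe')
    return exe

def triage(log_text: str) -> list:
    """Parse R3/O4/O18/O23 lines and flag what made the helper suspicious: hook-missing (default
    URLSearchHook gone), no-path (bare filename found via the search path), windows-dir (runs from
    %SystemRoot%; confirm it is a known file), mime-filter (third-party text/* filter sees every
    page IE renders), unknown-owner (no company name), file-missing (binary gone, registration left)."""
    entries = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        if line == 'R3 - Default URLSearchHook is missing':
            entries.append(Entry('R3', line, flags=['hook-missing']))
        elif (m := O4_RE.match(line)):
            e = Entry('O4', line, target=run_target(m.group('cmd')))
            if '\\' not in e.target:
                e.flags.append('no-path')
            elif e.target.lower().startswith(WINDOWS_DIRS):
                e.flags.append('windows-dir')
            entries.append(e)
        elif (m := O18_RE.match(line)):
            e = Entry('O18', line, target=m.group('path'))
            if m.group('kind') == 'Filter' and m.group('name').lower().startswith('text/'):
                e.flags.append('mime-filter')
            entries.append(e)
        elif (m := O23_RE.match(line)):
            e = Entry('O23', line, target=m.group('path'),
                      short_name=m.group('short') or m.group('display'))
            if m.group('owner') == 'Unknown owner':
                e.flags.append('unknown-owner')
            if m.group('missing'):
                e.flags.append('file-missing')
            entries.append(e)
    return entries

def service_short_name(o23_line: str) -> str:
    """Short (registry) name of an O23 service: what HijackThis' 'Delete an NT Service' box and
    'sc delete' expect. When the log shows no parenthesised name, the display name is the short name."""
    m = O23_RE.match(o23_line.strip())
    if not m:
        raise ValueError('not an O23 line: ' + o23_line)
    return m.group('short') or m.group('display')

def removal_plan(entries, checked_lines) -> dict:
    """Turn the lines an analyst ticked for 'Fix Checked' into the Safe Mode follow-up:
    on-disk targets to delete and NT services to remove by short name."""
    checked = {l.strip() for l in checked_lines}
    plan = {'files': [], 'services': []}
    for e in (e for e in entries if e.line in checked):
        if e.section == 'O23':
            plan['services'].append(e.short_name)
        elif e.target and e.target not in plan['files']:
            plan['files'].append(e.target)
    return plan

if __name__ == '__main__':
    for e in triage(SAMPLE_LOG):
        print(e.section, ','.join(e.flags) or '-', e.target, e.short_name)
```

Run with python3 and it prints one line per parsed entry. The windows-dir flag also fires on legitimate Windows-directory startups such as ctfmon.exe, so it is a prompt to check the file, not a reason to delete it. A service whose binary is already gone still has its registration, which is why the SvcProc entry is removed by short name rather than by deleting a file; passing the display name, as the error message in the next post shows, is rejected.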
So I repeated the steps for a new log I thought was sent; the start-up service said it was no longer there, and where I had pasted SvcProc it now says (when I repeat the copy/paste):
SERVICE 'SVCPROC' WAS NOT FOUND IN THE REGISTRY. MAKE SURE YOU ENTERED THE SHORT NAME OF THE SERVICE, vb Exclamation.
I hope all is well concerning my actions of repeating myself. Thank you; I hope this copy is EASILY readable. I also tacked on a START UP LOG IN CASE IT COULD BE USEFUL [sorry 4 the caps]
Logfile of HijackThis v1.99.1
Scan saved at 3:38:10 AM, on 6/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Documents and Settings\admin\Desktop\HIJACK-THIS_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cdcovers.cc/dvd_s.php
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Allow Popups - C:\Program Files\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.torrent-damage.net
O15 - Trusted Zone: http://www.torrentreactor.to
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
StartupList report, 6/18/2005, 3:37:34 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\admin\Desktop\HIJACK-THIS_199\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Documents and Settings\admin\Desktop\HIJACK-THIS_199\HijackThis.exe
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Logitech Utility = Logi_MwX.Exe
DAEMON Tools-1033 = "C:\Program Files\D-Tools\daemon.exe" -lang 1033
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
SSC_UserPrompt = C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
EPSON Stylus Photo R200 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
DownloadAccelerator = C:\PROGRA~1\DAP\DAP.EXE /STARTUP
Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
RoboForm = "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
Popup Ad Filter = C:\Program Files\Popup Ad Filter\PopFilter.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
Enumerating Task Scheduler jobs:
New Task.job
Symantec NetDetect.job
Enumerating Download Program Files:
[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan60.ocx
CODEBASE = http://housecall60.trendmicro.com/housecall/xscan60.cab
[{205FF73B-CA67-11D5-99DD-444553540013}]
CODEBASE = http://adserver.sharewareonline.com/adserver/Install.cab
[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc2.cab
[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
End of report, 5,932 bytes
Report generated in 0.015 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Your log looks clean to me. Are you having any more problems?
Logfile of HijackThis v1.99.1
Scan saved at 2:53:47 AM, on 8/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\security suite\ewidoctrl.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\admin\Desktop\HIJACK-THIS_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cdcovers.cc/dvd_s.php
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Allow Popups - C:\Program Files\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.torrent-damage.net
O15 - Trusted Zone: http://www.torrentreactor.to
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1122204663750
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\security suite\ewidoctrl.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
Please install an anti-virus program immediately. Have you been on the internet with this computer without an active A-V program?
Your log still looks clean. Are you having any more problems?