Post by: raised_on_beans_n_rice on December 12, 2005, 01:57:35 PM
Logfile of HijackThis v1.99.1
Scan saved at 12:56:05 PM, on 12/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\AVG7~1.0\avgamsvr.exe
D:\AVG7~1.0\avgupsvc.exe
D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Panorama\Panorama.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\HJT\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html (http://\"http://www.yahoo.com/search/ie.html\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/ie/defaults/stp/yme/*http://www.yahoo.com\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/ie/defaults/stp/yme/*http://www.yahoo.com\")
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_EMC] D:\AVG7~1.0\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Matrox PowerDesk SE] "C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "cws" "2"
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Startup: Panorama.lnk = D:\Program Files\Panorama\Panorama.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/ct1_x.cab\")
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/dot8_x.cab\")
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/tt2_x.cab\")
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/st2_x.cab\")
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab (http://\"http://housecall60.trendmicro.com/housecall/xscan60.cab\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab (http://\"http://www.rovion.com/Controls/Rovion.cab\")
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab\")
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab (http://\"https://support.microsoft.com/OAS/ActiveX/odc.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.Email (http://\"http://by14fd.bay14.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119751357171 (http://\"http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119751357171\")
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123618101998 (http://\"http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123618101998\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002092...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2002092801/housecall.antivirus.com/housecall/xscan53.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by14fd.bay14.Email (http://\"http://by14fd.bay14.Email\") Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab (http://\"http://fdl.msn.com/public/chat/msnchat45.cab\")
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentral.sel.sony.com/sdccomm...oad/sonyctl.CAB (http://\"http://supportcentral.sel.sony.com/sdccommon/download/sonyctl.CAB\")
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgupsvc.exe
O23 - Service: Indexing Service (cisvc) - Unknown owner - C:\WINDOWS\System32\cisvc.exe (file missing)
O23 - Service: GBPoll - Symantec Corporation - D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
Post by: guestolo on December 13, 2005, 01:14:55 AM
==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup! 4.0 (http://\"http://downloads.stevengould.org/cleanup/CleanUp40.exe\")
==Download and then Install
Ewido Security Suite (http://\"http://download.ewido.net/ewido-setup.exe\")
When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/ (http://\"http://www.ewido.net/en/download/updates/\")
Download SmitRem.exe by Noahdfear (http://\"http://noahdfear.geekstogo.com/click%20counter/click.php?id=1\") and save the file to your desktop.
Please print the next set of instructions or save them too a notepad file on your desktop for reference
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/...//www.yahoo.com\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/...//www.yahoo.com\")
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Select Safe mode from the Startup menu
Once in safe mode
Find and delete this file if found
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe <-file
==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer
==Double click on SmitRem.exe to extract it to it's own folder on the desktop.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: Well Ewido is running, don't open any other windows, let it do it's job
Reboot back to Normal mode
From my signature below, use Internet Explorer and run an Online Virus scan at Panda's
It's safe to supply them with an email address and additional info needed
When it's loaded
Choose to scan "Local Disks"
When the scan is done, if anything is found
Click the See Report
Save this report to your desktop
Post the following back please
1. A fresh hijackthis log
2. The full report from Ewido's
3. Post the Whole log made from SmitRem located here C:\Smitfiles.txt
4. Post the Report from Panda's
Post by: raised_on_beans_n_rice on December 16, 2005, 03:36:50 PM
Logfile of HijackThis v1.99.1
Scan saved at 2:20:47 PM, on 12/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\AVG7~1.0\avgamsvr.exe
D:\AVG7~1.0\avgupsvc.exe
d:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
D:\AVG7~1.0\avgemc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\Panorama\Panorama.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\HJT\hijackthis.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_EMC] D:\AVG7~1.0\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Matrox PowerDesk SE] "C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "cws" "2"
O4 - Startup: Panorama.lnk = D:\Program Files\Panorama\Panorama.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Send Image to Phone - http://www.freeringers.net/ezimage.php (http://\"http://www.freeringers.net/ezimage.php\")
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/ct1_x.cab\")
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/dot8_x.cab\")
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/tt2_x.cab\")
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/st2_x.cab\")
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab (http://\"http://housecall60.trendmicro.com/housecall/xscan60.cab\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab (http://\"http://www.rovion.com/Controls/Rovion.cab\")
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab\")
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab (http://\"https://support.microsoft.com/OAS/ActiveX/odc.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.Email (http://\"http://by14fd.bay14.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119751357171 (http://\"http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119751357171\")
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123618101998 (http://\"http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123618101998\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002092...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2002092801/housecall.antivirus.com/housecall/xscan53.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by14fd.bay14.Email (http://\"http://by14fd.bay14.Email\") Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab (http://\"http://fdl.msn.com/public/chat/msnchat45.cab\")
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentral.sel.sony.com/sdccomm...oad/sonyctl.CAB (http://\"http://supportcentral.sel.sony.com/sdccommon/download/sonyctl.CAB\")
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgupsvc.exe
O23 - Service: Indexing Service (cisvc) - Unknown owner - C:\WINDOWS\System32\cisvc.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GBPoll - Symantec Corporation - D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
2) Ewido Report:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 1:21:09 PM, 12/13/2005
+ Report-Checksum: AE92B759
+ Scan result:
C:\WINDOWS\system32\bH.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\BO2802040113.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.10\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.11\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.12\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.13\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\v2.dll -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\kl.exe -> Logger.Small.dg : Cleaned with backup
C:\WINDOWS\tool2.exe -> Hijacker.Spywad.l : Cleaned with backup
C:\WINDOWS\hosts -> Trojan.Qhost.el : Cleaned with backup
C:\Documents and Settings\Tony\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-645f4c2c-4de1ca05.class -> Trojan.ClassLoader.Dummy.d : Cleaned with backup
C:\Documents and Settings\Tony\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-73ac7130-4225c91e.class -> Trojan.ClassLoader.Dummy.a : Cleaned with backup
C:\Documents and Settings\Tony\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-7fb5dbb4-6e14f0d7.class -> Trojan.Java.ClassLoader.f : Cleaned with backup
C:\Documents and Settings\Tony\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-44eba5ec-365921c3.class -> Trojan.ClassLoader.Dummy.d : Cleaned with backup
C:\Documents and Settings\Tony\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-15599ffc-4eb9b45b.class -> Trojan.ClassLoader.c : Cleaned with backup
C:\Documents and Settings\Tony\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-3cfa0102-189040a6.class -> Trojan.Byteverify : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp\heur002.dll -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp\IESecurity.dll -> Spyware.SpywareNo : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp\ProcMon.dll -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp\Uninstall.exe -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20041004012203.zip/WINDOWS/NDNuninstall5_40.exe -> Spyware.NewDotNet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq155.tmp\IEagent\CSBIINST.DLL -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP321\A0042155.exe -> Downloader.PassAlert.d : Cleaned with backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP321\A0042158.exe/run.exe -> Downloader.PassAlert.d : Cleaned with backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP321\A0042173.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP321\A0042174.exe -> Downloader.VB.qr : Cleaned with backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP321\A0042175.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP321\A0042176.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP321\A0042177.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP321\A0042178.exe -> Downloader.Small.buh : Cleaned with backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP321\A0042179.exe -> Hijacker.StartPage.agi : Cleaned with backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP321\A0042180.exe -> Downloader.Small.bwr : Cleaned with backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP322\A0042328.exe -> Hijacker.Spywad.l : Cleaned with backup
D:\HJT\backups\backup-20050320-223218-231.inf -> Trojan.WinREG.StartPage : Cleaned with backup
D:\Installed Games\GoldMinerSetup-dm.exe -> Spyware.Trymedia : Cleaned with backup
D:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP321\A0042143.exe -> Downloader.IstBar.nk : Cleaned with backup
::Report End
3) SmitRem* I deleted some files which are currently in my recycle bin until I get the ok to delete them from you. They are as follows:
(http://img340.imageshack.us/img340/9021/untitled2en.th.png) (http://\"http://img340.imageshack.us/my.php?image=untitled2en.png\")
smitRem © log file
version 2.8
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 12/13/2005
The current time is: 12:19:58.87
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
SpySheriff
Install.dat
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
desktop.html
~~~ Drive root ~~~
winstall.exe
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 608 'explorer.exe'
Starting registry repairs
Deleting files
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN!
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />4) Panda report
Incident Status Location
Adware:adware/yoursearchengineNot disinfected C:\WINDOWS\system32\config\systemprofile\Favorites\ REMOVE SPYWARE.url
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\system32\xmltok.dll
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\inf\bi419.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\inf\biini.inf
Adware:Adware/Transponder Not disinfected C:\WINDOWS\inf\polmx2.inf
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\inf\biH.inf
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\inf\conscorr.inf
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.9\HDPlugin1019.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\Downloaded Program Files\flash.inf
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.10\HDPlugin1019.inf
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.11\HDPlugin1019.inf
Adware:adware/sahagent Not disinfected C:\WINDOWS\Downloaded Program Files\sporder_.dll
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.13\HDPlugin1019.inf
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.inf
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.inf
Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\Downloaded Program Files\istactivex.inf
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.inf
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1019.inf
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.5\HDPlugin1019.inf
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.6\HDPlugin1019.inf
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.7\HDPlugin1019.inf
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.8\HDPlugin1019.inf
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\HDPlugin1019.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\Downloaded Program Files\turbo.inf
Adware:adware/portalscan Not disinfected C:\WINDOWS\mmgsvc.dat
Adware:adware/powerstrip Not disinfected C:\WINDOWS\mmgsvce.bin
Adware:Adware/Secure32 Not disinfected C:\WINDOWS\secure32.html
Virus:Trj/Agent.AYO Not disinfected C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
Virus:Trj/Torpig.A Not disinfected C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
Adware:Adware/SpySheriff Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp\heur000.dll
Adware:Adware/SpySheriff Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp\heur001.dll
Adware:Adware/SpySheriff Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp\heur003.dll
Adware:Adware/SpySheriff Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp\SpySheriff.exe
Adware:Adware/SAHAgent Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20041004012207.zip[bi.inf]
Virus:Trj/Qhost.gen Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20041201083223.zip[hosts]
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\US Xingtone Ringtone Maker 4.1.xx all Builds crack.exe
Adware:Adware/IST.ISTBar Not disinfected C:\My Downloads\US Xingtone Ringtone Maker 4.1.xx all Builds crack.exe
Adware:Adware/IST.YourSiteBar Not disinfected D:\HJT\backups\backup-20050320-223217-159.inf
Virus:Trj/Downloader.AEE Not disinfected D:\HJT\backups\backup-20050320-223217-375.inf
Adware:Adware/WUpd Not disinfected D:\HJT\backups\backup-20050320-223217-881.inf
Dialer:Dialer.ASV Not disinfected D:\HJT\backups\backup-20050321-200149-917.inf
Post by: guestolo on December 17, 2005, 04:21:08 AM
Download Killbox
From one of these loactions
http://www.downloads.subratam.org/KillBox.exe (http://\"http://www.downloads.subratam.org/KillBox.exe\")
http://www.atribune.org/downloads/KillBox.exe (http://\"http://www.atribune.org/downloads/KillBox.exe\")
Start Killbox
place a tick next to
delete on reboot.
Copy this whole list into the windows clipboard, all the Bolded below.
Between the dotted lines
By using the Ctrl + C keys on your keyboard
==============================
C:\WINDOWS\system32\config\systemprofile\Favorites\ REMOVE SPYWARE.url
C:\WINDOWS\system32\xmltok.dll
C:\WINDOWS\inf\bi419.inf
C:\WINDOWS\inf\biini.inf
C:\WINDOWS\inf\polmx2.inf
C:\WINDOWS\inf\biH.inf
C:\WINDOWS\inf\conscorr.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.9
C:\WINDOWS\Downloaded Program Files\flash.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.10
C:\WINDOWS\Downloaded Program Files\CONFLICT.11
C:\WINDOWS\Downloaded Program Files\sporder_.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.13
C:\WINDOWS\Downloaded Program Files\CONFLICT.3
C:\WINDOWS\Downloaded Program Files\CONFLICT.1
C:\WINDOWS\Downloaded Program Files\istactivex.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.2
C:\WINDOWS\Downloaded Program Files\CONFLICT.4
C:\WINDOWS\Downloaded Program Files\CONFLICT.5
C:\WINDOWS\Downloaded Program Files\CONFLICT.6
C:\WINDOWS\Downloaded Program Files\CONFLICT.7
C:\WINDOWS\Downloaded Program Files\CONFLICT.8
C:\WINDOWS\Downloaded Program Files\HDPlugin1019.inf
C:\WINDOWS\Downloaded Program Files\turbo.inf
C:\WINDOWS\mmgsvc.dat
C:\WINDOWS\mmgsvce.bin
C:\WINDOWS\secure32.html
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
C:\Program Files\US Xingtone Ringtone Maker 4.1.xx all Builds crack.exe
C:\My Downloads\US Xingtone Ringtone Maker 4.1.xx all Builds crack.exe
==============================
Back in Killbox go to > file > paste from clipboard,
Click the red highlighted X button
Killbox will tell you that all listed files will be deleted on next reboot.. Click YES
When it asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.
Click No at the Pending Operations prompt.
Back in Windows
Open Windows Cleanup
This time click on
OPTIONS>>Standard cleanup
Once standard cleanup is set click the CleanUp! button
Let it finish
Reboot the computer
Please run another scan at Panda's and post a new report