TheTechGuide Forum
General Category => Tech Clinic => Topic started by: parkaluwiz on January 06, 2006, 12:33:11 AM
-
Hello, whoever is reading this. I need help to rid my computer of the w?nspool.exe virus. I ran Ad-Aware and Spybot and did a Windows Update before I ran HijackThis. I also ran AVG Anti-Virus and it was the only program that picked up on the w?nspool.exe virus. I have copied and pasted the HijackThis log at the bottom of this post and I need someone to tell me what I should and should not delete. My computer is running extremely slow and it was difficult to get this whole process going. If anyone has the time, can you please help me! It would be greatly appreciated. Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 12:01:14 AM, on 1/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\MAFWTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\rdso\eetu.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ohb Class - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\system32\hsrb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [Qhi] C:\WINDOWS\system32\w?nspool.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt ndrv
O4 - Startup: Verizon.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095888996597
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
-
Can you do the following please
==Download and Install
Windows CleanUp! 4.0: http://downloads.stevengould.org/cleanup/CleanUp40.exe
Don't run this yet,
Download and then Install
Ewido anti-malware 3.5: http://download.ewido.net/ewido-setup.exe
When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/
Save the rest of these instructions to a Notepad file saved to your desktop or Print them out for use in safe mode
Do a "System scan only" with Hijackthis and put a check next to these entries:
O2 - BHO: ohb Class - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\system32\hsrb.dll (file missing)
O4 - HKCU\..\Run: [Qhi] C:\WINDOWS\system32\w?nspool.exe
O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt ndrv
After you have ticked the above entries, close all other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu
Find and delete this folder
C:\Program Files\rdso <-folder
==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer
==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished its scan, click the "Save Report" button
Save the report to desktop
Exit Ewido
Reboot back to Normal mode
Can you post back the following please
1. Post back a fresh hijackthis log
2. Post the whole contents of the Ewido report
3. Could you also do the following
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as findfile.bat
Save this file on the desktop
dir C:\WINDOWS\system32\w?nspool.exe /a h > files.txt
notepad files.txt
Double click on findfile.bat, a text file should open, can you copy and paste the findings back here please
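Editor's note (added example, not part of the thread): the reason the helper writes w?nspool.exe with a ? wildcard is that the malicious file's name is not spelled with a plain Latin "i". The Ewido report in the next post shows it as wіnspool.exe, where the "і" is a different Unicode character that looks identical on screen, and the legitimate winspool.exe sits in the same folder, so by eye the two cannot be told apart; a ? in dir matches whatever character is in that position. The Python script below is an added example that makes the same check programmatically: it builds a throwaway folder holding a genuine-looking winspool.exe beside a spoofed copy, lists what a w?nspool.exe wildcard would match, and flags any filename containing non-ASCII characters whose look-alike-folded form collides with a known system binary. The confusables table and the list of imitated binary names are small hand-written subsets assumed for the demo, and the sample folder is constructed, not a real system32.

```python
"""Spot filenames that imitate a legitimate Windows binary with look-alike
(homoglyph) characters, such as Cyrillic "і" (U+0456) standing in for Latin "i".
Added example, not code from the thread."""
import fnmatch
import tempfile
import unicodedata
from pathlib import Path

# Hand-written subset of Unicode confusables (assumption: enough for the demo,
# not the full Unicode confusables table). Keys are non-Latin letters, values
# the ASCII letter they resemble.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0501": "d", "\u0461": "w", "\u04bb": "h",                # Cyrillic
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p", "\u03bd": "v",  # Greek
    "\u0131": "i",                                               # dotless i
}

# Binaries that malware commonly impersonates; winspool.exe is the thread's
# case, the rest are assumed for the demo.
KNOWN_SYSTEM_BINARIES = {
    "winspool.exe", "spoolsv.exe", "svchost.exe", "lsass.exe",
    "csrss.exe", "explorer.exe", "winlogon.exe",
}


def skeleton(name: str) -> str:
    """Fold a name to the ASCII it is trying to look like (NFKC first, so
    fullwidth or otherwise decomposable letters collapse as well)."""
    folded = unicodedata.normalize("NFKC", name)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded).lower()


def non_ascii_chars(name: str):
    """Describe each non-ASCII character so the report says exactly what is
    hiding in the name: (char, code point, Unicode name)."""
    return [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for ch in name if ord(ch) > 0x7F]


def find_lookalike_files(root, known_names=KNOWN_SYSTEM_BINARIES):
    """Walk root and report files whose name contains non-ASCII characters;
    'impersonates' names the legitimate binary the folded name collides with,
    or None if it matches nothing on the list."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.name.isascii():
            continue
        skel = skeleton(path.name)
        hits.append({
            "path": str(path),
            "name": path.name,
            "non_ascii": non_ascii_chars(path.name),
            "impersonates": skel if skel in known_names else None,
        })
    return hits


def wildcard_hits(root, pattern: str):
    """What the helper's `dir w?nspool.exe` would list: '?' matches exactly one
    character, whatever script it comes from (case-folded like Windows)."""
    return sorted(p.name for p in Path(root).iterdir()
                  if fnmatch.fnmatchcase(p.name.lower(), pattern.lower()))


def build_sample_dir() -> Path:
    """Constructed stand-in for system32: the real winspool.exe next to a
    spoofed copy whose second letter is Cyrillic і, as in the Ewido report."""
    root = Path(tempfile.mkdtemp(prefix="sys32_"))
    for fname, payload in {
        "winspool.exe": b"MZ legitimate stub",
        "w\u0456nspool.exe": b"MZ spoofed stub",
        "spoolsv.exe": b"MZ legitimate stub",
        "notes.txt": b"not an executable",
    }.items():
        (root / fname).write_bytes(payload)
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    print("dir w?nspool.exe ->", wildcard_hits(sample, "w?nspool.exe"))
    for hit in find_lookalike_files(sample):
        print(f"{hit['name']!r} impersonates {hit['impersonates']}: {hit['non_ascii']}")
```

Run it and the wildcard listing returns both winspool.exe and the spoofed name, which is exactly why the helper asked for the dir output rather than trusting a visual check; the lookalike report then pins the spoof down to a single code point (U+0456) and names the binary it is imitating. On a real system, pointing find_lookalike_files at C:\WINDOWS\system32 and the Program Files tree is the equivalent of the batch file above, without needing to know the odd character in advance.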
-
Hey, thanks for replying so quickly. I'm sorry I took so long to reply. My computer's been so slow lately and Ewido took a few hours to scan everything. I followed all your directions. Ewido found 21 infected files, but I have a question for you, please. When scanning was complete, a warning window popped up saying that the file
F:\C Drive Stuff\WINDOWS\SYSTEM32\c58bKs.dll/bi.dll
could not be deleted or fixed because it was embedded in the archive
F:\C Drive Stuff\WINDOWS\SYSTEM32\c58bKs.dll
It gave me the choice of deleting the whole archive or leaving it alone, and I chose to leave it alone because I didn't know if I'd be deleting something important. Should I have done this?
Here is a copy of all you asked for.
Logfile of HijackThis v1.99.1
Scan saved at 11:40:36 PM, on 1/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MAFWTray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Verizon.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095888996597
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 11:22:27 PM, 1/8/2006
+ Report-Checksum: A23AA7B4
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKU\S-1-5-21-1482476501-796845957-839522115-1003\Software\_hsrb -> Spyware.Hotsearchbar : Cleaned with backup
HKU\S-1-5-21-1482476501-796845957-839522115-1003\Software\_hsrb\kkws -> Spyware.Hotsearchbar : Cleaned with backup
HKU\S-1-5-21-1482476501-796845957-839522115-1003\Software\_hsrb\ppops -> Spyware.Hotsearchbar : Cleaned with backup
HKU\S-1-5-21-1482476501-796845957-839522115-1003\Software\_hsrb\ssites -> Spyware.Hotsearchbar : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\Common Files\sysdir\ODQ6ODoxMg.exe -> Spyware.ISearch : Cleaned with backup
C:\WINDOWS\system32\wіnspool.exe -> Spyware.PurityScan : Cleaned with backup
F:\C Drive Stuff\Documents and Settings\Owner\Cookies\owner@a-1shz2prbmdj6wvny-1sez2pra2dj6wjk4elc5mlqa-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\C Drive Stuff\Documents and Settings\Owner\Cookies\owner@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
F:\C Drive Stuff\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
F:\C Drive Stuff\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
F:\C Drive Stuff\Documents and Settings\Owner\Cookies\owner@specificpop[2].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
F:\C Drive Stuff\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Adtrak : Cleaned with backup
F:\C Drive Stuff\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
F:\C Drive Stuff\Documents and Settings\Owner\Cookies\owner@y-1shz2prbmdj6wvny-1sez2pra2dj6wflioic5kfpqqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\C Drive Stuff\Documents and Settings\Owner\Cookies\owner@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4qndjebpqidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\C Drive Stuff\Documents and Settings\Owner\Cookies\owner@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkosocpsepgqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\C Drive Stuff\Documents and Settings\Owner\Cookies\owner@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyuid5ckpa6dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\C Drive Stuff\Documents and Settings\Owner\Cookies\owner@y-1shz2prbmdj6wvny-1sez2pra2dj6wjl4ciazibogidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\C Drive Stuff\Documents and Settings\Owner\Cookies\owner@y-1shz2prbmdj6wvny-1sez2pra2dj6wjl4soajakpa6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\C Drive Stuff\Documents and Settings\Owner\Cookies\owner@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnysmajkgpawdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\C Drive Stuff\Documents and Settings\Stephen\Cookies\stephen@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
F:\C Drive Stuff\Documents and Settings\Stephen\Cookies\[email protected][1].txt -> Spyware.Cookie.Dbbsrv : Cleaned with backup
F:\C Drive Stuff\WINDOWS\extract.exe -> Trojan.Imiserv.c : Cleaned with backup
F:\C Drive Stuff\WINDOWS\msbbi.exe -> Trojan.Imiserv.c : Cleaned with backup
F:\C Drive Stuff\WINDOWS\SYSTEM32\c58bKs.dll/bi.dll -> Trojan.Bispy.A : Error during cleaning
F:\C Drive Stuff\WINDOWS\SYSTEM32\c58bKs.dll/biprep.exe -> Trojan.Bispy.B : Error during cleaning
F:\C Drive Stuff\WINDOWS\SYSTEM32\c58bKs.dll/bi.dll -> Trojan.Bispy.A : Error during cleaning
F:\C Drive Stuff\WINDOWS\SYSTEM32\c58bKs.dll/biprep.exe -> Trojan.Bispy.B : Error during cleaning
F:\C Drive Stuff\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
::Report End
THIS IS FROM THE FINDFILE.BAT
Volume in drive C has no label.
Volume Serial Number is A093-709C
Directory of C:\WINDOWS\system32
09/03/2002 12:12 PM 2,112 winspool.exe
1 File(s) 2,112 bytes
Directory of C:\Documents and Settings\Owner\Desktop
-
Go ahead and delete this whole archive
Ewido has had an update as of today
Can you check for updates with Ewido again
Run with the instructions I posted above, best run in safe mode
Save the log afterwards
Boot to normal mode
Post the new Ewido log
How is everything running after that?
findfile.bat came up clean; Ewido cleaned the bad file I was looking for
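Editor's note (added example, not part of the thread): Ewido's c58bKs.dll/bi.dll notation means it found a second executable stored inside the bytes of c58bKs.dll, the way an archive scanner reports a member of a zip. A member like that cannot be removed on its own without rewriting the container, which is why the scanner offers to delete the whole archive and why the helper's answer is to let it. The Python script below is an added example of how such a finding is made: it carves a file for PE images by locating "MZ" signatures, following e_lfanew at offset 0x3C to a "PE\0\0" signature and parsing the COFF header, and it rejects stray "MZ" byte pairs that do not lead to a valid header. The container it scans is constructed in the script (a stub DLL holding a stub DLL and a stub EXE, plus a decoy), not the real c58bKs.dll, and the stubs are header-only, not loadable images.

```python
"""Locate executables embedded inside another file by carving for PE headers.
Added example, not code from the thread; the sample container is constructed
here to stand in for a dropper DLL like the one Ewido reported."""
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
# COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER_FMT = "<HHIIIHH"
COFF_HEADER_SIZE = struct.calcsize(COFF_HEADER_FMT)  # 20 bytes


def make_pe_stub(characteristics: int, machine: int = 0x14C) -> bytes:
    """Smallest thing the carver accepts as a PE: a DOS header whose e_lfanew
    points at 'PE\\0\\0' plus a COFF header. Constructed for the demo; it is
    not a loadable image."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HEADER_FMT, machine, 1, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + coff


def pe_header_at(buf: bytes, off: int):
    """Return parsed COFF fields if a plausible PE image starts at off, else None."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    (e_lfanew,) = struct.unpack_from("<I", buf, off + 0x3C)
    pe = off + e_lfanew
    # e_lfanew must point past the DOS header and stay inside the buffer; a
    # random "MZ" in data almost always fails one of these checks.
    if e_lfanew < 0x40 or pe + 4 + COFF_HEADER_SIZE > len(buf):
        return None
    if buf[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsect, _, _, _, _, chars = struct.unpack_from(COFF_HEADER_FMT, buf, pe + 4)
    return {"offset": off, "machine": machine, "sections": nsect,
            "is_dll": bool(chars & IMAGE_FILE_DLL)}


def carve_pe_images(buf: bytes):
    """Every offset where a PE header validates, including offset 0 when the
    container itself is a PE file."""
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        hdr = pe_header_at(buf, pos)
        if hdr:
            hits.append(hdr)
        pos = buf.find(b"MZ", pos + 1)
    return hits


def embedded_pe_images(buf: bytes):
    """Images that begin somewhere inside the file: these are what a
    'container.dll/member.dll' style report points at."""
    return [h for h in carve_pe_images(buf) if h["offset"] > 0]


def build_sample_container():
    """Constructed dropper: a DLL container holding a DLL and an EXE, plus a
    decoy 'MZ' that is not a PE. Returns (bytes, expected embedded offsets)."""
    blob = bytearray()
    expected = []

    def append(chunk: bytes, is_image: bool = False):
        if is_image:
            expected.append(len(blob))
        blob.extend(chunk)

    append(make_pe_stub(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL))  # outer DLL at 0
    append(b"\x00" * 37)
    append(b"MZ" + b"\x00" * 62)           # decoy: e_lfanew reads as 0, rejected
    append(make_pe_stub(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL), True)  # embedded DLL
    append(b"\xcc" * 11)
    append(make_pe_stub(IMAGE_FILE_EXECUTABLE_IMAGE), True)              # embedded EXE
    append(b"\x00" * 16)
    return bytes(blob), expected


if __name__ == "__main__":
    sample, _ = build_sample_container()
    for hit in embedded_pe_images(sample):
        kind = "DLL" if hit["is_dll"] else "EXE"
        print(f"embedded {kind} at offset 0x{hit['offset']:X}, machine 0x{hit['machine']:X}")
```

Run against a real file with open(path, "rb").read(), the carver lists each embedded image with its offset, which is enough to cut the payloads out for analysis (buf[offset:] up to the next hit) and to explain why a per-member "clean" is not possible: the member's bytes are part of the parent file's image, and nothing short of rewriting or deleting the parent removes them.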
-
Hey. I re-ran Ewido after I updated it. This time it found 7 infected files and fixed them. That warning I told you about came up again. I chose to delete the whole archive. I want to say thanks a lot; my computer seems to be running a lot better now. I'm able to open programs I couldn't open a week ago. When starting up the computer lately I keep getting a notice that my slave drive is acting out of its normal specifications. I don't think this is because of all the viruses or spyware I had on it. I think it's just dying on me. It suggests that I back up my files immediately, which I will start doing tonight. If you have any idea what's going on or how I could find out, please let me know. Thank you for all the help you've given me. My computer's really running way better now. Also, now that I've got all these new programs, how often do you suggest I run them? Here is the new Ewido report.
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 11:42:15 PM, 1/9/2006
+ Report-Checksum: DF819368
+ Scan result:
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
F:\C Drive Stuff\WINDOWS\SYSTEM32\c58bKs.dll/bi.dll -> Trojan.Bispy.A : Cleaned with backup
F:\C Drive Stuff\WINDOWS\SYSTEM32\c58bKs.dll/biprep.exe -> Trojan.Bispy.B : Cleaned with backup
F:\C Drive Stuff\WINDOWS\SYSTEM32\c58bKs.dll/bi.dll -> Trojan.Bispy.A : Cleaned with backup
F:\C Drive Stuff\WINDOWS\SYSTEM32\c58bKs.dll/biprep.exe -> Trojan.Bispy.B : Cleaned with backup
::Report End
-
If everything is running better
We should clear all your restore points to ensure you don't restore any nasties that may be residing in the
restore folders
Go to START>>RUN>>In the open field
type in msconfig
Click the "Launch System Restore" button
On the Left hand side click on "System Restore Settings"
Put a Check in "Turn off System Restore"
Apply it and OK out of there>>Reboot your computer
Back in Windows, Go back and take the check out of Turn off system restore
This will re-enable the System Restore feature and create a new restore point
For added protection
You should install this free tool
SpywareBlaster 3.5.1 by JavaCool: http://www.javacoolsoftware.com/spywareblaster.html
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"
Check for updates every couple of weeks
after every update just simply click the "enable protection on all unprotected items"
In addition, open Spybot 1.4
Click the "Immunize" button on the left>>>OK at the prompt>>Immunize at the top green cross
Do this after every update
You appear to be up to date on Windows updates
Just a reminder, if you are not set to Autoupdate, make a habit of visiting Windows Updates
and check for High Priority updates a couple times a month
This is important in keeping your system secure
Stay safe
:)
-
Hey, thanks a lot for all your help. I did everything you said and my computer seems to be back on track now. I'll follow all your advice and download and update all the programs you said. I'm going to try to stay out of trouble now. lol. Thanks again, it's really appreciated.
:D
-
Sounds good parkaluwiz
I'll lock this topic as your problems appear resolved
Take care
:)