Author Topic: hijacked  (Read 1782 times)

Offline flipper1

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
hijacked
« on: January 15, 2006, 11:17:25 PM »
here is my log file


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\F-Secure Internet Security\fswsclds.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Aladdin Systems\iClean\iClean.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\shelly\My Documents\Unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {0519A9C9-064A-4cbc-BC47-D0EACD581477} - (no file)
O2 - BHO: (no name) - {0EEDB912-C5FA-486F-8334-57288578C627} - (no file)
O2 - BHO: (no name) - {465A59EC-20E5-4fca-A38A-E5EC3C480218} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {76EAE03C-F2B1-4397-97E8-390920B7C2DC} - (no file)
O2 - BHO: (no name) - {8A8F5616-35CF-4C44-9DC0-652E548C3C4b} - C:\WINDOWS\system32\otyyltns.dll
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\setdrv32.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iClean] "C:\Program Files\Aladdin Systems\iClean\iClean.exe" /I
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Microsoft Windows System] gkukxpvp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: LimeWire On Startup.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O16 - DPF: Ali Baba Slots TM by pogo -
O16 - DPF: Armored Attack by pogo -
O16 - DPF: Big Shot Roulette TM by pogo -
O16 - DPF: Blackjack by pogo -
O16 - DPF: Buckaroo Blackjack TM by pogo -
O16 - DPF: Checkers by pogo -
O16 - DPF: Command and Conquer Comanche by pogo -
O16 - DPF: Dominoes by pogo -
O16 - DPF: EZ Win Bingo by pogo -
O16 - DPF: Greenback Bayou by pogo -
O16 - DPF: Hearts by pogo -
O16 - DPF: High Stakes Poker by pogo -
O16 - DPF: High Stakes Pool by pogo -
O16 - DPF: Its Outta Here 2 by pogo -
O16 - DPF: Jigsaw Detective by pogo -
O16 - DPF: Jokers Wild Poker by pogo -
O16 - DPF: Jungle Gin by pogo -
O16 - DPF: Keno by pogo -
O16 - DPF: Lottso by pogo -
O16 - DPF: Mah Jong Garden by pogo -
O16 - DPF: Multiline Slots by pogo -
O16 - DPF: NASCAR Web Racing by pogo -
O16 - DPF: Pai Gow by pogo -
O16 - DPF: Payday FreeCell by pogo -
O16 - DPF: Pebble Beach 3 Hole Challenge by pogo -
O16 - DPF: Pebble Beach Golf by pogo -
O16 - DPF: Perfect Pair Solitaire by pogo -
O16 - DPF: Perfect Passer by pogo -
O16 - DPF: Phlinx by pogo -
O16 - DPF: Pinochle by pogo -
O16 - DPF: Pirate's Gold by pogo -
O16 - DPF: Pop Fu by pogo -
O16 - DPF: Poppit TM by pogo -
O16 - DPF: Quick Shot by pogo -
O16 - DPF: Ricochet by pogo -
O16 - DPF: SciFi Slots by pogo -
O16 - DPF: Showbiz Slots 2 by pogo -
O16 - DPF: Spades by pogo -
O16 - DPF: Spider Solitaire by pogo -
O16 - DPF: Squelchies by pogo -
O16 - DPF: Sweet Tooth TM by pogo -
O16 - DPF: Tank Hunter by pogo -
O16 - DPF: Texas Hold'em Poker by pogo -
O16 - DPF: The Sims Pinball by pogo -
O16 - DPF: Top Down Baseball Challenge by pogo -
O16 - DPF: Tri-Peaks by pogo -
O16 - DPF: Tumble Bees by pogo -
O16 - DPF: Turbo 21 TM by pogo -
O16 - DPF: Vert Skater by pogo -
O16 - DPF: Video Poker by pogo -
O16 - DPF: Word Whomp by pogo -
O16 - DPF: Word Whomp Whackdown by pogo -
O16 - DPF: WordJong by pogo -
O16 - DPF: World Class Solitaire by pogo -
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} -
O16 - DPF: {012F24D4-35B0-11D0-BF2D-0000E8D0D156} -
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) -
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} -
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} -
O16 - DPF: {AB9820A0-02A9-11D5-A72F-004F4E002BD6} -
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {E12F0983-F19C-4A7C-A7A7-CD8F15EAEB21} -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{28D59922-6E28-42FA-B1D6-99AFA4FDCE3D}: NameServer = 198.164.4.62 198.164.30.62
O20 - Winlogon Notify: setdrv32 - C:\WINDOWS\SYSTEM32\setdrv32.dll
O21 - SSODL: IEFilter - {EDD2B86A-3686-4CD1-8A7E-70F3A7CDE287} - C:\WINDOWS\system32\IEFilter.dll
O23 - Service: AVG6 Service (AvgServ) - GRISOFT© SOFTWARE s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: F-Secure Windows Security Center Legacy Detection Service (Fswsclds) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\fswsclds.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
hijacked
« Reply #1 on: January 16, 2006, 12:13:49 AM »
Can you do the following please

I need you to disable your spyware protections until you are clean.
They may, and probably will, interfere with any fixes we are to try.

Open Spybot>>Click MODE>>Advanced mode
Ok the prompt
Click on TOOLS in the bottom left>>Then click Resident
Uncheck only "Resident TeaTimer" on the right hand side
Allow the change and then close Spybot

Open Spysweeper, disable any that apply
click >Options over to the left then >program options >Uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".

Disable Microsoft AntiSpyware's realtime protections so it won't interfere in any fixes we try.
Keep this disabled until we know you are clean
Open Microsoft AntiSpyware.
Click on Options>>Settings
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

I have never used Pest Patrol, but open it and disable its realtime protections

Reboot the computer afterwards

Come back here and post a fresh HijackThis log. Include the WHOLE log, which includes the top header
(HijackThis version and operating system).
« Last Edit: January 16, 2006, 12:15:19 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline flipper1

hijacked
« Reply #2 on: January 16, 2006, 04:30:05 PM »
Logfile of HijackThis v1.99.1
Scan saved at 5:15:50 PM, on 1/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Aladdin Systems\iClean\iClean.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\F-Secure Internet Security\fswsclds.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\shelly\My Documents\Unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {0EEDB912-C5FA-486F-8334-57288578C627} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {76EAE03C-F2B1-4397-97E8-390920B7C2DC} - (no file)
O2 - BHO: (no name) - {8A8F5616-35CF-4C44-9DC0-652E548C3C4b} - C:\WINDOWS\system32\otyyltns.dll
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\setdrv32.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iClean] "C:\Program Files\Aladdin Systems\iClean\iClean.exe" /I
O4 - HKLM\..\RunServices: [Microsoft Windows System] gkukxpvp.exe
O4 - Startup: LimeWire On Startup.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O16 - DPF: Ali Baba Slots TM by pogo -
O16 - DPF: Armored Attack by pogo -
O16 - DPF: Big Shot Roulette TM by pogo -
O16 - DPF: Blackjack by pogo -
O16 - DPF: Buckaroo Blackjack TM by pogo -
O16 - DPF: Checkers by pogo -
O16 - DPF: Command and Conquer Comanche by pogo -
O16 - DPF: Dominoes by pogo -
O16 - DPF: EZ Win Bingo by pogo -
O16 - DPF: Greenback Bayou by pogo -
O16 - DPF: Hearts by pogo -
O16 - DPF: High Stakes Poker by pogo -
O16 - DPF: High Stakes Pool by pogo -
O16 - DPF: Its Outta Here 2 by pogo -
O16 - DPF: Jigsaw Detective by pogo -
O16 - DPF: Jokers Wild Poker by pogo -
O16 - DPF: Jungle Gin by pogo -
O16 - DPF: Keno by pogo -
O16 - DPF: Lottso by pogo -
O16 - DPF: Mah Jong Garden by pogo -
O16 - DPF: Multiline Slots by pogo -
O16 - DPF: NASCAR Web Racing by pogo -
O16 - DPF: Pai Gow by pogo -
O16 - DPF: Payday FreeCell by pogo -
O16 - DPF: Pebble Beach 3 Hole Challenge by pogo -
O16 - DPF: Pebble Beach Golf by pogo -
O16 - DPF: Perfect Pair Solitaire by pogo -
O16 - DPF: Perfect Passer by pogo -
O16 - DPF: Phlinx by pogo -
O16 - DPF: Pinochle by pogo -
O16 - DPF: Pirate's Gold by pogo -
O16 - DPF: Pop Fu by pogo -
O16 - DPF: Poppit TM by pogo -
O16 - DPF: Quick Shot by pogo -
O16 - DPF: Ricochet by pogo -
O16 - DPF: SciFi Slots by pogo -
O16 - DPF: Showbiz Slots 2 by pogo -
O16 - DPF: Spades by pogo -
O16 - DPF: Spider Solitaire by pogo -
O16 - DPF: Squelchies by pogo -
O16 - DPF: Sweet Tooth TM by pogo -
O16 - DPF: Tank Hunter by pogo -
O16 - DPF: Texas Hold'em Poker by pogo -
O16 - DPF: The Sims Pinball by pogo -
O16 - DPF: Top Down Baseball Challenge by pogo -
O16 - DPF: Tri-Peaks by pogo -
O16 - DPF: Tumble Bees by pogo -
O16 - DPF: Turbo 21 TM by pogo -
O16 - DPF: Vert Skater by pogo -
O16 - DPF: Video Poker by pogo -
O16 - DPF: Word Whomp by pogo -
O16 - DPF: Word Whomp Whackdown by pogo -
O16 - DPF: WordJong by pogo -
O16 - DPF: World Class Solitaire by pogo -
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} -
O16 - DPF: {012F24D4-35B0-11D0-BF2D-0000E8D0D156} -
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) -
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} -
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} -
O16 - DPF: {AB9820A0-02A9-11D5-A72F-004F4E002BD6} -
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {E12F0983-F19C-4A7C-A7A7-CD8F15EAEB21} -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{28D59922-6E28-42FA-B1D6-99AFA4FDCE3D}: NameServer = 198.164.4.62 198.164.30.62
O20 - Winlogon Notify: setdrv32 - C:\WINDOWS\SYSTEM32\setdrv32.dll
O21 - SSODL: IEFilter - {EDD2B86A-3686-4CD1-8A7E-70F3A7CDE287} - C:\WINDOWS\system32\IEFilter.dll
O23 - Service: AVG6 Service (AvgServ) - GRISOFT© SOFTWARE s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: F-Secure Windows Security Center Legacy Detection Service (Fswsclds) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\fswsclds.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

sorry about that

Offline guestolo

hijacked
« Reply #3 on: January 16, 2006, 05:32:10 PM »
Can you do the following please, I want to check on something

From below, Download and UNZIP the contents to your desktop
Findit.zip
So you now have Findit.bat and Findit3.bat extracted

Double click on Findit.bat
A text file will open, copy and paste the contents back here please

Do the same with Findit3.bat



Offline flipper1

hijacked
« Reply #4 on: January 16, 2006, 06:33:15 PM »
Volume in drive C has no label.
 Volume Serial Number is 9CC9-5B23

 Directory of C:\WINDOWS\system32


 Directory of C:\Documents and Settings\shelly\Local Settings\Temporary Internet Files\Content.IE5\29PIZITO
 
Volume in drive C has no label.
 Volume Serial Number is 9CC9-5B23

 Directory of C:\WINDOWS\system32


 Directory of C:\Documents and Settings\shelly\Local Settings\Temporary Internet Files\Content.IE5\29PIZITO  


There it is. Sorry I take so long; I keep getting booted from Internet Explorer.

Offline guestolo

hijacked
« Reply #5 on: January 16, 2006, 06:45:22 PM »
Umm, I wanted you to save those files and unzip them to your desktop.
You selected to OPEN them rather than SAVE them.
Please do the following

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as search.bat

Save this file on the desktop

 
Code:
@echo off
cd\
REM move into the Windows system folder
cd %windir%\system32
REM list files only (no folders), newest first, into a text file in the root of the system drive
dir /a:-d /o:-d > %systemdrive%\system32.txt
REM open the listing in the default text viewer
start %systemdrive%\system32.txt
cls
exit


Double click on search.bat
A text file will open, it will be long
I want to see the whole thing
In the text file go to EDIT>>Select all
EDIT>>COPY

That should copy the whole contents, come back here and paste the contents in your next reply



Offline flipper1

hijacked
« Reply #6 on: January 16, 2006, 07:00:57 PM »
Volume in drive C has no label.
 Volume Serial Number is 9CC9-5B23

 Directory of C:\WINDOWS\system32

EDIT>>>Thanks, I've saved the info, I'll post what I needed later
<guestolo>
« Last Edit: January 16, 2006, 07:08:14 PM by guestolo »

Offline guestolo

hijacked
« Reply #7 on: January 16, 2006, 07:20:36 PM »
OK, I see you now have Ewido installed.
It's a good program, but can you refrain from installing any further new software unless asked, or until we get you clean.

Leave Ewido installed, but I want to remove the Guard so it won't interfere
Open Ewido, under the main screen under Additional
Remove Guard
Reboot if prompted

Download and Install
Windows Cleanup! 4.0
Don't run it yet

Open Ewido
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link
http://www.ewido.net/en/download/updates/

After it is updated close it for now, we'll need it later

Please  save these instructions to a Notepad file and save it to your Desktop for reference
or Print them out!


Please download VundoFix.exe to your desktop.
    * Double-click VundoFix.exe to run it.
    * Click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will shutdown your computer, click OK.
    * Turn your computer back on.

RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

Remain in safe mode
==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
 
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other Windows

Do a "System scan only" with Hijackthis and put a check next to these entries:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {0EEDB912-C5FA-486F-8334-57288578C627} - (no file)

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: (no name) - {76EAE03C-F2B1-4397-97E8-390920B7C2DC} - (no file)
O2 - BHO: (no name) - {8A8F5616-35CF-4C44-9DC0-652E548C3C4b} - C:\WINDOWS\system32\otyyltns.dll
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\setdrv32.dll

O4 - HKLM\..\RunServices: [Microsoft Windows System] gkukxpvp.exe

Put a tick next to ALL the 016 entries

O20 - Winlogon Notify: setdrv32 - C:\WINDOWS\SYSTEM32\setdrv32.dll
O21 - SSODL: IEFilter - {EDD2B86A-3686-4CD1-8A7E-70F3A7CDE287} - C:\WINDOWS\system32\IEFilter.dll


After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot back to Normal mode

Back in windows
I need to see the following
1. Run another System scan and Save logfile with Hijackthis and post the log
2. Post the report you saved earlier with Ewido
3. Post the contents of C:\vundofix.txt
« Last Edit: January 16, 2006, 07:21:53 PM by guestolo »

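The removal criteria guestolo applied above (orphaned "(no file)" BHOs, an unnamed BHO in system32, a RunServices entry with a bare file name, the O20/O21 load points, and every O16 control) can be written down as a triage pass over HijackThis-style lines. This is an added example, not HijackThis code and not from anyone in this thread; the sample lines are copied from the second log posted here, and `triage`, `Finding` and the rule wording are my own heuristics for a reviewer, not an automatic fix.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample: lines copied from the second log posted in this thread,
# trimmed to one or two representatives of each entry type.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8A8F5616-35CF-4C44-9DC0-652E548C3C4b} - C:\WINDOWS\system32\otyyltns.dll
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\setdrv32.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [Microsoft Windows System] gkukxpvp.exe
O16 - DPF: Checkers by pogo -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) -
O20 - Winlogon Notify: setdrv32 - C:\WINDOWS\SYSTEM32\setdrv32.dll
O21 - SSODL: IEFilter - {EDD2B86A-3686-4CD1-8A7E-70F3A7CDE287} - C:\WINDOWS\system32\IEFilter.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "<section> - <body>" is the shape of every HijackThis entry line.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# O2 body: "BHO: <name> - {<clsid>} - <path or (no file)>"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# O4 body: "HKLM\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    line: str    # the log line (or a summary label) that triggered the rule
    reason: str  # why a helper would want a second look at it


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].strip().lower()


def triage(log_text: str) -> List[Finding]:
    """Apply the thread's removal criteria as heuristics; returns entries to review."""
    entries = [m for m in (ENTRY_RE.match(line.strip()) for line in log_text.splitlines()) if m]
    # Modules hooked into Winlogon (O20) are worth correlating with the BHO list:
    # in this thread setdrv32.dll shows up in both places.
    notify_dlls: Set[str] = {
        basename(m["body"].rsplit(" - ", 1)[-1]) for m in entries if m["kind"] == "O20"
    }
    findings: List[Finding] = []
    dpf_count = 0
    for m in entries:
        kind, body, line = m["kind"], m["body"], m.group(0)
        if kind == "R3" and "missing" in body:
            findings.append(Finding(line, "default IE URLSearchHook is gone; listed for fixing in the thread"))
        elif kind == "O2":
            b = BHO_RE.match(body)
            if b is None:
                continue
            path = b["path"].strip()
            if path == "(no file)":
                findings.append(Finding(line, "orphaned BHO: registry entry points at a DLL that is no longer there"))
            elif b["name"] == "(no name)" and "\\system32\\" in path.lower():
                findings.append(Finding(line, "unnamed BHO loading from system32"))
            elif basename(path) in notify_dlls:
                findings.append(Finding(line, "BHO DLL is also registered as a Winlogon Notify handler"))
        elif kind == "O4":
            o = O4_RE.match(body)
            if o and o["key"] == "RunServices" and "\\" not in o["cmd"]:
                findings.append(Finding(line, "RunServices autostart with a bare file name (no path)"))
        elif kind == "O16":
            dpf_count += 1
        elif kind in ("O20", "O21"):
            findings.append(Finding(line, kind + " load point; rarely needed on a home PC, review the module"))
    if dpf_count:
        findings.append(Finding("O16 x%d" % dpf_count,
                                "downloaded ActiveX controls present; the helper asked to tick all O16 entries"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.reason)
        print("    " + f.line)
```

Known-good entries in the same sample (Spybot's SDHelper.dll, Java's ssv.dll, the NVIDIA service) pass through untouched, which is the point of correlating rather than flagging every O2 line.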


Offline flipper1

hijacked
« Reply #8 on: January 16, 2006, 09:07:02 PM »
Logfile of HijackThis v1.99.1
Scan saved at 9:59:01 PM, on 1/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Aladdin Systems\iClean\iClean.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\F-Secure Internet Security\fswsclds.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Service.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\shelly\My Documents\Unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\setdrv32.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iClean] "C:\Program Files\Aladdin Systems\iClean\iClean.exe" /I
O4 - Startup: LimeWire On Startup.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O20 - Winlogon Notify: setdrv32 - C:\WINDOWS\SYSTEM32\setdrv32.dll
O23 - Service: AVG6 Service (AvgServ) - GRISOFT© SOFTWARE s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: F-Secure Windows Security Center Legacy Detection Service (Fswsclds) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\fswsclds.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:         9:47:56 PM, 1/16/2006
 + Report-Checksum:      610F25F5

 + Scan result:

   C:\Documents and Settings\shelly\My Documents\Unzipped\hijackthis[1]\backups\backup-20060109-004948-515.dll -> Trojan.Agent.cs : Cleaned with backup
   C:\Documents and Settings\shelly\My Documents\Unzipped\hijackthis[1]\backups\backup-20060109-005025-262.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
   C:\Documents and Settings\shelly\My Documents\Unzipped\hijackthis[1]\backups\backup-20060116-173300-489.dll -> Trojan.Agent.cs : Cleaned with backup
   C:\Documents and Settings\shelly\My Documents\Unzipped\hijackthis[1]\backups\backup-20060116-173358-766.dll -> Trojan.Agent.cs : Cleaned with backup
   C:\Documents and Settings\shelly\My Documents\Unzipped\hijackthis[1]\backups\backup-20060116-174647-683.dll -> Trojan.Agent.cs : Cleaned with backup
   C:\Documents and Settings\shelly\My Documents\Unzipped\hijackthis[1]\backups\backup-20060116-183220-697.dll -> Trojan.Agent.cs : Cleaned with backup
   C:\Documents and Settings\shelly\Shared\Battlefield 1942 CD-KEY Generator.exe -> Worm.Apsiv : Cleaned with backup
   C:\Documents and Settings\shelly\Shared\Norton Anti-Virus 2004 Reg-Code Generator (WORKING!!).exe -> Worm.Apsiv : Cleaned with backup
   C:\Documents and Settings\shelly\Shared\Norton AntiVirus 2004 Pro Activation Key & Serial.exe -> Worm.Apsiv : Cleaned with backup
   C:\Documents and Settings\shelly\Shared\Norton Antivirus 2004 PRO Reg-Code Generator (WORKING!!).exe -> Worm.Apsiv : Cleaned with backup
   C:\Documents and Settings\shelly\Shared\Norton Internet Security Reg-Code Generator (WORKING!!).exe -> Worm.Apsiv : Cleaned with backup
   C:\Documents and Settings\shelly\Shared\Norton SystemWorks 2004 Pro Reg-Code Generator.exe -> Worm.Apsiv : Cleaned with backup
   C:\Documents and Settings\shelly\Shared\Windows XP Pro ACTIVATION-KEY GENERATOR !!!.exe -> Worm.Apsiv : Cleaned with backup
   C:\WINDOWS\system32\setdrv32.dll -> Trojan.Agent.cs : Cleaned with backup
   C:\WINDOWS\system32\__sys.exe -> Worm.Apsiv : Cleaned with backup


::Report End


VundoFix V4.0

Listing files found while scanning....

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
hijacked
« Reply #9 on: January 16, 2006, 09:55:30 PM »
Hi again flipper1

Can you do the following please
Open Hijackthis>>Open misc tools section>>Open Uninstall manager
Click the SAVE LIST button
Save this list to desktop and then copy and paste back here the whole contents please

Do you want to post your own logs from FRST? Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline flipper1

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
hijacked
« Reply #10 on: January 17, 2006, 05:25:20 AM »
Ability Office 2002
Ad-aware 6 Professional
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Acrobat 7.0.3 and Reader 7.0.3 Update
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0
AOpen Multimedia Utilities
Avance AC'97 Audio
AVG 6.0 Anti-Virus - FREE Edition
BitTorrent 3.4.2
BPS Spyware-Adware Remover 8.2.0.2
Carnival Cruise Lines Tycoon 2005 - Island Hopping
CCleaner (remove only)
CleanUp!
Digital Patrol 4.10.17
DivX Player
DivX Pro Trial
Elecard MPEG-2 Decoder&Streaming Pack
ewido anti-malware
GameSpy Arcade
GoldWave v5.10
HijackThis 1.99.1
Historywasherpro.com
hp instant support
HP Memories Disc
HP Photo and Imaging 2.0 - Photosmart Cameras
iClean
InfoProcess AntiHook 2.5 (Build 12)
iPhoto Plus 4
J2SE Runtime Environment 5.0 Update 6
Kill Docs
Lexmark 730 Series
Lexmark X73
LimeWire 4.9.30
Logitech QuickCam
Macromedia Flash Player 8
Macromedia Shockwave Player
Mall Of America Tycoon
Mall Tycoon
Maxell CreateIt
MGI PhotoSuite 8.1 (Remove Only)
Microsoft AntiSpyware
Microsoft Data Access Components KB870669
Microsoft Office PowerPoint Viewer 2003
Microsoft Office Standard Edition 2003
Microsoft PowerPoint Viewer 97
Microsoft Windows XP Video Decoder Checkup Utility
Miss Bingo
Monopoly
Mozilla Firefox (1.0.6)
MSN Messenger 7.5
MSN Music Assistant
MSN Toolbar
Mustek Scanner Solutions for 600 III EP Plus v3.0
Nero - Burning Rom
NVIDIA Drivers
NVIDIA DVD Decoder
NVIDIA Windows 95/98/ME/2000/XP Stereo Drivers
Ocean Aquarium 3D Deluxe
Ocean Aquarium 3D Deluxe v1  Screen Saver
OpenMG Limited Patch 4.3-05-10-05-01
OpenMG Secure Module 4.3.00
PConPoint v1.1
Photo Explosion SE
PhotoShow Express 3
Railroad Tycoon II - Platinum
RCT3 Soaked
RealArcade
RealPlayer
Registry Mechanic
Roll
RollerCoaster Tycoon 2
RollerCoaster Tycoon 2: Time Twister
RollerCoaster Tycoon 2: Wacky Worlds
RollerCoaster Tycoon® 3
Royal Vegas Online Casino
SeaStorm 3D Screensaver 1.5
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB912919)
Shizmoo Web Games (Uproar)
Shockwave
SmileyDistrict Optimizer
SonicStage 3.3
Sony ACID Music Studio 5.0
Spybot - Search & Destroy 1.3
SpySubtract
Storybook Weaver Deluxe
Survivor (tm)
The Game Of Life
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
WinAce Archiver
Window Washer 5
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 9 Series Winter Fun Pack
Windows Registry Repair Pro
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885354
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip
Yahoo! Messenger
your Poker Room
Zoo Tycoon: Complete Collection

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
hijacked
« Reply #11 on: January 17, 2006, 10:40:56 AM »
That log I saved earlier, Identified some bad files
Your versions of AVG and Spybot are out of date
We'll deal with that later
Don't install any other AV software yet

Print this out again or save to a text file for use in safe mode

Can you do the following please
Reboot into safe mode

Access your Add/Remove programs via control panel
Remove SmileyDistrict Optimizer

Stay in safe mode
Navigate to the following folder
C:\WINDOWS\system32
Open the System32 folder

Inside that folder, delete the following files if found
======================
combo.exe
cadrpuyy.exe
fijoxjpf.exe
hpxxfaaa.exe
myuqaaaa.exe
nppktrsr.exe
otyyltns.dll
setdrv32.dll
 __sys.exe
======================

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Let it finish scanning
When it's done, decline to log off or restart the computer

Do a "System scan only" with Hijackthis and put a check next to these entries:

O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\setdrv32.dll

O20 - Winlogon Notify: setdrv32 - C:\WINDOWS\SYSTEM32\setdrv32.dll


After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot back to Normal mode

Use Internet Explorer and Run the online Panda ActiveScan
    * Once you are on the Panda site click the Scan your PC button.
    * A new window will open...click the big Check Now button.
    * Enter your Country.
    * Enter your State/Province.
    * Enter your e-mail address.
    * Select either "Home User or Company."
    * Click the big Scan Now button.
    * Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
    * Click on Local Disks to start the scan.

When the scan is complete, click See Report, then click Save Report and save it to your Desktop.

Post back the following please
1. Post back a fresh hijackthis log
2. Post the full report from Panda's



Offline flipper1

hijacked
« Reply #12 on: January 17, 2006, 02:38:48 PM »
Logfile of HijackThis v1.99.1
Scan saved at 3:37:13 PM, on 1/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Aladdin Systems\iClean\iClean.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\F-Secure Internet Security\fswsclds.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Service.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\shelly\My Documents\Unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iClean] "C:\Program Files\Aladdin Systems\iClean\iClean.exe" /I
O4 - Startup: LimeWire On Startup.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{28D59922-6E28-42FA-B1D6-99AFA4FDCE3D}: NameServer = 198.164.4.62 198.164.30.62
O23 - Service: AVG6 Service (AvgServ) - GRISOFT© SOFTWARE s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: F-Secure Windows Security Center Legacy Detection Service (Fswsclds) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\fswsclds.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe




Incident                      Status             Location
Spyware:Spyware/Virtumonde    Not disinfected    C:\Documents and Settings\shelly\My Documents\Unzipped\hijackthis[1]\backups\backup-20060116-215404-441.dll
Virus:Eicar.Mod               Not disinfected    C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
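The two HijackThis entries guestolo asked to have fixed above (an O2 BHO and an O20 Winlogon Notify entry, both loading setdrv32.dll, a file the ewido scan had already reported) are the kind of load point a responder wants to pick out of a log mechanically rather than by eye, and the fresh log posted afterwards is the check that they are really gone. The following Python script is an added example, not code from HijackThis or from anyone in this thread: it parses HijackThis-format entry lines, flags orphaned BHOs, Winlogon Notify packages and any entry whose file name is on a scanner's list, and diffs two logs to confirm which flagged lines disappeared. The sample log lines are constructed from entries quoted in this thread; `SUSPECT_FILES` and every function name are assumptions of the example.

```python
"""Triage HijackThis-format log lines (added example, not HijackThis's own code).

Flags three things a responder looks at first:
  * O2 BHO entries registered with no DLL on disk ("(no file)");
  * any entry whose file name matches a list the scanner already reported;
  * O20 Winlogon Notify packages, which load at every logon and are a
    common persistence point, so the DLL's publisher deserves a check.
It can also diff two logs to confirm that flagged lines are gone after a fix.
"""
import re
from dataclasses import dataclass

# Constructed sample: the two entries the thread asked to fix, plus a few
# ordinary lines taken from the fresh log posted afterwards.
BEFORE_LOG = r"""
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\setdrv32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O20 - Winlogon Notify: setdrv32 - C:\WINDOWS\SYSTEM32\setdrv32.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Constructed "fresh log" after the fix: the flagged lines are gone.
AFTER_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumed input: file names lifted from the scanner report earlier in the thread.
SUSPECT_FILES = ("setdrv32.dll", "__sys.exe")

# A HijackThis entry is "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# The last drive-letter path in the body is the file the entry loads.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s]+')
SECTION_NAMES = {"O2": "BHO", "O4": "autorun", "O20": "Winlogon Notify", "O23": "service"}


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(text):
    """Yield (section, body) for every HijackThis entry line; ignore everything else."""
    for raw in text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            yield match.group("section"), match.group("body")


def loaded_file(body):
    """Return the lower-cased file name the entry points at, or '' if it has none."""
    paths = PATH_RE.findall(body)
    return paths[-1].rsplit("\\", 1)[-1].lower() if paths else ""


def flag_entries(text, suspect_files=SUSPECT_FILES):
    """Return the Findings for one log, in log order."""
    suspects = {name.lower() for name in suspect_files}
    findings = []
    for section, body in parse_entries(text):
        name = loaded_file(body)
        if section == "O2" and body.endswith("(no file)"):
            reason = "orphaned BHO registration: DLL missing on disk"
        elif name and name in suspects:
            reason = f"{SECTION_NAMES.get(section, section)} loads {name}, which the scanner reported"
        elif section == "O20":
            reason = "Winlogon Notify package loads at every logon; verify the DLL's publisher"
        else:
            continue
        findings.append(Finding(section, reason, f"{section} - {body}"))
    return findings


def resolved(before, after, suspect_files=SUSPECT_FILES):
    """Flagged lines from `before` that no longer appear in `after`."""
    after_lines = {f"{s} - {b}" for s, b in parse_entries(after)}
    return [f for f in flag_entries(before, suspect_files) if f.line not in after_lines]


if __name__ == "__main__":
    for f in flag_entries(BEFORE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(f"\n{len(resolved(BEFORE_LOG, AFTER_LOG))} flagged entries are gone from the fresh log.")
```

On the constructed input the script flags the setdrv32.dll BHO, the orphaned BHO and the setdrv32 Winlogon Notify entry, reports none of them in the fresh log, and leaves the Spybot helper, the AVG autorun and the NVIDIA service alone. The O20 rule deliberately only asks for a publisher check rather than marking every Winlogon Notify entry bad, since Windows registers legitimate ones as well.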

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
hijacked
« Reply #13 on: January 17, 2006, 02:51:45 PM »
Good work, any problem deleting any of those files in the System32 folder?

Can you do the following please
Your version of AVG Anti-Virus is way out of date
Can you go to this link please
http://free.grisoft.com/doc/2/lng/us/tpl/v5

Scroll down and click on the following link
AVG Free for Windows installation files
File   Version
avg71free_375a691.exe <-this one, or similar
Save the installer to desktop, don't install it yet

Access your Add/Remove programs and remove

AVG 6.0 Anti-Virus - FREE Edition
Reboot the computer after it is removed

Back in Windows
Install AVG7 (The installer you saved to desktop)
Follow the prompts to install, when it's done, ensure it is updated, run a complete system
Let it finish

When it's done, your version of Spybot is out of date
Back in Add/Remove programs
Remove Spybot - Search & Destroy 1.3
Reboot if prompted

Back in Windows
Download Spybot 1.4 from HERE or HERE

After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and then download all updates
After update is complete
Click the "Immunize" button on the left>>>OK at the prompt>>Immunize at the top green cross
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected problems in RED

Restart the computer if any RED entries were found and fixed
Check for updates every couple of weeks and do the above

I'm concerned about your versions of Ad-Aware
You have both  
Ad-aware 6 Professional
Ad-Aware SE Personal
It's not a good idea to install 2 versions together
Since you had the pro version, were you qualified for an upgrade?
Or were you not planning on renewing your subscription?

Come back here and let me know how everything's running
Let me know the info about Ad-Aware



Offline flipper1

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
hijacked
« Reply #14 on: January 17, 2006, 04:39:20 PM »
Everything seems to be running smoothly. I got rid of one of the Ad-Awares. Thank you for all your help. I'll probably be back in the future, lol. Thanks again.