Topic: smartsecurity - another victim

Offline ckn

« on: May 06, 2005, 09:00:53 PM »
here is my log. please help. i tried to fix it myself, but it keeps coming back. i got this log after doing msconfig and restarting. please help.

Logfile of HijackThis v1.99.1
Scan saved at 9:54:36 PM, on 5/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BigFix\BigFix.exe
C:\jet95\JETSTAT.EXE
C:\Program Files\HJT\HijackThis.exe

F3 - REG:win.ini: load=  
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP LaserJet 3150 Status.lnk = C:\jet95\JETSTAT.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Offline guestolo

« Reply #1 on: May 07, 2005, 01:32:49 AM »
Can you do the following please? Using msconfig can hide malicious activity; it's important I see everything.
Can you go back to msconfig and enable all startup entries
Do a Normal startup

OK it, but decline to restart the computer afterwards
Instead run another scan with Hijackthis and post a fresh log

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline ckn

« Reply #2 on: May 07, 2005, 09:18:06 PM »
[quote name='guestolo' date='May 7 2005, 12:32 AM']Can you do the following please, using msconfig can hide malicious activity, it's important I see everything
Can you go back to msconfig and enable all startup entries
Do a Normal startup

Ok it but decline to restart the computer afterwards
Instead run another scan with Hijackthis and post a fresh log
[/quote]

Thanks. Here is the new HJT log. (I think I followed all the instructions.) Please help, we are desperate and afraid....

Logfile of HijackThis v1.99.1
Scan saved at 10:12:41 PM, on 5/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BigFix\BigFix.exe
C:\jet95\JETSTAT.EXE
C:\DOCUME~1\andrew\LOCALS~1\Temp\mwavscan.com
C:\DOCUME~1\andrew\LOCALS~1\Temp\kavss.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HJT\HijackThis.exe

O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP LaserJet 3150 Status.lnk = C:\jet95\JETSTAT.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

==============================================

I also ran MAV 6.1.7 to check for viruses (I opened IE and got the about:blank home page, so I knew something was wrong). Here is the virus log:

File C:\WINDOWS\System32\srpcsrv32.dll infected by "Trojan-Downloader.Win32.Adload.g" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\spoolsrv32.exe infected by "not-a-virus:AdWare.FindSpy.e" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\thun32.dll infected by "Trojan-Proxy.Win32.Small.bk" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\picsvr\picsvr.exe infected by "Trojan-Downloader.Win32.Delmed.b" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\thun32.dll infected by "Trojan-Proxy.Win32.Small.bk" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\picsvr\picsvr.exe infected by "Trojan-Downloader.Win32.Delmed.b" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\spoolsrv32.exe infected by "not-a-virus:AdWare.FindSpy.e" Virus. Action Taken: No Action Taken.

File System Found infected by "mxoaldr Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "PerfectNav Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "GrokSter Spyware/Adware" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\NDNuninstall4_80.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\NDNuninstall4_88.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\NDNuninstall4_94.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\NDNuninstall5_40.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\NDNuninstall5_48.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\aornutgw.exe infected by "Trojan-Dropper.Win32.Agent.ii" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\Clifford Uninstall.exe infected by "Virus.Win9x.CIH.dam" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\dknqipxf.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\jqxnaaaa.exe infected by "Trojan-Dropper.Win32.Small.wv" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\srpcsrv32.dll infected by "Trojan-Downloader.Win32.Adload.g" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\txfdb32.dll infected by "Trojan-Downloader.Win32.Adload.g" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\winrokup.dll infected by "Backdoor.Win32.PPdoor.j" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\wldr.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\andrew\LOCALS~1\Temp\27.exe\27.exe infected by "Trojan-Downloader.Win32.RPV.f" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\andrew\LOCALS~1\Temp\983723.exe infected by "not-a-virus:AdWare.AdWast.a" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\andrew\LOCALS~1\Temp\btv_1001.exe infected by "Trojan-Downloader.Win32.RVP.e" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\andrew\LOCALS~1\Temp\cpr_in.exe infected by "Trojan-Downloader.Win32.Adroar" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\andrew\LOCALS~1\Temp\gstin.exe infected by "Trojan-Downloader.Win32.Delmed.a" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\andrew\LOCALS~1\Temp\iB9.tmp infected by "not-a-virus:AdWare.SurfSide.d" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\andrew\LOCALS~1\Temp\PerfectNavUninstall.exe infected by "Trojan-Downloader.Win32.Keenval.f" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\andrew\LOCALS~1\Temp\SSK_B5.EXE infected by "Trojan-Downloader.Win32.Small.qn" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\andrew\LOCALS~1\Temp\tmpD.tmp infected by "Trojan-Downloader.Win32.Small.aql" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\andrew\LOCALS~1\Temp\UpdatedUpdaterInstall.exe infected by "Trojan-Downloader.Win32.Small.alx" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\andrew\LOCALS~1\Temp\uppicsvr.exe infected by "not-a-virus:AdWare.DelphinMedia.Viewer.f" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\andrew\LOCALS~1\TEMPOR~1\Content.IE5\8KIF51P2\file[1].exe infected by "Trojan-Dropper.Win32.Small.oy" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet9.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy2.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy5.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\andrew\Desktop\HSFix\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.

File C:\Documents and Settings\andrew\Desktop\HSFix.zip tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.

File C:\Documents and Settings\andrew\Local Settings\Temp\27.exe\27.exe infected by "Trojan-Downloader.Win32.RPV.f" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\andrew\Local Settings\Temp\983723.exe infected by "not-a-virus:AdWare.AdWast.a" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\andrew\Local Settings\Temp\btv_1001.exe infected by "Trojan-Downloader.Win32.RVP.e" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\andrew\Local Settings\Temp\cpr_in.exe infected by "Trojan-Downloader.Win32.Adroar" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\andrew\Local Settings\Temp\gstin.exe infected by "Trojan-Downloader.Win32.Delmed.a" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\andrew\Local Settings\Temp\iB9.tmp infected by "not-a-virus:AdWare.SurfSide.d" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\andrew\Local Settings\Temp\PerfectNavUninstall.exe infected by "Trojan-Downloader.Win32.Keenval.f" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\andrew\Local Settings\Temp\SSK_B5.EXE infected by "Trojan-Downloader.Win32.Small.qn" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\andrew\Local Settings\Temp\tmpD.tmp infected by "Trojan-Downloader.Win32.Small.aql" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\andrew\Local Settings\Temp\UpdatedUpdaterInstall.exe infected by "Trojan-Downloader.Win32.Small.alx" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\andrew\Local Settings\Temp\uppicsvr.exe infected by "not-a-virus:AdWare.DelphinMedia.Viewer.f" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\andrew\Local Settings\Temporary Internet Files\Content.IE5\8KIF51P2\file[1].exe infected by "Trojan-Dropper.Win32.Small.oy" Virus. Action Taken: No Action Taken.

File C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe infected by "not-a-virus:AdWare.DelphinMedia.Viewer.f" Virus. Action Taken: No Action Taken.

File C:\Program Files\Kazaa\PerfectNavUninstall.exe infected by "Trojan-Downloader.Win32.Keenval.f" Virus. Action Taken: No Action Taken.

File C:\RECYCLER\S-1-5-21-3826821714-869365757-1532886375-1005\Dc80.exe infected by "Trojan-Downloader.Win32.Adroar" Virus. Action Taken: No Action Taken.

File C:\RECYCLER\S-1-5-21-3826821714-869365757-1532886375-1005\Dc84.exe infected by "Trojan-Downloader.Win32.Adroar" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP804\A0075736.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP804\A0075740.exe infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP804\A0075741.srg infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP804\A0075746.exe infected by "not-a-virus:AdWare.WebSearch.n" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP804\A0075748.exe infected by "not-a-virus:AdWare.Wintol.y" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP804\A0075763.exe infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP804\A0075764.srg infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP804\A0075771.exe infected by "not-a-virus:AdWare.WebSearch.n" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP804\A0075772.exe infected by "not-a-virus:AdWare.Wintol.y" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP806\A0075781.exe infected by "not-a-virus:AdWare.AdWast.a" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP806\A0075783.dll infected by "Trojan-Downloader.Win32.Adroar" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP806\A0075803.exe infected by "Trojan-Downloader.Win32.Dyfuca.dx" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP806\A0075814.dll infected by "not-a-virus:AdWare.Altnet.c" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP806\A0075822.exe infected by "not-a-virus:AdWare.WebRebates.d" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP806\A0075823.exe infected by "not-a-virus:AdWare.WebRebates.c" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP806\A0075824.exe infected by "not-a-virus:AdWare.WebRebates.f" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP806\A0075828.EXE infected by "not-a-virus:AdWare.Toolbar.MyWay.b" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP806\A0075829.DLL infected by "not-a-virus:AdWare.ToolBar.MyWay.f" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP807\A0075871.exe infected by "not-a-virus:AdWare.WebSearch.n" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP807\A0075872.exe infected by "not-a-virus:AdWare.Wintol.y" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP809\A0075896.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP809\A0075907.dll infected by "not-a-virus:AdWare.WebSearch.aa" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP810\A0075911.dll infected by "Trojan-Downloader.Win32.Adroar" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP810\A0075913.exe infected by "not-a-virus:AdWare.WebSearch.n" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP810\A0075914.exe infected by "not-a-virus:AdWare.WebSearch.n" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP810\A0075915.dll infected by "not-a-virus:AdWare.WebSearch.aa" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP810\A0075918.DLL infected by "not-a-virus:AdWare.ToolBar.MyWay.m" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP810\A0075925.exe infected by "not-a-virus:AdWare.TotalVelocity.aj" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP810\A0075926.dll infected by "not-a-virus:AdWare.TotalVelocity.v" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP810\A0075927.dll infected by "not-a-virus:AdWare.TotalVelocity.aj" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP810\A0075928.exe infected by "not-a-virus:AdWare.Wintol.y" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP810\A0075938.exe infected by "not-a-virus:AdWare.Wintol.y" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP845\A0076123.exe infected by "Trojan.Win32.Agent.cd" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP846\A0077118.exe infected by "Trojan.Win32.Agent.cd" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078398.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078447.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078448.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078450.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078475.dll infected by "Backdoor.Win32.PPdoor.j" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078477.dll infected by "Trojan-Downloader.Win32.Adload.g" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078478.exe infected by "not-a-virus:AdWare.FindSpy.e" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078479.dll infected by "Trojan-Downloader.Win32.Adload.g" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078480.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078481.exe infected by "Trojan-Dropper.Win32.Agent.ii" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078483.dll infected by "Trojan-Proxy.Win32.Small.bk" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078485.exe infected by "Trojan-Dropper.Win32.Small.wv" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078487.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP848\A0078488.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP851\A0078718.dll infected by "not-a-virus:AdWare.WinAD.ag" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP851\A0078719.exe infected by "not-a-virus:AdWare.WinAD.af" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP851\A0078720.exe infected by "not-a-virus:AdWare.WinAD.ai" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP851\A0078721.cfg infected by "Trojan-Downloader.Win32.RVP.e" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP851\A0078723.exe infected by "not-a-virus:AdWare.ToolBar.SideBar.a" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP851\A0078724.vxd infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP851\A0078725.exe infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP851\A0078726.exe infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP851\A0078727.srg infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP852\A0078740.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP853\A0078757.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP853\A0078758.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP853\A0078759.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP853\A0078760.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP853\A0078761.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP853\A0078762.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP853\A0078763.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}\RP853\A0078764.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\temp\Bargains.exe infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.

File C:\temp\CtxPlus.exe infected by "Trojan-Downloader.Win32.Apropo.ab" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\NDNuninstall4_80.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\NDNuninstall4_88.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\NDNuninstall4_94.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\NDNuninstall5_40.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\NDNuninstall5_48.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\aornutgw.exe infected by "Trojan-Dropper.Win32.Agent.ii" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\Clifford Uninstall.exe infected by "Virus.Win9x.CIH.dam" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\dknqipxf.exe infected by "Trojan.Win32.StartPage.he" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\jqxnaaaa.exe infected by "Trojan-Dropper.Win32.Small.wv" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\nsvsvc\nsv.ocx infected by "not-a-virus:AdWare.DelphinMediaViewer.c" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\nsvsvc\nsvs.dll infected by "not-a-virus:AdWare.DelphinMedia.Viewer.f" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\nsvsvc\nsvsvc.exe infected by "not-a-virus:AdWare.DelphinMedia.Viewer.f" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\srpcsrv32.dll infected by "Trojan-Downloader.Win32.Adload.g" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\txfdb32.dll infected by "Trojan-Downloader.Win32.Adload.g" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\winrokup.dll infected by "Backdoor.Win32.PPdoor.j" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\wldr.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.
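One way to cross-check the two logs in the post above, as an added example (not a tool from this thread, from HijackThis or from the scanner): it parses the HijackThis O2/O4/O10 lines and the scanner's "File ... infected by" lines, then lists the autorun entries whose target the scanner reported, an unrecognised Winsock LSP DLL repeated across O10 lines, and a RunOnce target present in both HKLM and HKCU. The embedded logs are a constructed subset of the ones posted above, and the function names are my own.

```python
"""Cross-check HijackThis autorun entries against an antivirus scan report.

Added example for this thread, not a forum or HijackThis tool: parses the two
log formats posted above and flags (1) entries whose target the scanner
reported, (2) LSP DLLs listed on more than one O10 line, and (3) RunOnce
targets registered in more than one hive.
"""
import re
from collections import Counter

# Constructed sample in the formats posted above (a subset of the real logs).
HJT_LOG = r"""
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
"""

SCAN_LOG = r"""
File C:\WINDOWS\System32\srpcsrv32.dll infected by "Trojan-Downloader.Win32.Adload.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\spoolsrv32.exe infected by "not-a-virus:AdWare.FindSpy.e" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\picsvr\picsvr.exe infected by "Trojan-Downloader.Win32.Delmed.b" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\andrew\Desktop\HSFix\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
"""

# A Windows path ending in an executable/library extension. The lazy quantifier
# makes a quoted path stop at its closing quote and drops a trailing "/background".
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|com|scr)\b', re.IGNORECASE)

# Both verdict forms seen in the scan log: 'infected by "X" Virus.' and 'tagged as X.'
SCAN_RE = re.compile(
    r'^File (?P<path>.+?) (?:infected by "(?P<v1>[^"]+)"|tagged as (?P<v2>.+?)\.?) '
    r'(?:Virus\. )?(?:Action Taken: )?No Action Taken\.$'
)


def parse_hjt(text):
    """Return [(section, context, lowercase_path)] for O2/O4/O10 lines."""
    entries = []
    for line in text.splitlines():
        m = re.match(r'^(O2|O4|O10) - (.+)$', line)
        if not m:
            continue
        section, rest = m.groups()
        path = PATH_RE.search(rest)
        if not path:
            continue
        # For O4 keep the registry hive / startup folder so RunOnce can be spotted.
        context = rest.split(':', 1)[0] if section == 'O4' else ''
        entries.append((section, context, path.group(0).lower()))
    return entries


def parse_scan(text):
    """Map lowercase path -> scanner verdict for every reported file."""
    verdicts = {}
    for line in text.splitlines():
        m = SCAN_RE.match(line)
        if m:
            verdicts[m.group('path').lower()] = m.group('v1') or m.group('v2')
    return verdicts


def flagged_autoruns(entries, verdicts):
    """Autorun/BHO/LSP entries whose target file the scanner reported."""
    return [(section, context, path, verdicts[path])
            for section, context, path in entries if path in verdicts]


def repeated_lsp(entries):
    """Unrecognised LSP DLLs listed on more than one O10 line."""
    counts = Counter(path for section, _, path in entries if section == 'O10')
    return {path: n for path, n in counts.items() if n > 1}


def runonce_in_both_hives(entries):
    """Files registered under RunOnce in more than one hive.

    Windows deletes a RunOnce value after it executes, so a target that is still
    there at every scan is being re-created by something that is still running.
    """
    hives = {}
    for section, context, path in entries:
        if section == 'O4' and context.endswith('RunOnce'):
            hives.setdefault(path, set()).add(context.split('\\')[0])
    return {path: sorted(h) for path, h in hives.items() if len(h) > 1}


def report(hjt_text=HJT_LOG, scan_text=SCAN_LOG):
    """Human-readable findings, one per line."""
    entries = parse_hjt(hjt_text)
    verdicts = parse_scan(scan_text)
    lines = []
    for section, context, path, verdict in flagged_autoruns(entries, verdicts):
        lines.append(f'{section} {context}: {path} -> {verdict}')
    for path, n in repeated_lsp(entries).items():
        lines.append(f'O10 LSP DLL listed {n} times: {path}')
    for path, hives in runonce_in_both_hives(entries).items():
        lines.append(f'RunOnce in {"+".join(hives)}: {path}')
    return lines


if __name__ == '__main__':
    print('\n'.join(report()))
```

Paths are compared after lowercasing only, so the 8.3 form (C:\DOCUME~1\...) and the long form of the same temp file count as separate keys, exactly as they appear twice in the scan log above.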

Offline guestolo

« Reply #3 on: May 08, 2005, 04:49:39 PM »
Can you do me a favor before we try some fixes
Open Hijackthis>>Open Misc tools sections>>Open Uninstall Manager
Click the SAVE LIST button
Save the list and post it back here

Then we'll get to work on your log



Offline ckn

« Reply #4 on: May 08, 2005, 07:28:33 PM »
[quote name='guestolo' date='May 8 2005, 03:49 PM']Can you do me a favor before we try some fixes
Open Hijackthis>>Open Misc tools sections>>Open Uninstall Manager
Click the SAVE LIST button
Save the list and post it back here

Then we'll get to work on your log
[/quote]

Thank you again. Here is the log I got following your instructions

3D Groove Playback Engine
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adware Patrol 1.0.8
AlertSpy 1.0.8
Avance AC'97 Audio
Big Action Construction
BigFix
Browser Helper
Chessmaster 10th Edition
Coelho Sabido e a Estrela Cintilante
CompuServe
Conexant SoftK56 Modem(M)
Curious George Learns Phonics
DELL TrueMobile 1180 Wireless USB
Display Utility
FlashTrack Uninstall
GameSpy Arcade
Google Toolbar for Internet Explorer
Gutterball
HijackThis 1.99.1
Intel® Extreme Graphics Driver Software
Internet Chess
iPod mini 1.0 for Windows User Guide
iPod mini Software Updater 1.0
iTunes
Java 2 Runtime Environment Standard Edition v1.3.1_02
JetSuite Pro for the HP LaserJet 3150
JumpStart Advanced 1st Grade
JumpStart Phonics
KODAK Picture CD
Learn to Play Chess with Fritz and Chesster
Learn to Play Chess with Fritz and Chesster 2
LEGO My Style Preschool
Macromedia Shockwave Player
Math Missions Grades K-2
McAfee Firewall
McAfee VirusScan
Medal of Honor Allied Assault
Microsoft .NET Framework 1.1
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Works 6.0
Mozilla Firefox (1.0)
MSN Messenger 6.2
Outlook Express Q837009
Playhouse Disney's Stanley Wild for Sharks
QuickTime
Reader Rabbit 1st Grade
Reader Rabbit Playtime for Baby
Reader Rabbit Thinking Adventures Ages 4-6
Reader Rabbit Toddler
Reader Rabbit's Math Ages 6-9
RealPlayer
Rescue Heroes Hurricane Havoc
Rescue Heroes Meteor Madness
Rescue Heroes Mission Select
Rescue Heroes(tm) Lava Landslide
Rescue Heroes(tm) Tremor Trouble
Shockwave
Spinner the Space Kid (remove only)
Spybot - Search & Destroy 1.3
Viewpoint Media Player (Remove Only)
Winamp (remove only)
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839643
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Hotfix (SP2) Q819696
Windows XP Service Pack 1a
Yahoo! Companion
Zoombinis Logical Journey(tm)

Offline guestolo

« Reply #5 on: May 08, 2005, 07:59:06 PM »
I expected to see an entry in the Uninstall manager list

Can we try the following please

==Download and Install this small program
to help clean your temp folders, cookies, etc...
Windows Cleanup
Give the link time to load or try it twice, it may be busy
Install for now, don't run a scan yet

==Download the Pocket Killbox
UNZIP it to a folder of your choice

==Download and then Install
Ewido Trojan Scanner

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
Also, know how to start into safe mode in advance, if unsure, look at the link I supplied ahead of time

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis


==Run Pocket KillBox>>Now KillBox and this Notepad file are open
Click on Tools>>Delete Temp files

In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in

C:\WINDOWS\System32\srpcsrv32.dll  

Select the radio button to
 Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO

Continue to copy and paste the next paths to the files below into killbox
Selecting Delete on Reboot afterwards

C:\WINDOWS\System32\spoolsrv32.exe
C:\WINDOWS\System32\thun32.dll
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\WINDOWS\NDNuninstall4_80.exe
C:\WINDOWS\NDNuninstall4_88.exe

C:\WINDOWS\NDNuninstall4_94.exe
C:\WINDOWS\NDNuninstall5_40.exe
C:\WINDOWS\NDNuninstall5_48.exe

C:\WINDOWS\System32\aornutgw.exe
C:\WINDOWS\System32\Clifford Uninstall.exe
C:\WINDOWS\System32\dknqipxf.exe
C:\WINDOWS\System32\jqxnaaaa.exe
C:\WINDOWS\System32\txfdb32.dll
C:\WINDOWS\System32\winrokup.dll

C:\WINDOWS\System32\wldr.dll
C:\DOCUME~1\andrew\LOCALS~1\Temp\27.exe\27.exe
C:\DOCUME~1\andrew\LOCALS~1\Temp\983723.exe
C:\DOCUME~1\andrew\LOCALS~1\Temp\btv_1001.exe
C:\DOCUME~1\andrew\LOCALS~1\Temp\cpr_in.exe

C:\DOCUME~1\andrew\LOCALS~1\Temp\gstin.exe
C:\DOCUME~1\andrew\LOCALS~1\Temp\iB9.tmp
C:\DOCUME~1\andrew\LOCALS~1\Temp\PerfectNavUninstall.exe
C:\DOCUME~1\andrew\LOCALS~1\Temp\SSK_B5.EXE
C:\DOCUME~1\andrew\LOCALS~1\Temp\tmpD.tmp
C:\DOCUME~1\andrew\LOCALS~1\Temp\UpdatedUpdaterInstall.exe
C:\DOCUME~1\andrew\LOCALS~1\Temp\uppicsvr.exe

C:\DOCUME~1\andrew\LOCALS~1\TEMPOR~1\Content.IE5\8KIF51P2\file[1].exe
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe
C:\Program Files\Kazaa\PerfectNavUninstall.exe


When you've entered the last path to the file
Allow the computer to Reboot
or Restart the computer anyways
When restarting try and restart the computer into SAFE MODE by tapping the F8 key as the system is restarting, right after the single post beep after the bios loads

In safe mode

Find and delete this folder if it exists
C:\WINDOWS\System32\picsvr <-folder

Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Decline to Log off

In Safe mode
==Open Ewido trojan scanner
Click on the Scanner button in the left menu, then click on the Start button. This scan can take a while, so give it time to run
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Save the report

Go to START>>RUN>>type in
msconfig
Hit OK
Ensure that Normal startup is checked
OK it and close

Restart back to Normal mode

In Normal mode run another scan with Hijackthis and post a fresh log

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline guestolo

smartsecurity - another victim
« Reply #6 on: May 08, 2005, 08:30:53 PM »
I forgot to ask you to download this utility too
If you haven't started the fixes yet
Can you also

Download and save to desktop
WinsockXPfix.exe

Download it before doing the above fixes

After you have done the previous fixes
Double click to run WinsockXPfix.exe
With all browser windows closed, it will restart your computer

Afterwards post a fresh hijackthis log and the report from Ewidos
« Last Edit: May 08, 2005, 08:31:17 PM by guestolo »



Guest

smartsecurity - another victim
« Reply #7 on: May 08, 2005, 11:03:26 PM »
[quote name='guestolo' date='May 8 2005, 07:30 PM']I forgot to ask you to download this utility too
If you haven't started the fixes yet
Can you also

Download and save to desktop
WinsockXPfix.exe

Download it before doing the above fixes

After you have done the previous fixes
Double click to run WinsockXPfix.exe
With all browser windows closed, it will restart your computer

Afterwards post a fresh hijackthis log and the report from Ewidos
[/quote]

Thanks. I downloaded and ran WinsockXPfix after I was done with the above. (I had not seen your follow-up).

Here is the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 11:58:58 PM, on 5/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\jet95\JETSTAT.EXE
C:\Program Files\HJT\HijackThis.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HP LaserJet 3150 Status.lnk = C:\jet95\JETSTAT.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

===========================================

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         11:48:57 PM, 5/8/2005
 + Report-Checksum:      31BEE7C5

 + Date of database:      5/9/2005
 + Version of scan engine:   v3.0

 + Duration:            56 min
 + Scanned Files:         78234
 + Speed:            23.22 Files/Second
 + Infected files:         9
 + Removed files:         9
 + Files put in quarantine:      9
 + Files that could not be opened:   0
 + Files that could not be cleaned:   0

 + Binder:      Yes
 + Crypter:      Yes
 + Archives:      Yes

 + Scanned items:
   C:\

 + Scan result:
   C:\!Submit\aornutgw.exe -> TrojanDropper.Agent.ii -> Cleaned with backup
   C:\Program Files\Common Files\Java\flenclean.exe -> Spyware.Broadcap.b -> Cleaned with backup
   C:\Program Files\Common Files\Java\flnclean.exe -> Spyware.Broadcap.b -> Cleaned with backup
   C:\Program Files\Fln\flnclean.exe -> Spyware.Broadcap.b -> Cleaned with backup
   C:\Program Files\Fln\Uninst.exe -> Spyware.Broadcap.b -> Cleaned with backup
   C:\WINDOWS\system32\gttapaaa.exe -> Spyware.Quaq -> Cleaned with backup
   C:\WINDOWS\system32\nsvsvc\nsv.ocx -> Spyware.DelphinMediaViewer.c -> Cleaned with backup
   C:\WINDOWS\system32\nsvsvc\nsvs.dll -> Spyware.DelphinMedia.f -> Cleaned with backup
   C:\WINDOWS\system32\nsvsvc\nsvsvc.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup


::Report End
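
As an added example that is not part of this thread: a small Python parser for HijackThis entry lines that diffs the first log against the one posted after the fix, and checks that the O4 autostarts guestolo listed, the Fln BHO and the O10 Winsock LSP lines are gone. The sample logs are constructed from lines quoted in this thread, not complete logs.

```python
# Added example, not from the thread: sample logs are built from lines posted above.
import re

# A HijackThis entry line: section tag (F3, O2, O4, O10, O23 ...), " - ", entry text.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.+)$")

BEFORE_LOG = r"""
F3 - REG:win.ini: load=
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
"""
AFTER_LOG = r"""
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HP LaserJet 3150 Status.lnk = C:\jet95\JETSTAT.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

def parse_hjt(text):
    """Map each section tag to the set of entry texts listed under it."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m.group(1), set()).add(m.group(2))
    return entries

def diff_logs(before, after):
    """Return (removed, added): entries that vanished and entries that appeared."""
    b, a = parse_hjt(before), parse_hjt(after)
    removed = sorted((s, e) for s in b for e in b[s] - a.get(s, set()))
    added = sorted((s, e) for s in a for e in a[s] - b.get(s, set()))
    return removed, added

def leftover_targets(log, targets):
    """(section, substring) targets still present in a log, matched case-insensitively."""
    found = parse_hjt(log)
    return [(s, sub) for s, sub in targets
            if any(sub.lower() in e.lower() for e in found.get(s, ()))]

# The O4 lines guestolo told the poster to fix, the Fln BHO that the Ewido scan
# also hit, and the Winsock LSP entries that WinsockXPFix is meant to repair.
FIX_TARGETS = [("O4", "picsvr.exe"), ("O4", "spoolsrv32.exe"), ("O4", "BigFix"),
               ("O2", "fln.dll"), ("O10", "flsmngr.dll")]
```

Run `diff_logs(BEFORE_LOG, AFTER_LOG)` to see what the fix removed, and `leftover_targets(AFTER_LOG, FIX_TARGETS)` should come back empty once the cleanup worked.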

Offline ak98

smartsecurity - another victim
« Reply #8 on: May 09, 2005, 10:02:59 PM »
just bumping up

Guest

smartsecurity - another victim
« Reply #9 on: May 10, 2005, 07:56:05 PM »
bump

Offline guestolo

smartsecurity - another victim
« Reply #10 on: May 10, 2005, 08:09:46 PM »
Sorry for the delay, can you let me know
Do you still have McAfee's AV and Firewall installed

Could you also post a fresh Hijackthis log



Guest

smartsecurity - another victim
« Reply #11 on: May 21, 2005, 05:32:01 PM »
[quote name='guestolo' date='May 10 2005, 07:09 PM']Sorry for the delay, can you let me know
Do you still have McAfee's AV and Firewall installed

Could you also post a fresh Hijackthis log
[/quote]

Back from China! Yes to both


Here is the HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 6:30:20 PM, on 5/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\jet95\JETSTAT.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HJT\HijackThis.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HP LaserJet 3150 Status.lnk = C:\jet95\JETSTAT.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Offline guestolo

smartsecurity - another victim
« Reply #12 on: May 23, 2005, 05:48:06 AM »
The run entries for McAfee's are missing from the log

To ensure it's running properly
You should Uninstall McAfee's altogether and then reinstall it

That should ensure it is starting properly

Could you post a fresh hijackthis log afterwards, thanks
