Author Topic: My comp is infected T_T  (Read 2243 times)

Offline `anne

My comp is infected T_T
« on: May 14, 2005, 03:00:27 AM »
Hey u guys, well last night (FRIDAY THE 13th) my comp was working all well until I opened it up this afternoon. My desktop pic has this msg on it:

WARNING!
YOU'RE IN DANGER!

ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK. WHEN YOU VISIT SITES, SEND EMAILS... ALL YOUR ACTIONS ARE LOGGED. AND IT IS IMPOSSIBLE TO REMOVE THEM WITH STANDARD TOOLS. YOUR DATA IS STILL AVAILABLE FOR FORENSICS. AND IN SOME CASES FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN.

Every site you or somebody or even something, like spyware, opened in your browser, with all images, and all downloaded and maybe later removed movies or mp3 songs - ARE STILL THERE and could broke your life!


SECURE YOURSELF RIGHT NOW!
REMOVE ALL SPYWARE FROM YOUR PC!


I have no idea how to remove this from my desktop pic. Here is my HijackThis log. I'm a computer noob so I hope someone can help me out on how to delete this. I know I have a couple of viruses on my comp also. Because of this I tried to install Spyware Doctor but it won't open up. Any spyware program I use won't open up. Please help T_T

Logfile of HijackThis v1.99.1
Scan saved at 6:10:19 PM, on 14/05/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\aiepk.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\combop.exe
C:\WINDOWS\System32\combo.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\System32\dwwin.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Xi\NetTransport 2\NetTransport.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\g\LOCALS~1\Temp\Rar$EX00.758\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.solid07.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 144.136.44.107:0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: BHO - {00000015-A527-34E7-25C2-03A4E313B2E9} - c:\WINDOWS\SYSTEM32\winsrvs_1.dll
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: (no name) - {4CA3918E-D923-27F2-776C-D2FDD5F29ADA} - (no file)
O2 - BHO: (no name) - {7371F073-AC0F-4b80-BB2F-96A488CEFB32} - (no file)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - (no file)
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: LBBHO Class - {EFD84954-6B46-42f4-81F3-94CE9A77052D} - C:\WINDOWS\lbbho.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [aiepk] C:\aiepk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Agent WebControl] C:\WINDOWS\System32\webvrite.exe
O4 - HKLM\..\Run: [FlnCPY] "C:\Program Files\Common Files\Java\flncpy.exe"
O4 - HKLM\..\Run: [combop.exe] combop.exe
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [adtgtkx] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [rtwleva] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [dfmgofv] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [tjjhxbb] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [gkrpree] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [tigipgt] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [bytbivr] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [vtuvgss] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [mrovbsi] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [emnlwlx] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [rlxjwvt] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [gnmsiyt] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [farjrej] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [redbrgj] c:\windows\yoldois.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {85AF9A98-3423-45E4-8BAD-85645F16AC31} (P3 Bugs VoD Loader Class) - http://player.bugs.co.kr/install/mv/p3bvset.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O21 - SSODL: WebControl Agent - {1B4690D8-20A2-4C6F-99A7-678A0038B35D} - C:\WINDOWS\System32\old2ator.dll
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
« Last Edit: May 14, 2005, 03:11:12 AM by `anne »

Offline guestolo

« Reply #1 on: May 14, 2005, 03:25:28 AM »
Could you download and UNZIP to desktop or a folder
Get2.zip
so you now have Get2.bat extracted to the desktop.
Double click on Get2.bat and a text file called Export2.txt will be produced.
Copy and paste back Export2.txt also.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline `anne

« Reply #2 on: May 14, 2005, 03:30:50 AM »
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=hex:00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network]

Here u go, this was what was on the notepad of the Export2.

Offline guestolo

« Reply #3 on: May 14, 2005, 04:11:18 AM »
Can you do the following please

==Download and Install this small program
to help clean your temp folders, cookies, etc...
Windows Cleanup
Give the link time to load or try it twice, it may be busy
Install for now, don't run a scan yet

==Download and save to desktop
Winsockfix XP
from the link

==Download RKFiles.zip from the link
http://skads.org/special/rkfiles.zip
UNZIP the contents to its own folder

==Download and then Install
Ewido Trojan Scanner

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later

Let's try some fixes now that we have the tools
But first, can you REDOWNLOAD HijackThis from my signature below and save it to a permanent folder; don't run HijackThis from your Temp directory

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Using Windows Explorer, find and delete these files or folders if found
FILES
c:\WINDOWS\SYSTEM32\winsrvs_1.dll <-file
C:\WINDOWS\System32\webvrite.exe
C:\WINDOWS\System32\combop.exe
C:\WINDOWS\System32\combo.exe
C:\WINDOWS\System32\old2ator.dll
C:\WINDOWS\System32\spoolsrv32.exe <-notice the spelling, don't delete anything else because it looks similar
C:\WINDOWS\lbbho.dll
c:\windows\ijvchie.exe
c:\windows\yoldois.exe
C:\Program Files\Common Files\Java\bptre.exe
C:\Program Files\Common Files\Java\flncpy.exe

FOLDERS
c:\Program Files\Fln <-this folder

Stay in safe mode
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Decline to Log off

==Run Ewido, and run a full scan. Clean any infected files found, and save the log from the scan.

==Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.solid07.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: BHO - {00000015-A527-34E7-25C2-03A4E313B2E9} - c:\WINDOWS\SYSTEM32\winsrvs_1.dll

O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: (no name) - {4CA3918E-D923-27F2-776C-D2FDD5F29ADA} - (no file)
O2 - BHO: (no name) - {7371F073-AC0F-4b80-BB2F-96A488CEFB32} - (no file)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - (no file)
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll

O2 - BHO: LBBHO Class - {EFD84954-6B46-42f4-81F3-94CE9A77052D} - C:\WINDOWS\lbbho.dll

O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"

O4 - HKLM\..\Run: [Agent WebControl] C:\WINDOWS\System32\webvrite.exe
O4 - HKLM\..\Run: [FlnCPY] "C:\Program Files\Common Files\Java\flncpy.exe"
O4 - HKLM\..\Run: [combop.exe] combop.exe
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O4 - HKCU\..\Run: [adtgtkx] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [rtwleva] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [dfmgofv] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [tjjhxbb] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [gkrpree] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [tigipgt] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [bytbivr] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [vtuvgss] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [mrovbsi] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [emnlwlx] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [rlxjwvt] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [gnmsiyt] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [farjrej] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [redbrgj] c:\windows\yoldois.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O21 - SSODL: WebControl Agent - {1B4690D8-20A2-4C6F-99A7-678A0038B35D} - C:\WINDOWS\System32\old2ator.dll


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Open the folder you unzipped rkfiles.zip to
Double click to run Rkfiles.bat
Wait for the scan to finish, give this time
When it's done a log will be produced, save this log
By default, it is saved to C:\Log.txt

Restart back to Normal mode

Don't open any browsers yet
Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"

Run the Fix from Winsockfix XP
When it's done it should restart your computer or Restart anyways

Post back a fresh HijackThis log and the report from Ewido
Also post the log from RKFiles.zip>>C:\Log.txt

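As an added example (not from the original thread, and not part of HijackThis), the following Python script encodes the triage heuristics the helper applied to anne's log so they can be re-run over any HijackThis-style log: a proxy set to port 0, BHOs registered with no file on disk, one binary launched from many throwaway Run values (ijvchie.exe above), unknown Winsock LSP modules, and Run targets whose name nearly matches a core system process (spoolsrv32.exe vs spoolsv.exe). The sample lines are constructed from the log posted above; the 0.8 similarity threshold and the SYSTEM_NAMES list are assumptions of this example.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 144.136.44.107:0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [adtgtkx] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [rtwleva] c:\windows\ijvchie.exe
O4 - HKCU\..\Run: [dfmgofv] c:\windows\ijvchie.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
"""

# "R1 - body", "O4 - body", ... : section code followed by the entry body.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [ValueName] command line
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First program path in a command line, quoted or not, with arguments dropped.
FILE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|ocx|scr|com|bat))(?:"|\s|$)', re.I)

# Assumed list of core Windows process names (all appear in the log's
# "Running processes" list); a Run target that nearly matches one is suspect.
SYSTEM_NAMES = ("smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "spoolsv.exe", "explorer.exe")


def basename(cmd):
    """Lowercase file name of the program a Run command launches."""
    m = FILE_RE.match(cmd.strip())
    parts = cmd.split()
    path = m.group("path") if m else (parts[0] if parts else "")
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lookalike(name):
    """System binary that `name` resembles without matching exactly, else None."""
    if name in SYSTEM_NAMES:
        return None
    score = lambda s: SequenceMatcher(None, name, s).ratio()
    best = max(SYSTEM_NAMES, key=score)
    return best if score(best) >= 0.8 else None  # 0.8 is an assumed threshold


def triage(log_text):
    """Return (section, reason, line) findings for the suspicious patterns above."""
    findings = []
    run_values = defaultdict(set)  # launched file name -> Run value names using it
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and ",ProxyServer = " in body:
            if body.rsplit(":", 1)[-1].strip() == "0":
                findings.append((sec, "proxy server pointing at port 0", line))
        elif sec == "O2" and body.rsplit(" - ", 1)[-1].strip() == "(no file)":
            findings.append((sec, "orphaned BHO registration (no file)", line))
        elif sec == "O4":
            r = RUN_RE.match(body)
            if r:
                name = basename(r.group("cmd"))
                run_values[name].add(r.group("name"))
                sysname = lookalike(name)
                if sysname:
                    findings.append((sec, f"{name} mimics system file {sysname}", line))
        elif sec == "O10" and body.startswith("Unknown file in Winsock LSP"):
            findings.append((sec, "unrecognized Winsock LSP module", line))
    # One binary registered under many throwaway value names (13 of them on anne's log).
    for name, values in run_values.items():
        if len(values) >= 3:
            findings.append(("O4", f"{len(values)} Run values launch {name}", name))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}: {line}")
```

The lookalike check only flags candidates for a human to compare against the real system file, which is exactly the "notice the spelling" caveat in the post above.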


Offline guestolo

« Reply #4 on: May 14, 2005, 04:23:27 AM »
Forgot to add this, anne.
Once you have done the above

Look for this file and delete it if it exists
C:\WINDOWS\Web\desktop.html

Also, Do the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Change your background>>You can change it back later if preferred
5. Click the Customize Desktop button.
6. Click the Web tab in the Desktop Items window.
7. Uncheck "Security", or make sure all checkboxes in this window are unchecked.
OK your way out.
Log off your user account and log back on again if anything unchecked



Offline `anne

« Reply #5 on: May 14, 2005, 08:26:36 AM »
The HijackThis list

Logfile of HijackThis v1.99.1
Scan saved at 11:24:22 PM, on 14/05/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\aiepk.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\g\My Documents\STuff\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 144.136.44.107:0
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [aiepk] C:\aiepk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {85AF9A98-3423-45E4-8BAD-85645F16AC31} (P3 Bugs VoD Loader Class) - http://player.bugs.co.kr/install/mv/p3bvset.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe


Ewidos report

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         10:32:19 PM, 14/05/2005
 + Report-Checksum:      3C298B20

 + Date of database:      14/05/2005
 + Version of scan engine:   v3.0

 + Duration:            94 min
 + Scanned Files:         156104
 + Speed:            27.43 Files/Second
 + Infected files:         78
 + Removed files:         39
 + Files put in quarantine:      39
 + Files that could not be opened:   0
 + Files that could not be cleaned:   39

 + Binder:      Yes
 + Crypter:      Yes
 + Archives:      Yes

 + Scanned items:
   C:\
   D:\
   C:\
   D:\

 + Scan result:
   C:\WINDOWS\SYSTEM32\ukbovaaa.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\SYSTEM32\scombop.exe -> Trojan.Small.ej -> Cleaned with backup
   C:\WINDOWS\SYSTEM32\srpcsrv32.dll -> TrojanDownloader.Adload.g -> Cleaned with backup
   C:\WINDOWS\SYSTEM32\DATCHECK.EXE -> Trojan.KeyPanic.a -> Cleaned with backup
   C:\WINDOWS\bdhsgqrp.dll -> Trojan.TalkStocks.a -> Cleaned with backup
   C:\WINDOWS\fmolzhql.dll -> Trojan.TalkStocks.a -> Cleaned with backup
   C:\WINDOWS\dxrijkca.dll -> Trojan.TalkStocks.a -> Cleaned with backup
   C:\WINDOWS\LastGood\webhdll.dll -> Spyware.WebHancer -> Cleaned with backup
   C:\WINDOWS\LastGood\whInstaller.exe -> Spyware.WebHancer -> Cleaned with backup
   C:\WINDOWS\LastGood\biprep.exe -> Trojan.Bispy.B -> Cleaned with backup
   C:\WINDOWS\NDNuninstall4_85.exe -> Spyware.NewDotNet -> Cleaned with backup
   C:\WINDOWS\NDNuninstall6_22.exe -> Spyware.NewDotNet -> Cleaned with backup
   C:\WINDOWS\NDNuninstall6_30.exe -> Spyware.NewDotNet -> Cleaned with backup
   C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet -> Cleaned with backup
   C:\WINDOWS\whInstaller.exe -> Spyware.WebHancer -> Cleaned with backup
   C:\Program Files\Common Files\WinTools\WToolsA(2).exe -> Spyware.Wintol.i -> Cleaned with backup
   C:\Program Files\Common Files\Java\Xcpy1.exe -> Spyware.Broadcap.b -> Cleaned with backup
   C:\Program Files\Common Files\Java\xclean.exe -> Spyware.Broadcap.b -> Cleaned with backup
   C:\Program Files\Common Files\Java\Xcpy1.cfg -> Spyware.FlashTrack.b -> Cleaned with backup
   C:\Program Files\Common Files\Java\fclean.exe -> Spyware.Broadcap.b -> Cleaned with backup
   C:\Program Files\Common Files\Java\bpt.cfg -> Spyware.Broadcap.a -> Cleaned with backup
   C:\Program Files\Common Files\Java\flenclean.exe -> Spyware.Broadcap.b -> Cleaned with backup
   C:\Program Files\Common Files\Java\flnclean.exe -> Spyware.Broadcap.b -> Cleaned with backup
   C:\Program Files\bpt\bpt.exe -> Spyware.Broadcap.a -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP411\A0183600.EXE -> Spyware.Toolbar.MyWay.c -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP411\A0183601.DLL -> Spyware.MyWay.e -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP411\A0183604.exe -> Spyware.Broadcap.a -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP411\A0183605.exe -> Spyware.Broadcap.a -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0183686.exe -> Spyware.Broadcap.b -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0184677.dll -> TrojanDownloader.Agent.le -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0185687.dll -> TrojanDownloader.Adload.g -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186710.dll -> Spyware.Ramdud -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186712.exe -> Trojan.Small.ej -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186715.exe -> Spyware.FindSpy.e -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186717.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186718.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186720.exe -> Spyware.Broadcap.a -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186721.exe -> Spyware.Broadcap.b -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186723.exe -> Spyware.Broadcap.b -> Cleaned with backup
   C:\WINDOWS\SYSTEM32\ukbovaaa.exe -> Spyware.Hijacker.Generic -> Error during cleaning
   C:\WINDOWS\SYSTEM32\scombop.exe -> Trojan.Small.ej -> Error during cleaning
   C:\WINDOWS\SYSTEM32\srpcsrv32.dll -> TrojanDownloader.Adload.g -> Error during cleaning
   C:\WINDOWS\SYSTEM32\DATCHECK.EXE -> Trojan.KeyPanic.a -> Error during cleaning
   C:\WINDOWS\bdhsgqrp.dll -> Trojan.TalkStocks.a -> Error during cleaning
   C:\WINDOWS\fmolzhql.dll -> Trojan.TalkStocks.a -> Error during cleaning
   C:\WINDOWS\dxrijkca.dll -> Trojan.TalkStocks.a -> Error during cleaning
   C:\WINDOWS\LastGood\webhdll.dll -> Spyware.WebHancer -> Error during cleaning
   C:\WINDOWS\LastGood\whInstaller.exe -> Spyware.WebHancer -> Error during cleaning
   C:\WINDOWS\LastGood\biprep.exe -> Trojan.Bispy.B -> Error during cleaning
   C:\WINDOWS\NDNuninstall4_85.exe -> Spyware.NewDotNet -> Error during cleaning
   C:\WINDOWS\NDNuninstall6_22.exe -> Spyware.NewDotNet -> Error during cleaning
   C:\WINDOWS\NDNuninstall6_30.exe -> Spyware.NewDotNet -> Error during cleaning
   C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet -> Error during cleaning
   C:\WINDOWS\whInstaller.exe -> Spyware.WebHancer -> Error during cleaning
   C:\Program Files\Common Files\WinTools\WToolsA(2).exe -> Spyware.Wintol.i -> Error during cleaning
   C:\Program Files\Common Files\Java\Xcpy1.exe -> Spyware.Broadcap.b -> Error during cleaning
   C:\Program Files\Common Files\Java\xclean.exe -> Spyware.Broadcap.b -> Error during cleaning
   C:\Program Files\Common Files\Java\Xcpy1.cfg -> Spyware.FlashTrack.b -> Error during cleaning
   C:\Program Files\Common Files\Java\fclean.exe -> Spyware.Broadcap.b -> Error during cleaning
   C:\Program Files\Common Files\Java\bpt.cfg -> Spyware.Broadcap.a -> Error during cleaning
   C:\Program Files\Common Files\Java\flenclean.exe -> Spyware.Broadcap.b -> Error during cleaning
   C:\Program Files\Common Files\Java\flnclean.exe -> Spyware.Broadcap.b -> Error during cleaning
   C:\Program Files\bpt\bpt.exe -> Spyware.Broadcap.a -> Error during cleaning
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP411\A0183600.EXE -> Spyware.Toolbar.MyWay.c -> Error during cleaning
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP411\A0183601.DLL -> Spyware.MyWay.e -> Error during cleaning
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP411\A0183604.exe -> Spyware.Broadcap.a -> Error during cleaning
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP411\A0183605.exe -> Spyware.Broadcap.a -> Error during cleaning
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0183686.exe -> Spyware.Broadcap.b -> Error during cleaning
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0184677.dll -> TrojanDownloader.Agent.le -> Error during cleaning
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0185687.dll -> TrojanDownloader.Adload.g -> Error during cleaning
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186710.dll -> Spyware.Ramdud -> Error during cleaning
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186712.exe -> Trojan.Small.ej -> Error during cleaning
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186715.exe -> Spyware.FindSpy.e -> Error during cleaning
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186717.exe -> Spyware.Hijacker.Generic -> Error during cleaning
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186718.exe -> Spyware.Hijacker.Generic -> Error during cleaning
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186720.exe -> Spyware.Broadcap.a -> Error during cleaning
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186721.exe -> Spyware.Broadcap.b -> Error during cleaning
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186723.exe -> Spyware.Broadcap.b -> Error during cleaning

(some stuff couldn't be cleaned =( ) What do I do here?
::Report End

Log text

C:\Documents and Settings\g\My Documents\STuff\rkfiles
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\xvid.dll: UPX!
C:\WINDOWS\SYSTEM32\owyhdane.exe: UPX!
C:\WINDOWS\SYSTEM32\suokpaaa.exe: UPX!
C:\WINDOWS\SYSTEM32\dtssource.ax: UPX!
C:\WINDOWS\SYSTEM32\scombo.exe: UPX!
C:\WINDOWS\SYSTEM32\scombopp.exe: UPX!
C:\WINDOWS\SYSTEM32\bxyeaaaa.exe: FSG!
C:\WINDOWS\SYSTEM32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
 
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\Key2.txt: UPX!
C:\WINDOWS\IFinst27.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye
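An added example (not from the thread and not RKFiles.bat itself) of the check the log above is doing: read each executable under a folder and look for the packer section markers that RKFiles prints as UPX! and FSG!. The marker list, the fake PE bytes and the demo file names are constructed for this example. It also tightens the log's method slightly: only files that begin with a real MZ header count, which is what keeps a text file such as dfrg.msc off the list, and the result is a mapping of file to packer rather than one line per hit.

```python
"""Flag executables in a directory tree that carry common packer markers.

Added example for this thread; it is not RKFiles.bat and not code posted by
anyone in the thread. Marker strings and demo files are constructed here.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Section/marker strings that packers leave in the PE image (RKFiles reports them
# as "UPX!" and "FSG!"). Constructed mapping for this example.
PACKER_MARKERS = {b"UPX!": "UPX", b"FSG!": "FSG"}
MZ_MAGIC = b"MZ"                # every PE image starts with the DOS "MZ" header
READ_LIMIT = 4 * 1024 * 1024    # look at the first 4 MiB of each file only
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".ax", ".ocx", ".sys", ".scr"}


def find_packer_markers(data: bytes) -> list[str]:
    """Return the packer names found in a PE image; [] for non-PE data.

    Requiring the MZ header avoids the kind of hit RKFiles produced on
    dfrg.msc, which is a text file and cannot be a packed executable.
    """
    if not data.startswith(MZ_MAGIC):
        return []
    return sorted({name for marker, name in PACKER_MARKERS.items() if marker in data})


def scan_tree(root: str | os.PathLike) -> dict[str, list[str]]:
    """Map each flagged file (path relative to root) to the packers seen in it."""
    root = Path(root)
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        with path.open("rb") as fh:
            hits = find_packer_markers(fh.read(READ_LIMIT))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def fake_pe(marker: bytes = b"") -> bytes:
    """Constructed stand-in for a PE image: MZ header, padding, optional marker."""
    return MZ_MAGIC + b"\x90" * 64 + marker + b"\x00" * 32


def run_demo() -> dict[str, list[str]]:
    """Build a throwaway tree of constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "system32/packed_upx.exe": fake_pe(b"UPX!"),
            "system32/packed_fsg.exe": fake_pe(b"FSG!"),
            "system32/plain.exe": fake_pe(),
            # Text file carrying the marker string: not an executable suffix and
            # not a PE image, so it is skipped on both counts.
            "system32/console.msc": b"<?xml version='1.0'?><UPX!/>",
            "readme.txt": b"UPX! appears here too but .txt is not scanned",
        }
        for rel, data in samples.items():
            dest = Path(tmp, rel)
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(data)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, packers in run_demo().items():
        print(f"{rel}: {', '.join(packers)}")
```

As the log header says, and as the helper's Killbox list confirms (xvid.dll, dtssource.ax and vsapi32.dll were flagged but left alone), a packer hit marks a file for a closer look, not for deletion.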

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
My comp is infected T_T
« Reply #6 on: May 14, 2005, 12:00:03 PM »
I am unsure if some of the files were cleaned or not, Ewido indicates both cases
Let's try the following
Open Ewido and Check for updates, in case there are any

*  Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
* Save it to your desktop or a folder

Please Print this out or save these instructions to a Notepad file and save it to your Desktop or a folder


I need you to copy all of the Killbox file paths below and paste them into Notepad.
To open a Notepad file
Go to START>>RUN>>type in notepad
Hit OK
Save this file

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

Killbox file paths between dotted lines
=========================================
C:\WINDOWS\SYSTEM32\owyhdane.exe
C:\WINDOWS\SYSTEM32\suokpaaa.exe
C:\WINDOWS\SYSTEM32\scombo.exe
C:\WINDOWS\SYSTEM32\scombopp.exe
C:\WINDOWS\SYSTEM32\bxyeaaaa.exe
C:\WINDOWS\Key2.txt
C:\WINDOWS\IFinst27.exe
C:\WINDOWS\SYSTEM32\ukbovaaa.exe
C:\WINDOWS\SYSTEM32\scombop.exe
C:\WINDOWS\SYSTEM32\srpcsrv32.dll
C:\WINDOWS\SYSTEM32\DATCHECK.EXE
C:\WINDOWS\bdhsgqrp.dll
C:\WINDOWS\fmolzhql.dll
C:\WINDOWS\dxrijkca.dll
C:\WINDOWS\LastGood\webhdll.dll
C:\WINDOWS\LastGood\whInstaller.exe
C:\WINDOWS\LastGood\biprep.exe
C:\WINDOWS\NDNuninstall4_85.exe
C:\WINDOWS\NDNuninstall6_22.exe
C:\WINDOWS\NDNuninstall6_30.exe
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\whInstaller.exe
C:\Program Files\Common Files\WinTools\WToolsA(2).exe
C:\Program Files\Common Files\Java\Xcpy1.exe
C:\Program Files\Common Files\Java\xclean.exe
C:\Program Files\Common Files\Java\Xcpy1.cfg
C:\Program Files\Common Files\Java\fclean.exe
C:\Program Files\Common Files\Java\bpt.cfg
C:\Program Files\Common Files\Java\flenclean.exe
C:\Program Files\Common Files\Java\flnclean.exe
C:\Program Files\bpt\bpt.exe

==========================================

*  Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button.  Click "Yes" at the Delete on Reboot prompt.  Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.  

While your computer is restarting, tap the F8 key continually until a menu appears.  Use your up arrow key to highlight Safe Mode, then hit enter.

While in Safe Mode, please do the following:

In safe mode find and delete these folders if found
C:\Program Files\bpt <-this folder
C:\Program Files\Common Files\WinTools <-folder

Do another full scan with Ewido and save the report

Run RKFiles.bat again, save the log

Restart back to Normal mode

Run another scan with Hijackthis and post the fresh log
Also again, post the report from Ewido

and post the log from RKFiles.bat
« Last Edit: May 14, 2005, 05:52:10 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
My comp is infected T_T
« Reply #7 on: May 14, 2005, 05:53:28 PM »
Hi anne, I missed a couple steps with Killbox, could you look over what I suggested again
Sorry about that if you already started the fixes
I hope you caught on to what I missed and included them

I put these steps in
* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".



Offline `anne

  • Newbie
  • *
  • Posts: 14
  • Karma: +0/-0
My comp is infected T_T
« Reply #8 on: May 14, 2005, 07:12:38 PM »
The HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 10:09:32 AM, on 15/05/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\aiepk.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Documents and Settings\g\My Documents\STuff\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 144.136.44.107:0
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [aiepk] C:\aiepk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {85AF9A98-3423-45E4-8BAD-85645F16AC31} (P3 Bugs VoD Loader Class) - http://player.bugs.co.kr/install/mv/p3bvset.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

Ewido report

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         9:43:21 AM, 15/05/2005
 + Report-Checksum:      811C2354

 + Date of database:      14/05/2005
 + Version of scan engine:   v3.0

 + Duration:            35 min
 + Scanned Files:         74359
 + Speed:            34.80 Files/Second
 + Infected files:         24
 + Removed files:         24
 + Files put in quarantine:      24
 + Files that could not be opened:   0
 + Files that could not be cleaned:   0

 + Binder:      Yes
 + Crypter:      Yes
 + Archives:      Yes

 + Scanned items:
   C:\
   D:\

 + Scan result:
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186739.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186740.exe -> Trojan.Small.ej -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186741.dll -> TrojanDownloader.Adload.g -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186742.EXE -> Trojan.KeyPanic.a -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186743.dll -> Trojan.TalkStocks.a -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186744.dll -> Trojan.TalkStocks.a -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186745.dll -> Trojan.TalkStocks.a -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186746.dll -> Spyware.WebHancer -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186747.exe -> Spyware.WebHancer -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186748.exe -> Trojan.Bispy.B -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186749.exe -> Spyware.NewDotNet -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186750.exe -> Spyware.NewDotNet -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186751.exe -> Spyware.NewDotNet -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186752.exe -> Spyware.NewDotNet -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186753.exe -> Spyware.WebHancer -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186754.exe -> Spyware.Wintol.i -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186755.exe -> Spyware.Broadcap.b -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186756.exe -> Spyware.Broadcap.b -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186757.cfg -> Spyware.FlashTrack.b -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186758.exe -> Spyware.Broadcap.b -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186759.cfg -> Spyware.Broadcap.a -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186760.exe -> Spyware.Broadcap.b -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186761.exe -> Spyware.Broadcap.b -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186762.exe -> Spyware.Broadcap.a -> Cleaned with backup


::Report End

Rkfiles.bat log

C:\Documents and Settings\g\My Documents\STuff\rkfiles
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\xvid.dll: UPX!
C:\WINDOWS\SYSTEM32\dtssource.ax: UPX!
C:\WINDOWS\SYSTEM32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
 
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye


For the Killbox steps that you've mentioned, I think I did those steps. Hopefully I did it correctly, lol T_T (By the way, thanks for helping, I really appreciate it =)
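An added example, not the thread's or Ewido's code, that separates an Ewido report into the two kinds of hit it mixes together: live files the scanner could not clean (the ones guestolo then feeds to Killbox, with their folders deleted in Safe Mode) and copies sitting in System Restore's _restore tree, which are inert unless a restore point is applied and which the later advice to disable and re-enable System Restore flushes. The sample lines are taken from the two reports posted in this thread; the regexes, the Detection type and the folder suggestion are this example's own.

```python
"""Sort an Ewido scan report into live detections and System Restore copies.

Added example for this thread, not Ewido's own code. The sample report lines
are copied from the reports posted in the thread.
"""
from __future__ import annotations

import ntpath
import re
from typing import NamedTuple

# Report lines have the shape:  <path> -> <detection name> -> <outcome>
ENTRY_RE = re.compile(r"^\s*(?P<path>[A-Za-z]:\\.+?) -> (?P<name>.+?) -> (?P<outcome>.+?)\s*$")
# Windows XP System Restore keeps copies of changed files under this tree. They
# do nothing until a restore point is applied, which is why clearing the
# restore points (disable, reboot, re-enable) is the usual way to remove them.
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.IGNORECASE
)


class Detection(NamedTuple):
    path: str
    name: str
    outcome: str
    in_restore_point: bool


def parse_report(text: str) -> list[Detection]:
    """Pull every '<path> -> <name> -> <outcome>' line out of a report."""
    detections: list[Detection] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        detections.append(
            Detection(path, m.group("name"), m.group("outcome"), bool(RESTORE_POINT_RE.search(path)))
        )
    return detections


def summarize(detections: list[Detection]) -> dict[str, list[str]]:
    """Group paths by where they sit and whether Ewido managed to clean them."""
    live = [d for d in detections if not d.in_restore_point]
    return {
        "live_uncleaned": [d.path for d in live if not d.outcome.startswith("Cleaned")],
        "live_cleaned": [d.path for d in live if d.outcome.startswith("Cleaned")],
        "restore_point_copies": [d.path for d in detections if d.in_restore_point],
    }


def folders_to_review(detections: list[Detection]) -> list[str]:
    """Parent folders of live files Ewido could not clean: what to look at in Safe Mode."""
    return sorted(
        {ntpath.dirname(d.path) for d in detections
         if not d.in_restore_point and not d.outcome.startswith("Cleaned")}
    )


# Constructed sample: lines copied from the two Ewido reports posted in the thread.
SAMPLE_REPORT = r"""
 + Scan result:
   C:\Program Files\Common Files\Java\fclean.exe -> Spyware.Broadcap.b -> Error during cleaning
   C:\Program Files\bpt\bpt.exe -> Spyware.Broadcap.a -> Error during cleaning
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186712.exe -> Trojan.Small.ej -> Error during cleaning
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186739.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\System Volume Information\_restore{F5677CBC-22E5-4D8D-8861-EDD503911455}\RP412\A0186740.exe -> Trojan.Small.ej -> Cleaned with backup

::Report End
"""


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for bucket, paths in summarize(found).items():
        print(f"{bucket}: {len(paths)}")
    print("folders to review:", folders_to_review(found))
```

Run against the first report in this thread, the live-uncleaned bucket is exactly the Java and bpt folder contents that guestolo put on the Killbox list, and the restore-point bucket is everything the second report later shows as "Cleaned with backup" under new A01867xx names.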

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
My comp is infected T_T
« Reply #9 on: May 14, 2005, 07:55:33 PM »
If everything is running better

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster 3.3 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer


IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

NOTE: I'm just double checking
This entry in your log
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 144.136.44.107:0
Indicates you are running through a Proxy Server, possibly with your ISP, which is located at
TELSTRA INTERNET in Australia
Does this look right to you?

Also
This entry in your Log
C:\aiepk.exe
Is related to
Another IE Popup Killer
Do you still have it installed?

If your version of Windows is legit, why so far behind on Windows Updates???

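An added example (not from the thread and not part of HijackThis) that applies the two checks guestolo makes by hand in the reply above to log lines: an R1 proxy setting, and an O4 autorun whose program sits directly in the drive root, plus an informational flag for O23 services whose binary HijackThis lists as "Unknown owner". The sample log is assembled from lines anne posted; the regexes, the Finding type and the wording of each reason are this example's own.

```python
"""Triage a HijackThis log for the entries discussed in this thread.

Added example, not code from the thread and not HijackThis itself. The rules
below are the heuristics the reply above applies by hand; the sample log is
assembled from lines posted in the thread.
"""
from __future__ import annotations

import re
from typing import NamedTuple


class Finding(NamedTuple):
    section: str
    reason: str
    line: str


# HijackThis lines start with a section tag such as R1, O4, O16, O23.
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
PROXY_RE = re.compile(r"ProxyServer = (?P<host>[^:\s]+)(?::(?P<port>\d+))?")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# A drive letter, a single path component and an executable extension, e.g. C:\aiepk.exe
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.(?:exe|dll|com|scr)$", re.IGNORECASE)


def run_entry_path(command: str) -> str:
    """Extract the program path from an O4 command line, dropping switches."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted form: strip trailing switches such as " /STARTUP" or " -Hide".
    return re.sub(r"(?:\s+[/-]\S*)+$", "", command)


def triage(log_text: str) -> list[Finding]:
    """Return the entries a helper would ask about, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "R1":
            pm = PROXY_RE.search(body)
            if pm:
                host, port = pm.group("host"), pm.group("port")
                reason = f"browser traffic is routed through proxy {host}:{port}; confirm it is the ISP's"
                if port == "0":
                    reason += " (port 0 cannot accept connections, so the entry is odd)"
                findings.append(Finding(sec, reason, line))
        elif sec == "O4":
            rm = RUN_RE.match(body)
            if rm:
                path = run_entry_path(rm.group("cmd"))
                if ROOT_EXE_RE.match(path):
                    findings.append(
                        Finding(sec, f"autorun program lives directly in the drive root: {path}", line)
                    )
        elif sec == "O23" and "Unknown owner" in body:
            findings.append(
                Finding(sec, "HijackThis found no publisher name for the service binary; check what installed it", line)
            )
    return findings


# Constructed sample: lines taken from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 144.136.44.107:0
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [aiepk] C:\aiepk.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
"""


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

None of these is a verdict on its own. A proxy pointing into the ISP's network is normal for some cable services, which is why the check only asks for confirmation, exactly as guestolo does; a program launched from C:\ with a meaningless name is the sort of entry that deserves the "do you still have it installed?" question it got here.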


Offline `anne

  • Newbie
  • *
  • Posts: 14
  • Karma: +0/-0
My comp is infected T_T
« Reply #10 on: May 14, 2005, 08:43:25 PM »
Yes, my ISP is with Telstra in Australia.

I don't think my Windows XP is legitimate because the person who installed it for me had a copied version.. So I'm not sure whether I can install Windows XP Service Pack 2 (SP2). I don't think I can. Also on the microsoft.com page it says that I'm missing the "Automatic update feature".

What should I do about the Windows Update problem?

Guest_raysdga_*

  • Guest
My comp is infected T_T
« Reply #11 on: May 14, 2005, 08:48:33 PM »
Hey anne, I'm just curious what problem you are having with Service Pack 2.  I have never heard of people having a problem with service packs just because they're running a copy of Windows.

Offline `anne

  • Newbie
  • *
  • Posts: 14
  • Karma: +0/-0
My comp is infected T_T
« Reply #13 on: May 14, 2005, 09:04:12 PM »
Hi raysdga, lol, I'm not sure myself either. Don't you need the REAL Windows XP CD to install Windows XP Service Pack 2 (SP2)?  My friend wants to send me the crack but I don't have the keygen for it.. ahh, I'm so confused, plus I'm no good at computers.. lol

Offline raysdga

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
My comp is infected T_T
« Reply #14 on: May 14, 2005, 09:26:03 PM »
I don't understand either. I'm running Windows 2000 Professional; don't you need the CD key to even install the operating system?  I'm running a crack of Windows 2000 and a CD key that I found on the internet.  I bought Windows 98 but I didn't want to give the richest man in the world another $100 :angry: I'm pretty sure I installed Service Pack 2 at one time with the crack but it just caused problems; that was like years ago though.  I installed Service Pack 4 on my computer and lost internet connection so I just never bothered with that again.  Somewhere Bill Gates is reading all of this sipping champagne just laughing his ass off. <_<
« Last Edit: May 14, 2005, 09:29:37 PM by raysdga »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
My comp is infected T_T
« Reply #15 on: May 15, 2005, 09:52:34 AM »
Without having a legit copy of Windows I won't be able to help out much
Sorry, I don't endorse illegal software

Yes, there are crack utilities, but I don't get involved with it......

Just make sure you install SpywareBlaster and IE-Spyad and keep them updated

Get yourself a good free software firewall and turn the one off that XP provides
You only need one, I prefer Sygate's, but you decide
You can find links HERE

Take care
« Last Edit: May 15, 2005, 09:54:44 AM by guestolo »
