Author Topic: Spy Sherriff (sorta)  (Read 4405 times)

Asuma
Spy Sherriff (sorta)
« on: December 17, 2005, 05:23:42 PM »
OK, I had Spy Sheriff earlier today, and I was looking at a few previous posts and tried the stuff you said to do in them. Deleted a few files you had said to, and ran a scan with all the major programs. Everything seems to be okay, except that when I press Ctrl+Alt+Del it still says "Task Manager has been disabled by your administrator." As well as this, there is still the red circle with the white X in it at the bottom right-hand corner of the screen. However, I think Spy Sheriff itself is eliminated, and my desktop is back to normal. Anyway, here is my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 3:05:51 PM, on 17/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\kernels64.exe
C:\WINDOWS\system32\nwinrsaw.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\vxh8jkdq2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\kernels64.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels64.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\nwinrsaw.exe DRCA02
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ifoi] C:\PROGRA~1\COMMON~1\ifoi\ifoim.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\nwinrsaw.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/229?8dbf431d0984c43a41986a4e2366691
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/230?8dbf431d0984c43a41986a4e2366691
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Transfer with Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132065052196
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Here are my Ewido results:
---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         1:22:29 PM, 17/12/2005
 + Report-Checksum:      1846EE75

 + Scan result:

   HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Altnet\Dashboard\Settings -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{C91E8926-D4BE-4685-99F4-0D996B96BAC0} -> Spyware.P2PNetworking : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{16097036-894C-4C00-A61F-93CA0D49A70E} -> Spyware.TOPicks : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{2ED5AF98-9258-45BA-B79B-06625C92F662} -> Spyware.TOPicks : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{700DC0DD-F409-42E0-9DE5-21EE1A2BA9FD} -> Spyware.TOPicks : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{C91E8926-D4BE-4685-99F4-0D996B96BAC0} -> Spyware.P2PNetworking : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{FD42F6D3-7AB1-470C-979B-7996EDC99099} -> Spyware.TOPicks : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\IST -> Spyware.ISTBar : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1074 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_2 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4492 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4496 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4543 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_1 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_2 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_4 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_0 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_0\Seqn_1068 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_0\Seqn_1074 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_2 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0\Seqn_1068 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0\Seqn_1074 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_2 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_1116 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_1524 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_1553 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_1641 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_1 -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services\Queue -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services\Status -> Spyware.Cydoor : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B} -> Spyware.SaveNow : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C900B400-CDFE-11D3-976A-00E02913A9E0} -> Spyware.Webhancer : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\PowerScan -> Spyware.PowerScan : Cleaned with backup
   HKU\S-1-5-21-5796582-1896536308-3091960408-1007\Software\saap -> Spyware.180Solutions : Cleaned with backup
   [1936] C:\WINDOWS\system32\vxh8jkdq6.exe -> Downloader.Small.atl : Cleaned with backup
   C:\Documents and Settings\Rob Gotch\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
   C:\Documents and Settings\Rob Gotch\Start Menu\Programs\Power Scan -> Spyware.PowerScan : Cleaned with backup
   C:\Documents and Settings\Rob Gotch\Start Menu\Programs\WhenU -> Spyware.SaveNow : Cleaned with backup
   C:\Documents and Settings\Rob Gotch\Start Menu\Programs\WhenU\Learn More About Save!.url -> Spyware.SaveNow : Cleaned with backup
   C:\Documents and Settings\Rob Gotch\Start Menu\Programs\WhenU\Learn More About SaveNow.url -> Spyware.SaveNow : Cleaned with backup
   C:\Documents and Settings\Rob Gotch\Start Menu\Programs\WhenU\WhenU.com Website.url -> Spyware.SaveNow : Cleaned with backup
   C:\inst_drca02.exe -> Spyware.ZenoSearch : Cleaned with backup
   C:\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup
   C:\OLD HD\Drive 2\Documents and Settings\Mommy\Cookies\mommy@a-1shz2prbmdj6wvny-1sez2pra2dj6wjkyqicjwlpw-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\OLD HD\Drive 2\Documents and Settings\Mommy\Cookies\mommy@y-1shz2prbmdj6wvny-1sez2pra2dj6wjl4kmc5akoawdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\OLD HD\Drive 2\Documents and Settings\Rob\Cookies\rob@addcontrol[1].txt -> Spyware.Cookie.Addcontrol : Cleaned with backup
   C:\OLD HD\Drive 2\Documents and Settings\Rob\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
   C:\OLD HD\Drive 2\Documents and Settings\Rob\Cookies\rob@ysbweb[1].txt -> Spyware.Cookie.Ysbweb : Cleaned with backup
   C:\OLD HD\Drive 2\Documents and Settings\User\Cookies\user@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
   C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
   C:\Program Files\Common Files\ifoi\ifoil.exe -> Downloader.TSUpdate.p : Cleaned with backup
   C:\Program Files\Common Files\ifoi\ifoip.exe -> Downloader.TSUpdate.f : Cleaned with backup
   C:\Program Files\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : Cleaned with backup
   C:\Program Files\MyEmoticons\VVSNI_S3_MYEM_Inst.exe -> Adware.SaveNow : Cleaned with backup
   C:\Program Files\SpySheriff -> Spyware.SpySheriff : Cleaned with backup
   C:\Program Files\SpySheriff\SpySheriff.exe -> Spyware.SpySheriff : Cleaned with backup
   C:\Program Files\SpySheriff\Uninstall.exe -> Spyware.SpySheriff : Cleaned with backup
   C:\stub_113_4_0_4_0.exe -> Downloader.TSUpdate.o : Cleaned with backup
   C:\WINDOWS\country.exe -> Trojan.Small : Cleaned with backup
   C:\WINDOWS\desktop.html -> Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\hosts -> Trojan.Qhost.el : Cleaned with backup
   C:\WINDOWS\kl.exe -> Logger.Small.dg : Cleaned with backup
   C:\WINDOWS\NDNuninstall6_90.exe -> Adware.NewDotNet : Cleaned with backup
   C:\WINDOWS\SYSTEM32\0dvc618v.dll -> Adware.SAHA : Cleaned with backup
   C:\WINDOWS\SYSTEM32\b01e96hl.exe -> Adware.SAHA : Cleaned with backup
   C:\WINDOWS\SYSTEM32\dwdsregt.exe -> Spyware.ZenoSearch : Cleaned with backup
   C:\WINDOWS\SYSTEM32\P2P Networking -> Spyware.P2PNetworking : Cleaned with backup
   C:\WINDOWS\SYSTEM32\P2P Networking\Cache -> Spyware.P2PNetworking : Cleaned with backup
   C:\WINDOWS\SYSTEM32\P2P Networking\Cache\Database -> Spyware.P2PNetworking : Cleaned with backup
   C:\WINDOWS\SYSTEM32\P2P Networking\Cache\Database\file-10001-97.sig -> Spyware.P2PNetworking : Cleaned with backup
   C:\WINDOWS\SYSTEM32\P2P Networking\Cache\Database\file-1005-1010079.sig -> Spyware.P2PNetworking : Cleaned with backup
   C:\WINDOWS\SYSTEM32\P2P Networking\Cache\Database\index256.dbb -> Spyware.P2PNetworking : Cleaned with backup
   C:\WINDOWS\SYSTEM32\P2P Networking\MARSHAL.DLL -> Spyware.P2PNetworking : Cleaned with backup
   C:\WINDOWS\SYSTEM32\P2P Networking\P2P Networking.eng -> Spyware.P2PNetworking : Cleaned with backup
   C:\WINDOWS\SYSTEM32\P2P Networking\P2P Networking.exe -> Spyware.P2PNetworking : Cleaned with backup
   C:\WINDOWS\SYSTEM32\qvxgamet2.exe -> Downloader.Small.aqu : Cleaned with backup
   C:\WINDOWS\SYSTEM32\qvxgamet4.exe -> Downloader.Small.aqu : Cleaned with backup
   C:\WINDOWS\SYSTEM32\vxh8jkdq6.exe -> Downloader.Small.atl : Cleaned with backup
   C:\WINDOWS\timessquare.exe -> Hijacker.StartPage.aw : Cleaned with backup
   C:\WINDOWS\tool3.exe -> Downloader.Small.bwr : Cleaned with backup
   C:\WINDOWS\tool4.exe -> Trojan.Small : Cleaned with backup
   C:\WINDOWS\tool5.exe -> Trojan.Small : Cleaned with backup
   C:\WINDOWS\toolbar.exe -> Downloader.Adload.j : Cleaned with backup
   C:\WINDOWS\ubjt8v7o.exe -> Adware.Saha : Cleaned with backup


::Report End

Panda's Log:


Incident                        Status           Location

Virus:Exploit/ByteVerify        Disinfected      C:\Documents and Settings\John Gotch\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv719.jar-7db474db-7340bb5a.zip[Matrix.class]
Virus:Exploit/ByteVerify        Disinfected      C:\Documents and Settings\John Gotch\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv719.jar-7db474db-7340bb5a.zip[Dummy.class]
Virus:Exploit/ByteVerify        Disinfected      C:\Documents and Settings\Rob Gotch\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-20c05957-5450b40a.zip[Dummy.class]
Adware:Adware/AzeSearch         Not desinfected  C:\Documents and Settings\Rob Gotch\Local Settings\Temp\6.qtdfmp
Dialer:dialer.bew               Not desinfected  C:\Documents and Settings\Rob Gotch\Local Settings\Temp\maxdd.game
Possible Virus.                 Not desinfected  C:\Documents and Settings\Rob Gotch\Local Settings\Temp\vx2.game
Dialer:Dialer.EON               Not desinfected  C:\Documents and Settings\Rob Gotch\Local Settings\Temp\vx4.game
Virus:Trj/Downloader.CZO        Disinfected      C:\Documents and Settings\Rob Gotch\Local Settings\Temp\vxt1.game
Adware:Adware/DollarRevenue     Not desinfected  C:\drsmartload1.exe
Adware:Adware/KeenValue         Not desinfected  C:\OLD HD\Drive 2\Documents and Settings\Mommy\Local Settings\Temp\UpdatedUpdaterInstall.exe
Adware:Adware/KeenValue         Not desinfected  C:\OLD HD\Drive 2\Kazaa\PerfectNavUninstall.exe
Adware:adware/cws.searchmeup    Not desinfected  C:\WINDOWS\ms1.exe
Spyware:application/bestoffer   Not desinfected  C:\WINDOWS\smdat32m.sys
Adware:Adware/Tibs              Not desinfected  C:\WINDOWS\SYSTEM32\kernels64.exe
Adware:Adware/P2PNetworking     Not desinfected  C:\WINDOWS\SYSTEM32\P2P Networking v126.cpl
Adware:Adware/Sqwire            Not desinfected  C:\WINDOWS\SYSTEM32\tsuninst.exe
Adware:adware/adsmart           Not desinfected  C:\WINDOWS\SYSTEM32\vx.tll
Possible Virus.                 Not desinfected  C:\WINDOWS\SYSTEM32\vxgame2.exe
Virus:Trj/Downloader.CZO        Disinfected      C:\WINDOWS\SYSTEM32\vxgamet1.exe
Adware:Adware/Tibs              Not desinfected  C:\WINDOWS\SYSTEM32\vxh8jkdq5.exe
Virus:Trj/LdPinch.NC            Disinfected      C:\WINDOWS\SYSTEM32\vxh8jkdq7.exe
Adware:Adware/AzeSearch         Not desinfected  C:\WINDOWS\SYSTEM32\__delete_on_reboot__vxh8jkdq6.exe
Adware:adware/popupsandbanners  Not desinfected  C:\WINDOWS\timessquare1.dat
Adware:Adware/Tibs              Not desinfected  C:\WINDOWS\tool1.exe
Adware:adware/spysheriff        Not desinfected  C:\winstall.exe

SmitRem Log


   smitRem © log file
     version 2.8

     by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: 17/12/2005
The current time is: 13:23:06.54

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 checking for ShudderLTD key

ShudderLTD key not present!

 checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Existing Pre-run Files


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~

Install.dat


 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~

logfiles


 ~~~ Icons in System32 ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~

winstall.exe

 ~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1760 'explorer.exe'
Killing PID 1760 'explorer.exe'

Starting registry repairs

Deleting files


   Remaining Post-run Files


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~

Install.dat


 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Icons in System32 ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~



 ~~~ Miscellaneous Files/folders ~~~




 ~~~ Wininet.dll ~~~

 CLEAN! :)


Plz get back to me ASAP and ty ^^


Oops, just noticed Winstall in the HJT report, here's a new one:

Logfile of HijackThis v1.99.1
Scan saved at 3:23:30 PM, on 17/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\kernels64.exe
C:\WINDOWS\system32\nwinrsaw.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\vxh8jkdq2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\kernels64.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels64.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\nwinrsaw.exe DRCA02
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ifoi] C:\PROGRA~1\COMMON~1\ifoi\ifoim.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\nwinrsaw.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/229?8dbf431d0984c43a41986a4e2366691
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/230?8dbf431d0984c43a41986a4e2366691
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Transfer with Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132065052196
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Offline guestolo

Spy Sherriff (sorta)
« Reply #1 on: December 17, 2005, 05:49:32 PM »
Can you do the following please

Can you go to this site
Jotti's Online Malware scan
Give this site time to load if busy

Use the browse button and navigate to this file on your hard drive
C:\Program Files\Common Files\ifoi\ifoim.exe <-this file
Right click on it  and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scans back here please

Can you do the same for these 2 files
C:\WINDOWS\SYSTEM32\nwinrsaw.exe
C:\WINDOWS\SYSTEM32\dwdsregt.exe

Also, can you
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as display.bat

Save this too the desktop
It should have an Icon with a Sprocket in the middle

Code:
@echo off
regedit /e C:\cp.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
more C:\cp.reg >> C:\Display.txt
regedit /e C:\cp.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager"
more C:\cp.reg >> C:\Display.txt
notepad C:\Display.txt
del /q c:\cp.reg
del /q C:\Display.txt

Double click on display.bat
A text file should open
Can you copy and paste that info here please

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Asuma

Spy Sherriff (sorta)
« Reply #2 on: December 17, 2005, 07:14:15 PM »
Unfortunately I was unable to locate "ifoim.exe"; there was, however, an "ifoim.lck".

for nwinrsaw.exe:

Scanner results  
AntiVir  Found Trojan/Dldr.Agent.DZ.2  
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
NOD32  Found a variant of Win32/Adware.ZenoSearch application  
Norman Virus Control  Found nothing
UNA  Found nothing
VBA32  Found nothing

dwdsregt.exe was also not in the system32 folder.

Here is display.bat

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoComponents"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoHTMLWallPaper"=dword:00000000
"NoChangingWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"WCreatedUser"="1"
"ThemeActive"="1"
"LoadedBefore"="1"
"LastUserLangID"="1033"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,72,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\
  00,54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,6c,00,75,00,6e,00,61,00,5c,00,\
  6c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\
  00,00,00
"ColorName"="NormalColor"
"SizeName"="NormalSize"

Thanks for helping me out btw.
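The Display.txt output above is an ordinary regedit /e export, and the one entry in it that explains the Task Manager symptom is the DisableTaskMgr DWORD under Policies\System. The script below is an added example, not code from this thread or from any of the tools it mentions: it parses that export format (joining the backslash-continued hex(2) DllName value and decoding it from UTF-16LE) and reports which HKCU lockdown policies are switched on. The sample export is an abbreviated copy of the output posted above, treated here as constructed test input; the policy names beyond DisableTaskMgr (DisableRegistryTools, DisableCMD, NoRun, NoControlPanel, NoDesktop) are standard Windows policy values added so the check generalizes beyond this one case.

```python
"""Parse a regedit /e export and flag lockdown policies such as DisableTaskMgr.

Added example for this thread (not the forum's or any tool's own code).
"""
import re

# Constructed sample: an abbreviated copy of the Display.txt output posted above.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"NoDispCPL"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"ThemeActive"="1"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,72,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\
  00,54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,6c,00,75,00,6e,00,61,00,5c,00,\
  6c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\
  00,00,00
"""

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")

# Policy values (path relative to the hive, lower-cased) that restrict the user's
# ability to inspect or repair the machine; a nonzero DWORD means "restriction on".
# DisableTaskMgr is the one from the thread; the others are standard policy names.
LOCKDOWN_POLICIES = {
    r"software\microsoft\windows\currentversion\policies\system":
        {"DisableTaskMgr", "DisableRegistryTools", "DisableCMD"},
    r"software\microsoft\windows\currentversion\policies\explorer":
        {"NoRun", "NoControlPanel", "NoDesktop"},
}


def _parse_data(raw):
    """Turn the right-hand side of a value line into (type_name, python_value)."""
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return "REG_SZ", re.sub(r"\\(.)", r"\1", raw[1:-1])   # undo \" and \\ escapes
    m = HEX_RE.match(raw)
    if m:
        kind = int(m.group(1) or 3)            # bare "hex:" is REG_BINARY (type 3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind == 2:                          # REG_EXPAND_SZ: UTF-16LE, NUL-terminated
            return "REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\0")
        if kind == 7:                          # REG_MULTI_SZ: NUL-separated, double NUL at end
            return "REG_MULTI_SZ", [s for s in data.decode("utf-16-le").split("\0") if s]
        return ("REG_BINARY" if kind == 3 else f"REG_TYPE_{kind}"), data
    return "UNKNOWN", raw


def parse_reg_export(text):
    """Return {key_path: {value_name: (type_name, value)}} for a .reg export."""
    # A trailing backslash continues a hex value on the next (indented) line.
    text = re.sub(r"\\\r?\n[ \t]*", "", text)
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(2) or re.sub(r"\\(.)", r"\1", m.group(1))
            reg[current][name] = _parse_data(m.group(3))
    return reg


def find_lockdowns(reg):
    """Return (key, name, value) for every lockdown policy that is switched on."""
    hits = []
    for key, values in reg.items():
        rel = key.partition("\\")[2]           # drop the hive name
        watch = LOCKDOWN_POLICIES.get(rel.lower(), ())
        for name, (vtype, value) in values.items():
            if name in watch and vtype == "REG_DWORD" and value != 0:
                hits.append((key, name, value))
    return hits


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for key, name, value in find_lockdowns(parsed):
        print(f"lockdown active: {key}\\{name} = {value}")
```

Run against the posted export this prints a single line for DisableTaskMgr, which is exactly the value the fix.reg in the next reply sets back to 0; the decoded DllName shows the theme path is the stock luna.msstyles, so the ThemeManager key is not the source of the problem.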

Offline guestolo

Spy Sherriff (sorta)
« Reply #3 on: December 17, 2005, 09:55:36 PM »
Can you do the following please

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop, we'll need this later, don't run it yet

 
Code:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zeno Browser Enhancer]


Download Killbox
From one of these locations
http://www.downloads.subratam.org/KillBox.exe
http://www.atribune.org/downloads/KillBox.exe

==Download and Install
Windows Cleanup! 4.0
Don't run it yet

Download and Install Ad-Aware SE Personal 1.06
Open Ad-Aware, make sure to click the Check for updates now link and Connect to download the latest updates
Don't run a scan yet

Please open Notepad, save these instructions to a Notepad file and save it to your desktop for easy access

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Select Safe mode from the Startup menu

Once in safe mode
Start Killbox.exe
Leave "Standard Kill file" selected
In the "Full path of File to Delete" box, copy and paste the entry below (shown in bold)

C:\WINDOWS\SYSTEM32\nwinrsaw.exe

Then click the Red Circle with the White X
Allow to make a backup and delete the file

Carry on with the same instructions with the rest of these

C:\WINDOWS\SYSTEM32\dwdsregt.exe
C:\WINDOWS\system32\kernels64.exe
C:\WINDOWS\system32\vxh8jkdq2.exe
C:\WINDOWS\ms1.exe
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\SYSTEM32\P2P Networking v126.cpl

C:\WINDOWS\SYSTEM32\vxh8jkdq5.exe
C:\WINDOWS\SYSTEM32\__delete_on_reboot__vxh8jkdq6.exe
C:\WINDOWS\timessquare1.dat
C:\WINDOWS\tool1.exe
C:\winstall.exe
C:\OLD HD\Drive 2\Kazaa\PerfectNavUninstall.exe

C:\OLD HD\Drive 2\Documents and Settings\Mommy\Local Settings\Temp\UpdatedUpdaterInstall.exe
C:\drsmartload1.exe
C:\Documents and Settings\Rob Gotch\Local Settings\Temp\6.qtdfmp
C:\Documents and Settings\Rob Gotch\Local Settings\Temp\maxdd.game
C:\Documents and Settings\Rob Gotch\Local Settings\Temp\vx2.game
C:\Documents and Settings\Rob Gotch\Local Settings\Temp\vx4.game
C:\WINDOWS\SYSTEM32\tsuninst.exe
C:\WINDOWS\SYSTEM32\vx.tll
C:\WINDOWS\SYSTEM32\vxgame2.exe


==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

==Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Stay in safe mode
Double click on fix.reg and allow to add or merge to the registry

Do a "System scan only" with Hijackthis and put a check next to these entries:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\kernels64.exe

O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\nwinrsaw.exe DRCA02

O4 - HKCU\..\Run: [ifoi] C:\PROGRA~1\COMMON~1\ifoi\ifoim.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\nwinrsaw.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Open Ad-Aware
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

Restart back to Normal mode
Post back a fresh hijackthis log and another log from the SmitRem tool
Let me know how things are running
« Last Edit: December 17, 2005, 10:35:48 PM by guestolo »



Offline Asuma

Spy Sherriff (sorta)
« Reply #4 on: December 18, 2005, 03:31:20 PM »
Ok, I woke up this morning and the roommate had apparently fixed everything; ctrl+alt+delete now worked fine, as well as the red circle with white X was still there.  I still did a HJT and checked the ones you said anyway; there were still a couple there.  Here is my new log, do I still have to do anything?  Everything's running quite fine again.

Logfile of HijackThis v1.99.1
Scan saved at 1:29:42 PM, on 18/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/229?8dbf431d0984c43a41986a4e2366691
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/230?8dbf431d0984c43a41986a4e2366691
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Transfer with Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132065052196
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Thanks again for the help, you are a lifesaver heheh.
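Reply #3 asks for a fresh HijackThis log so the checked entries can be confirmed gone, and the log just posted is that "after" snapshot. The script below is an added example, not part of the thread or of HijackThis itself: it parses the "Running processes:" section and the prefixed entry lines (R0/R1, F2, O4, ...) of two logs, reports which processes and entries disappeared or appeared, checks the helper's fix list against the new log, and flags an F2 Shell= entry that launches anything besides Explorer.exe (the default Winlogon shell). The two sample logs are constructed from a trimmed subset of the lines posted in Reply #2 and Reply #4.

```python
"""Diff two HijackThis logs to confirm which startup entries and processes went away.

Added example (not part of the thread or of HijackThis). The samples are trimmed,
constructed copies of lines from the logs posted in this thread.
"""
import re

BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:23:30 PM, on 17/12/2005

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\kernels64.exe
C:\WINDOWS\system32\nwinrsaw.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\vxh8jkdq2.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\kernels64.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels64.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\nwinrsaw.exe DRCA02
O4 - HKCU\..\Run: [ifoi] C:\PROGRA~1\COMMON~1\ifoi\ifoim.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\nwinrsaw.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:29:42 PM, on 18/12/2005

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
"""

# HijackThis entry lines start with a section code such as R0, F2, O4, O23.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$", re.IGNORECASE)


def parse_hjt_log(text):
    """Return (set of running process paths, set of entry lines) from one log."""
    processes, entries, in_procs = set(), set(), False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True                 # paths follow until the next blank line
            continue
        if not line:
            in_procs = False
            continue
        if in_procs:
            processes.add(line.lower())     # logs mix System32 and system32 casing
        elif ENTRY_RE.match(line):
            entries.add(line)
    return processes, entries


def diff_logs(before, after):
    """What disappeared and what is new between two logs of the same machine."""
    b_procs, b_entries = parse_hjt_log(before)
    a_procs, a_entries = parse_hjt_log(after)
    return {
        "processes_gone": sorted(b_procs - a_procs),
        "processes_new": sorted(a_procs - b_procs),
        "entries_gone": sorted(b_entries - a_entries),
        "entries_new": sorted(a_entries - b_entries),
    }


def unresolved(fix_list, log):
    """Entries from a helper's 'fix checked' list that still appear in a log."""
    _, entries = parse_hjt_log(log)
    return [e for e in fix_list if e.strip() in entries]


def shell_hijacks(entries):
    """F2 Shell= entries that start something besides Explorer.exe, the default shell."""
    hits = []
    for entry in sorted(entries):
        m = SHELL_RE.match(entry)
        if m and m.group(1).strip().lower() != "explorer.exe":
            hits.append(entry)
    return hits


if __name__ == "__main__":
    result = diff_logs(BEFORE_LOG, AFTER_LOG)
    for label, items in result.items():
        print(label)
        for item in items:
            print("   ", item)
    _, before_entries = parse_hjt_log(BEFORE_LOG)
    print("shell hijacks in before log:", shell_hijacks(before_entries))
```

On the two samples the diff shows kernels64.exe, nwinrsaw.exe and vxh8jkdq2.exe no longer running and all six of the flagged entries gone, with the LimeWire startup shortcut the only new line; the Shell= check singles out the F2 entry from the first log, which is the kind of line worth re-checking by hand whenever it reappears in a later log.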

Offline guestolo

Spy Sherriff (sorta)
« Reply #5 on: December 18, 2005, 03:40:09 PM »
Did he delete the bad files I asked you to remove with Killbox?

Additionally, Limewire is not needed on startup
You can disable it from running on startup in the Tools>>Options area I believe
Just start limewire manually

Additionally, did he do any of the other steps I mentioned with CleanUp! and Ad-Aware?

If not, I would go back and do what I suggested earlier

That registry fix (fix.reg) would have also re-enabled Task Manager



Offline Asuma

Spy Sherriff (sorta)
« Reply #6 on: December 19, 2005, 12:15:23 AM »
Ok I went the safe route and tried to do everything you said anyway.  Got a few extra files with the killbox, here are new reports.

Logfile of HijackThis v1.99.1
Scan saved at 10:14:08 PM, on 18/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/229?8dbf431d0984c43a41986a4e2366691
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/230?8dbf431d0984c43a41986a4e2366691
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Transfer with Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132065052196
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

and the smitRem log:


   smitRem © log file
     version 2.8

     by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: 18/12/2005
The current time is: 22:10:41.28

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 checking for ShudderLTD key

ShudderLTD key not present!

 checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Existing Pre-run Files


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~

Install.dat


 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Icons in System32 ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~


 ~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Starting registry repairs

Deleting files


   Remaining Post-run Files


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~



 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Icons in System32 ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~



 ~~~ Miscellaneous Files/folders ~~~




 ~~~ Wininet.dll ~~~

 CLEAN! :)
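Reading a HijackThis log by hand means scanning the O4 autostart and O23 service lines for entries whose vendor is unknown, whose binary is gone, or whose path looks wrong; the rpcapd line in the log above shows all three. The script below is an added example, not part of this thread or of HijackThis: it runs those checks over three lines copied from the log above (the third is the rpcapd service). The regular expressions and the flag heuristics are this example's own and are deliberately simple; a clean line is not proof that an entry is benign.

```powershell
# Added example: triage pass over HijackThis O4 (autostart) and O23 (service)
# lines. Sample lines are copied from the log posted above.

$hjtLines = @(
    'O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe',
    'O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe',
    'O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)'
)

function Get-HjtFindings {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $flags = @()
        if ($line -match '^O23 - Service: (?<name>.+?) - (?<owner>.+?) - (?<path>.+)$') {
            # HJT prints "Unknown owner" when the binary has no company in its version info.
            if ($Matches.owner -eq 'Unknown owner') { $flags += 'no vendor in version info' }
            # A service whose image is gone is either a leftover or a hidden/rootkit file.
            if ($Matches.path -like '*(file missing)*') { $flags += 'service points at a missing binary' }
            # An unexpanded %ProgramFiles% means the installer wrote a non-literal path.
            if ($Matches.path -match '^%') { $flags += 'unexpanded environment variable in image path' }
        }
        elseif ($line -match '^O4 - (?<hive>HK\w+).*: \[(?<name>[^\]]+)\] (?<cmd>.+)$') {
            # Legitimate Run entries almost always live under Program Files or WINDOWS;
            # anything else (user profile, temp, drive root) deserves a look.
            if ($Matches.cmd -notmatch '^"?[A-Za-z]:\\(Program Files|WINDOWS)\\') {
                $flags += 'autostart outside Program Files/WINDOWS'
            }
        }
        else { continue }
        [pscustomobject]@{ Line = $line; Flags = ($flags -join '; ') }
    }
}

# Print only the lines that raised at least one flag.
Get-HjtFindings -Lines $hjtLines | Where-Object Flags | Format-List
```

Run against the three samples, only the rpcapd line is reported, with all three flags. To use it on a full log, replace the constructed array with `Get-Content hijackthis.log`.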

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
Spy Sherriff (sorta)
« Reply #7 on: December 19, 2005, 12:22:46 AM »
Looks good

Curious, what did you mean by this
"Got a few extra files with the killbox"

Final cleanup
If everything is running better, please do the following
You should disable System Restore >> reboot your computer >> and then re-enable it.
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature
Make sure you reenable system restore feature

Afterwards, For added protections
You should install this free tool
SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

Check for updates every couple of weeks
after every update just simply click the "enable protection on all unprotected items"

On top of running a scan with Norton's every once in awhile
And because it's never a good idea to have more than one AV installed on a computer,
Visit Panda's every couple of months for a free scan
Nice to have a second opinion

Stay safe :)
« Last Edit: December 19, 2005, 12:23:47 AM by guestolo »

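The final-cleanup step above (turn System Restore off, reboot, turn it back on) exists because an infected restore point can reintroduce the malware later. The script below is an added example, not from this thread: it does the same thing from PowerShell on Windows 7 or later, where the System Restore cmdlets exist, then takes a fresh clean baseline and lists what remains. It assumes an elevated Windows PowerShell prompt and that the system drive is C:; the original thread does this through the System Restore tab in System Properties on XP, which has no PowerShell.

```powershell
# Added example: flush all restore points on the system drive, re-enable
# protection and create a clean post-cleanup baseline. Run elevated.

$drive = 'C:\'   # assumption: system drive

function Reset-RestorePoints {
    param([string]$Drive)
    # Turning protection off discards every existing restore point on the drive.
    Disable-ComputerRestore -Drive $Drive
    Enable-ComputerRestore -Drive $Drive
    # Take a known-good snapshot now that the machine is clean.
    Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType 'MODIFY_SETTINGS'
    # Return what is left so the caller can confirm only the new point exists.
    Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime
}

Reset-RestorePoints -Drive $drive
```

On Windows 8 and later, Checkpoint-Computer refuses to create a second restore point within 24 hours of the last one by default, so if the cleanup tools already created one you may have to wait or adjust the SystemRestorePointCreationFrequency value before the baseline is taken.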


Offline Asuma

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
Spy Sherriff (sorta)
« Reply #8 on: December 19, 2005, 12:30:19 AM »
Oh I just mean that I found a few files that you had listed that were still on the system, and I "killed" them.  Everything is looking great, and I will do the system restore thing.  Thanks again!

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
Spy Sherriff (sorta)
« Reply #9 on: December 19, 2005, 12:50:03 AM »
You're welcome and good work, I'll lock this topic as your problems are resolved.
Merry Xmas
