Author Topic: Little Help Please  (Read 2881 times)

hi5
« on: December 20, 2005, 04:14:11 AM »
I am new here. I have tried to fix this annoyance for about 6 hours now. I've searched the internet for fixes and nothing has helped. I came across this site hoping for some success in getting my computer back to running normally, and yes, I have used the search option! Every time Windows boots up now, I get the famous "your computer is infected with spyware" alert at the bottom of my taskbar. My Internet Explorer is now using a search.html from my C: and bombs my desktop with hundreds of popups. SVCHOST.exe is running about 15 times and iexplorer.exe is running about 40 times in the processes list. I also get some weird processes that I never had before like z11.exe and z14.exe. A command prompt window also pops up at start and tries to access netsh.exe. I get errors at start up that say something about can't find winlogin.exe. Here is my HiJackThis log.. if I need to provide anything else before we step forward let me know.. I had to post this under Safe Mode because it's the only way I can fully operate Internet Explorer, otherwise it gets flooded with popups and just shuts itself down...

Logfile of HijackThis v1.99.1
Scan saved at 3:04:26 AM, on 12/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\inet20099\winlogon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\alhtrvgw.exe
C:\WINDOWS\System32\siklagly.exe
C:\WINDOWS\sysldr32.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\System32\cmd32.exe
C:\WINDOWS\z00096.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\windows\system32\winserver.exe
C:\WINDOWS\System32\efsdfgxg.exe
C:\WINDOWS\sachost.exe
C:\WINDOWS\inet20099\mm6.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\sachosts.exe
C:\WINDOWS\System32\sachostc.exe
C:\WINDOWS\System32\z11.exe
C:\WINDOWS\System32\z14.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\winstall.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\exeha2.exe
C:\WINDOWS\System32\dial32.exe
C:\Plugin Downloads\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\System32\search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\System32\search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\System32\search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\System32\search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\System32\search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\search.html
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F3 - REG:win.ini: run=C:\WINDOWS\inet20099\winlogon.exe
O1 - Hosts: 85.77.24.118 L2authd.lineage2.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20099\3.00.11.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\System32\mcconfig.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Windows System] alhtrvgw.exe
O4 - HKLM\..\Run: [siklagly] C:\WINDOWS\System32\siklagly.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [0kg00xc4.dll] RUNDLL32.EXE 0kg00xc4.dll,b 127570203
O4 - HKLM\..\Run: [Contextual Tool] C:\WINDOWS\z00096.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [win32] c:\windows\system32\winserver.exe
O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\System32\efsdfgxg.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20099\winlogon.exe
O4 - HKLM\..\Run: [Onlune Sarvice] C:\WINDOWS\sachost.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] alhtrvgw.exe
O4 - HKLM\..\RunServices: [win32] c:\windows\system32\winserver.exe
O4 - HKLM\..\RunServices: [Explorer64] C:\WINDOWS\System32\efsdfgxg.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe
O4 - HKCU\..\Run: [siklagly] C:\WINDOWS\System32\siklagly.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [win32] c:\windows\system32\winserver.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20099\winlogon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133128450187
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\System32\xhtitycg.dll
O20 - Winlogon Notify: mcconfig - C:\WINDOWS\SYSTEM32\mcconfig.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

Oh, by the way, my attempt to fix this was using Search & Destroy Spybot, Microsoft AntiSpyware, and Online Housecall. It just reinstalls itself.

hi5
« Reply #1 on: December 20, 2005, 02:52:40 PM »
Does only 1 person help with problems? I've been waiting for a long time for a reply and no one seems to take interest in helping me... perhaps I should look somewhere else...

guestolo
« Reply #2 on: December 20, 2005, 07:38:23 PM »
Quote
Does only 1 person help with problems? I've been waiting for a long time for a reply and no one seems to take interest in helping me... perhaps I should look somewhere else...

I was going to post, but now I'll wait to see a fresh HijackThis log if you still need a hand.
I don't want to get involved with a HijackThis log if you're receiving help elsewhere.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


hi5
« Reply #3 on: December 20, 2005, 07:49:53 PM »
I still need help.. thank you for responding!

Logfile of HijackThis v1.99.1
Scan saved at 6:44:03 PM, on 12/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\inet20099\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\alhtrvgw.exe
C:\WINDOWS\System32\siklagly.exe
C:\WINDOWS\sysldr32.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\System32\cmd32.exe
C:\WINDOWS\z00096.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\windows\system32\winserver.exe
C:\WINDOWS\System32\efsdfgxg.exe
C:\WINDOWS\sachost.exe
C:\WINDOWS\inet20099\mm6.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\sachosts.exe
C:\WINDOWS\System32\sachostc.exe
C:\WINDOWS\System32\z11.exe
C:\WINDOWS\System32\z14.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\winstall.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\exeha2.exe
C:\WINDOWS\System32\dial32.exe
C:\Plugin Downloads\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\System32\search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\System32\search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\System32\search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\System32\search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\System32\search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\search.html
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F3 - REG:win.ini: run=C:\WINDOWS\inet20099\winlogon.exe
O1 - Hosts: 85.77.24.118 L2authd.lineage2.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20099\3.00.11.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\System32\mcconfig.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Windows System] alhtrvgw.exe
O4 - HKLM\..\Run: [siklagly] C:\WINDOWS\System32\siklagly.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [0kg00xc4.dll] RUNDLL32.EXE 0kg00xc4.dll,b 127570203
O4 - HKLM\..\Run: [Contextual Tool] C:\WINDOWS\z00096.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [win32] c:\windows\system32\winserver.exe
O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\System32\efsdfgxg.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20099\winlogon.exe
O4 - HKLM\..\Run: [Onlune Sarvice] C:\WINDOWS\sachost.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] alhtrvgw.exe
O4 - HKLM\..\RunServices: [win32] c:\windows\system32\winserver.exe
O4 - HKLM\..\RunServices: [Explorer64] C:\WINDOWS\System32\efsdfgxg.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe
O4 - HKCU\..\Run: [siklagly] C:\WINDOWS\System32\siklagly.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [win32] c:\windows\system32\winserver.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20099\winlogon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133128450187
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\System32\xhtitycg.dll
O20 - Winlogon Notify: mcconfig - C:\WINDOWS\SYSTEM32\mcconfig.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

guestolo
« Reply #4 on: December 20, 2005, 08:44:54 PM »
You have a few problems on your computer,
and no sign of any Anti-Virus software installed.
We will get you a free solution later if you don't have your own.
For now, please do the following:

==Download and Install
Windows Cleanup! 4.0
Don't run it yet

===Download and then Install
Ewido Security Suite

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

==Download SmitRem.exe by Noahdfear and save the file to your desktop.
Don't run it yet

==Download CWShredder.exe and save to your desktop
Don't run it yet

==Download Killbox
From one of these locations
http://www.downloads.subratam.org/KillBox.exe
http://www.atribune.org/downloads/KillBox.exe
and save it to your desktop or folder

Please print the next set of instructions or save them to a notepad file on your desktop for reference

I need you to disable your Anti-Spyware realtime protections so they won't interfere in any way with the fixes we are about to try; you can re-enable these once you are proclaimed clean.

Microsoft AntiSpyware
Open Microsoft AntiSpyware.
Click on Options>>Settings
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Select Safe mode from the Startup menu

Once in safe mode

Start Killbox.exe
Leave "Standard Kill file" selected
In the "Full path of File to Delete" copy and paste entry below in bold

C:\WINDOWS\System32\siklagly.exe

Then click the Red Circle with the White X
Allow it to make a backup and delete the file
Don't worry about no file found messages

Carry on with the same instructions with the rest of these

C:\WINDOWS\sysldr32.exe
C:\WINDOWS\System32\cmd32.exe
C:\WINDOWS\System32\0kg00xc4.dll
C:\WINDOWS\z00096.exe
C:\WINDOWS\inet20099\mm6.exe
C:\WINDOWS\System32\sachosts.exe
C:\WINDOWS\System32\sachostc.exe
C:\WINDOWS\System32\z11.exe
C:\WINDOWS\System32\z14.exe

C:\windows\system32\winserver.exe
C:\WINDOWS\System32\efsdfgxg.exe
C:\WINDOWS\inet20099\winlogon.exe
C:\WINDOWS\sachost.exe
C:\WINDOWS\System32\alhtrvgw.exe
c:\windows\system32\winserver.exe
C:\WINDOWS\System32\exeha2.exe
C:\WINDOWS\System32\dial32.exe

C:\WINDOWS\system32\srshost.exe
C:\WINDOWS\System32\siklagly.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\winstall.exe
C:\WINDOWS\System32\xhtitycg.dll
C:\WINDOWS\SYSTEM32\mcconfig.dll
C:\WINDOWS\inet20099\3.00.11.dll
C:\WINDOWS\System32\search.html


Find and delete this folder if found
C:\WINDOWS\inet20099 <-this folder

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

==Double click on CWShredder.exe
Run the FIX part of it, let it fix what it finds
When it's done
Remain in safe mode

==Double click on SmitRem.exe to extract it to its own folder on the desktop.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: While Ewido is running, don't open any other windows; let it do its job

Do a "System scan only" with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\System32\search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\System32\search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\System32\search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\System32\search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\System32\search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\search.html
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F3 - REG:win.ini: run=C:\WINDOWS\inet20099\winlogon.exe
O1 - Hosts: 85.77.24.118 L2authd.lineage2.com

O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20099\3.00.11.dll
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\System32\mcconfig.dll

O4 - HKLM\..\Run: [Microsoft Windows System] alhtrvgw.exe
O4 - HKLM\..\Run: [siklagly] C:\WINDOWS\System32\siklagly.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [0kg00xc4.dll] RUNDLL32.EXE 0kg00xc4.dll,b 127570203
O4 - HKLM\..\Run: [Contextual Tool] C:\WINDOWS\z00096.exe

O4 - HKLM\..\Run: [win32] c:\windows\system32\winserver.exe
O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\System32\efsdfgxg.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20099\winlogon.exe
O4 - HKLM\..\Run: [Onlune Sarvice] C:\WINDOWS\sachost.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] alhtrvgw.exe
O4 - HKLM\..\RunServices: [win32] c:\windows\system32\winserver.exe
O4 - HKLM\..\RunServices: [Explorer64] C:\WINDOWS\System32\efsdfgxg.exe

O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe
O4 - HKCU\..\Run: [siklagly] C:\WINDOWS\System32\siklagly.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [win32] c:\windows\system32\winserver.exe

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20099\winlogon.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O20 - AppInit_DLLs: C:\WINDOWS\System32\xhtitycg.dll
O20 - Winlogon Notify: mcconfig - C:\WINDOWS\SYSTEM32\mcconfig.dll


After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

==Reboot back to Normal mode

==From my signature below, use Internet Explorer and run an Online Virus scan at Panda's
It's safe to supply them with an email address and additional info needed
When it's loaded
Choose to scan "Local Disks"
When the scan is done, if anything is found
Click the See Report
Save this report to your desktop

==Post the following back please
1. A fresh hijackthis log
2. The full report from Ewido's
3. Post the Whole log made from SmitRem located here C:\Smitfiles.txt
4. Post the Report from Panda's
« Last Edit: December 20, 2005, 08:47:11 PM by guestolo »

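A way to triage a log like the ones posted in this thread before deciding which entries to tick, as an added example that is neither the thread's own code nor part of HijackThis: it parses the log format above and flags the structural tells the fix list above relies on (a core Windows binary running from the wrong directory, many copies of one image, IE pages pointing at a local file, a program chained onto the Shell line, hosts redirects, AppInit_DLLs, and Run entries with a bare filename or living in a masquerade directory). The sample lines are copied from the first log in the thread; the process-count threshold and the finding labels are assumptions.

```python
"""Triage helper for HijackThis v1.99 logs (constructed example, not part of
the thread or of HijackThis). Flags the structural tells the fix list relies
on; names that merely look random (siklagly.exe) still need a reputation check.
"""
import re
from collections import Counter

# Core Windows binaries and the directory (lower-case) each must run from.
# The same name running from anywhere else is a masquerade.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
PROCESS_COUNT_LIMIT = 10  # assumed threshold: more copies of one image than this

# O4 entry whose command is just a filename, so Windows searches the PATH for it.
BARE_AUTORUN = re.compile(r"hk\w+\\\.\.\\run\w*: \[[^\]]*\] [\w.]+\.exe$")


def split_path(path):
    """Return (directory, filename), both lower-case, for a Windows path."""
    head, _, tail = path.lower().rpartition("\\")
    return head, tail


def parse_log(text):
    """Return (process paths, [(section, body), ...]) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False  # the blank line ends the process list
        elif in_procs:
            processes.append(line)
        else:
            m = re.match(r"^([RFO]\d+) - (.*)$", line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return processes, entries


def triage(text):
    """Return [(reason, detail), ...] for entries worth a helper's attention."""
    processes, entries = parse_log(text)
    findings, bad_dirs = [], set()

    for proc in processes:
        directory, name = split_path(proc)
        expected = EXPECTED_DIR.get(name)
        if expected and directory != expected:
            findings.append(("system binary outside its home", proc))
            bad_dirs.add(directory)  # anything else living there is suspect too
    for proc, n in Counter(processes).items():
        if n > PROCESS_COUNT_LIMIT:
            findings.append((f"{n} copies of one image", proc))

    for section, body in entries:
        low = body.lower()
        if section in ("R0", "R1") and re.search(r"= [a-z]:\\", low):
            findings.append(("IE page points at a local file", body))
        elif section == "F2" and "shell=explorer.exe " in low:
            findings.append(("extra program chained to the Shell", body))
        elif section == "O1":
            findings.append(("hosts file redirect", body))
        elif section == "O20":
            findings.append(("DLL loaded into every process or winlogon", body))
        elif section == "O4" and any(d in low for d in bad_dirs):
            findings.append(("autorun in a masquerade directory", body))
        elif section == "O4" and BARE_AUTORUN.match(low):
            findings.append(("autorun with a bare filename, no path", body))
    return findings


# Constructed sample: lines copied from the first log in this thread.
SAMPLE_LOG = "\n".join(
    ["Running processes:",
     r"C:\WINDOWS\System32\smss.exe",
     r"C:\WINDOWS\system32\winlogon.exe",
     r"C:\WINDOWS\explorer.exe",
     r"C:\WINDOWS\inet20099\winlogon.exe"]
    + [r"C:\WINDOWS\ServicePackFiles\i386\IExplore.exe"] * 13
    + [r"C:\Plugin Downloads\HijackThis.exe",
       "",
       r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\search.html",
       r'F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"',
       "O1 - Hosts: 85.77.24.118 L2authd.lineage2.com",
       r"O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe",
       r"O4 - HKLM\..\Run: [Microsoft Windows System] alhtrvgw.exe",
       r"O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20099\winlogon.exe",
       r'O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background',
       r"O20 - AppInit_DLLs: C:\WINDOWS\System32\xhtitycg.dll"]
)

if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LOG):
        print(f"[{reason}] {detail}")
```

The bare-filename rule also picks up the legitimate Logitech entry, which is deliberate: it marks entries to look at, not entries to delete.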


hi5
« Reply #5 on: December 20, 2005, 11:18:50 PM »
Here are the results, sorry I took so long I had company :(

### HIJACKTHIS LOG ###

Logfile of HijackThis v1.99.1
Scan saved at 10:05:53 PM, on 12/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Plugin Downloads\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\mcconfig.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133128450187
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: mcconfig - C:\WINDOWS\SYSTEM32\mcconfig.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

### EWIDO'S REPORT ###

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:         9:30:52 PM, 12/20/2005
 + Report-Checksum:      9733ABE3

 + Scan result:

   HKLM\SOFTWARE\Classes\Replace.HBO -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\Replace.HBO\CLSID -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\Replace.HBO\CurVer -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\Replace.HBO.1 -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Mserv -> Spyware.Daemonize : Cleaned with backup
   C:\!KillBox\alhtrvgw.exe -> Backdoor.Rbot : Cleaned with backup
   C:\!KillBox\dial32.exe -> Trojan.Dialer.ay : Cleaned with backup
   C:\!KillBox\efsdfgxg.exe -> Dropper.Paradrop.a : Cleaned with backup
   C:\!KillBox\exeha2.exe -> Dropper.Paradrop.a : Cleaned with backup
   C:\!KillBox\ibm00001.exe -> Logger.Small.dg : Cleaned with backup
   C:\!KillBox\inet20099\3.00.11.dll -> Spyware.Ihbo : Cleaned with backup
   C:\!KillBox\inet20099\alg.exe -> Worm.Delf.i : Cleaned with backup
   C:\!KillBox\inet20099\services.exe -> Downloader.CWS.j : Cleaned with backup
   C:\!KillBox\mcconfig.dll -> Trojan.Agent.cs : Cleaned with backup
   C:\!KillBox\mm6.exe -> Proxy.Delf.an : Cleaned with backup
   C:\!KillBox\sachostc.exe -> Proxy.Daemonize.t : Cleaned with backup
   C:\!KillBox\sachosts.exe -> Proxy.Daemonize.u : Cleaned with backup
   C:\!KillBox\sysldr32.exe -> Worm.Locksky.l : Cleaned with backup
   C:\!KillBox\winlogon.exe -> Downloader.CWS : Cleaned with backup
   C:\!KillBox\winserver.exe -> Logger.Agent.dt : Cleaned with backup
   C:\!KillBox\winstall.exe -> Hijacker.Spywad.n : Cleaned with backup
   C:\!KillBox\xhtitycg.dll -> Trojan.Crypt.o : Cleaned with backup
   C:\!KillBox\z11.exe -> Hijacker.Spywad.n : Cleaned with backup
   C:\!KillBox\z14.exe -> Worm.Locksky.l : Cleaned with backup
   C:\Documents and Settings\Mick\cdegfr -> Worm.Locksky.l : Cleaned with backup
   C:\Documents and Settings\Mick\sdfff -> Downloader.Small.awa : Cleaned with backup
   C:\Documents and Settings\Mick\wdcsadsad -> Dropper.Delf.pb : Cleaned with backup
   C:\Program Files\Common Files\fmzr\fmzrd\fmzrc.dll -> Downloader.Small : Cleaned with backup
   C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll -> Trojan.Sinowal.a : Cleaned with backup
   C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Logger.Small.dg : Cleaned with backup
   C:\Program Files\QL\uninstall.exe -> Adware.Suggestor : Cleaned with backup
   C:\WINDOWS\91.exe -> Logger.Goldun.fq : Cleaned with backup
   C:\WINDOWS\system32\0kg0an0q.dll -> Adware.Sud : Cleaned with backup
   C:\WINDOWS\system32\exeha3.exe -> Downloader.CWS.j : Cleaned with backup
   C:\WINDOWS\system32\mcconfig.dll -> Trojan.Agent.cs : Cleaned with backup
   C:\WINDOWS\system32\tevaejuw.dll -> Trojan.Crypt.o : Cleaned with backup
   C:\WINDOWS\system32\wafsebdm.dll -> Trojan.Crypt.o : Cleaned with backup
   C:\WINDOWS\system32\winl0gon.exe -> Dropper.Small.na : Cleaned with backup
   C:\WINDOWS\system32\xhtitycg.dll -> Trojan.Crypt.o : Cleaned with backup
   C:\WINDOWS\system32\z12.exe -> Downloader.Small.awa : Cleaned with backup
   C:\WINDOWS\system32\z16.exe -> Dropper.Delf.pb : Cleaned with backup
   C:\WINDOWS\tool2.exe -> Hijacker.Spywad.n : Cleaned with backup


::Report End

### SMITREM ###


   smitRem © log file
     version 2.8

     by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 12/20/2005
The current time is: 21:18:21.25

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 checking for ShudderLTD key

ShudderLTD key not present!

 checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Existing Pre-run Files


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~



 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Icons in System32 ~~~



 ~~~ Windows directory ~~~

desktop.html


 ~~~ Drive root ~~~


 ~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 452 'explorer.exe'
Killing PID 452 'explorer.exe'

Starting registry repairs

Deleting files


   Remaining Post-run Files


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~



 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Icons in System32 ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~



 ~~~ Miscellaneous Files/folders ~~~




 ~~~ Wininet.dll ~~~

 CLEAN! :)

### PANDA'S REPORT ###


Incident                        Status            Location

Possible Virus.                 Not disinfected   C:\!KillBox\cmd32.exe
Virus:Trj/Tofger.BG             Not disinfected   C:\!KillBox\sachost.exe
Virus:Bck/Small.QE              Not disinfected   C:\!KillBox\siklagly.exe
Adware:Adware/Deskwizz          Not disinfected   C:\!KillBox\z00096.exe
Possible Virus.                 Not disinfected   C:\boot.inx
Adware:Adware/CWS.Searchmeup    Not disinfected   C:\Documents and Settings\Mick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-cb66fa7-5d916813.zip[GetAccess.class]
Adware:Adware/CWS.Searchmeup    Not disinfected   C:\Documents and Settings\Mick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-cb66fa7-5d916813.zip[Installer.class]
Virus:Exploit/ByteVerify        Not disinfected   C:\Documents and Settings\Mick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-217a6652-77b76e32.zip[Matrix.class]
Virus:Trj/SDOptimizer.A         Not disinfected   C:\Plugin Downloads\backups\backup-20051220-213834-928.dll
Virus:Trj/Tofger.BG             Not disinfected   C:\Program Files\Microsoft AntiSpyware\Quarantine\07B00373-C24A-40C3-A399-276CC5\94892544-34C5-44A2-BCBF-22A76B
Virus:Trj/Tofger.BG             Not disinfected   C:\Program Files\Microsoft AntiSpyware\Quarantine\221ED568-43FD-4026-81D5-8FB25D\A10DFBA5-8DDF-4BA5-B365-0EEEA4
Virus:Trj/Tofger.BG             Not disinfected   C:\Program Files\Microsoft AntiSpyware\Quarantine\2AC34083-2D82-46AC-BF2D-C80096\965C0FB7-E6B4-420E-97BD-781D75
Adware:adware/secure32          Not disinfected   C:\secure32.html
Adware:Adware/CWS.Searchmeup    Not disinfected   C:\WINDOWS\742.exe
Virus:Trj/Tofger.AE             Not disinfected   C:\WINDOWS\msrt32.dll
Virus:Trj/Gagagaradio.C         Not disinfected   C:\WINDOWS\sev.exe
Virus:Trj/SDOptimizer.A         Not disinfected   C:\WINDOWS\system32\dmkdlpsk.exe
Virus:Trj/SDOptimizer.A         Not disinfected   C:\WINDOWS\system32\mcconfig.dll
Virus:Trj/Agent.ALN             Not disinfected   C:\WINDOWS\system32\winserv.dll
Virus:Trj/Agent.AII             Not disinfected   C:\WINDOWS\system32\winserv32.dll
Adware:adware/cws.searchmeup    Not disinfected   C:\WINDOWS\system32\z13.exe
Virus:Bck/Galapoper.IA          Not disinfected   C:\WINDOWS\system32\z15.exe
Adware:adware/popupsandbanners  Not disinfected   C:\WINDOWS\teller2.chk
I hope we are cleaned.. or almost..

guestolo (Administrator)
« Reply #6 on: December 21, 2005, 01:09:14 AM »
Let's see if we can clean the rest of this

Open the Windows control panel
Double click to open the Java Icon
Under the General tab>>click Delete Files>>Ok it
Exit

Can you save the rest of these instructions to a Notepad file, then close all browser windows
Make sure you disconnect from the Internet

Open Killbox
Again use the "Standard File Kill" on the following
Additionally put a tick in "End Explorer shell when killing file"
Keep track of any files that won't delete

C:\boot.inx
C:\secure32.html
C:\WINDOWS\742.exe
C:\WINDOWS\msrt32.dll
C:\WINDOWS\sev.exe
C:\WINDOWS\system32\dmkdlpsk.exe

C:\WINDOWS\system32\winserv.dll
C:\WINDOWS\system32\winserv32.dll
C:\WINDOWS\system32\z13.exe
C:\WINDOWS\system32\z15.exe
C:\WINDOWS\teller2.chk


For any files that wouldn't delete
Use the "Delete File on Reboot" Option
Okay the prompt to delete on reboot, but don't reboot until you have added this next one into killbox

C:\WINDOWS\SYSTEM32\mcconfig.dll

At which time allow the computer to reboot or Reboot manually

Back in Windows

You're not running any Anti-Virus software on your computer
If you don't have your own to install

Download and install one of these AV's
Both have a free version
AVG 7 by Grisoft
OR
Avast Home Edition by ALWIL

ONLY install one, more than one can cause conflicts

After it's installed, make sure it is updated and run a full system scan
It would be best to run this scan in Safe mode

Afterwards, reboot the computer again
Back in Normal mode

Post back a fresh hijackthis log
« Last Edit: December 21, 2005, 01:11:55 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


hi5
« Reply #7 on: December 21, 2005, 03:10:58 AM »
HiJackThis log as requested!

Logfile of HijackThis v1.99.1
Scan saved at 2:10:12 AM, on 12/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Plugin Downloads\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\mcconfig.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133128450187
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: mcconfig - C:\WINDOWS\SYSTEM32\mcconfig.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

hi5
« Reply #8 on: December 21, 2005, 05:17:32 AM »
If that looks ok with you, I have one other issue. It seems as though my computer is still sluggish after the attack. Is there any way we can run some checks and see if we can possibly speed things back up?

guestolo (Administrator)
« Reply #9 on: December 21, 2005, 07:37:59 PM »
This file won't go away
Can I ask you to try the following
Although the filename looks too long, worth a try

Please download VundoFix.exe to your desktop.
* Double-click VundoFix.exe to extract the files
* This will create a VundoFix folder on your desktop.

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads,
Select Safe mode from the startup menu

* Once in safe mode

Open the VundoFix folder and double-click on KillVundo.bat
* You will first be presented with a warning.
It should look like this
Quote:
    VundoFix by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

* At this point press enter one time.

* Next you will see:
Quote:
    Please Type in the filepath as instructed by the forum staff
    and then press enter:

* At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINDOWS\system32\mcconfig.dll

* Press Enter to continue with the fix.

* Next you will see:
Quote:
    Please type in the second filepath as instructed by the forum
    staff then press enter:

* At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINDOWS\system32\gifnoccm.*

* Press Enter to continue with the fix.
* The fix will run then HijackThis will open, if it does not open automatically please open it manually.
* In HiJackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\mcconfig.dll
    O20 - Winlogon Notify: mcconfig - C:\WINDOWS\SYSTEM32\mcconfig.dll

* After you have fixed these items, close Hijackthis.
* Press enter to exit the program then manually reboot your computer.

Back in Windows
I need to see the following

Post back a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.

Additionally,
Save Silent Runners.vbs to your desktop and double-click on it to run.
If prompted by your AV, please let this script run, we are just collecting information

This will create a text file on your desktop
Open the text file and copy and paste the contents back here

NOTE: let silentrunners completely finish, it should prompt when it is done
« Last Edit: December 21, 2005, 08:41:49 PM by guestolo »


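The HijackThis fix in the reply above pairs an O2 BHO with an O20 Winlogon Notify entry for the same DLL, and gives VundoFix a second, reversed filename (mcconfig -> gifnoccm). As an added example (not from the thread, nor part of HijackThis or VundoFix), this Python triage script applies that logic to HijackThis log lines; the sample log is constructed from lines quoted in the thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# "O2 - BHO: <name> - {CLSID} - <path>"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# "O20 - Winlogon Notify: <key> - <path>"
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
# Sections where a "(file missing)" path deserves a second look
MISSING_SECTIONS_RE = re.compile(r"^O(2|20|23) - ")


@dataclass
class Finding:
    kind: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased last path component, ignoring quotes and a '(file missing)' marker."""
    clean = path.replace("(file missing)", "").strip().strip('"')
    return clean.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def reversed_companion(filename: str) -> str:
    """Reverse the stem and wildcard the extension: mcconfig.dll -> gifnoccm.*
    (the second path VundoFix was given in the thread)."""
    stem = filename.rsplit(".", 1)[0]
    return stem[::-1] + ".*"


def triage(log_text: str) -> list[Finding]:
    """Return review items from HijackThis O2/O20/O23 lines, in log order,
    followed by cross-section matches. These are items to review, not verdicts:
    the thread's own log shows ashMaiSv.exe running although HijackThis marked
    the quoted service path "(file missing)"."""
    findings: list[Finding] = []
    bhos: dict[str, str] = {}       # basename -> path of each O2 BHO
    notifies: dict[str, str] = {}   # basename -> path of each O20 Notify DLL
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if MISSING_SECTIONS_RE.match(line) and "(file missing)" in line:
            findings.append(Finding("missing-file", line))
        m = BHO_RE.match(line)
        if m:
            bhos[basename(m.group("path"))] = m.group("path")
            continue
        m = NOTIFY_RE.match(line)
        if m:
            base = basename(m.group("path"))
            notifies[base] = m.group("path")
            findings.append(Finding("winlogon-notify", f"{m.group('name')} -> {m.group('path')}"))
    # A DLL registered both as a BHO and as a Winlogon Notify handler is loaded
    # by winlogon.exe at logon, not only by Internet Explorer, which is why it
    # resisted deletion while Windows was running (mcconfig.dll in the thread).
    for base in sorted(set(bhos) & set(notifies)):
        findings.append(Finding("bho+notify-same-dll", base))
        findings.append(Finding("check-reversed-name", reversed_companion(base)))
    return findings


# Constructed sample: lines quoted from the thread's HijackThis log, trimmed.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\mcconfig.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: mcconfig - C:\WINDOWS\SYSTEM32\mcconfig.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```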

hi5
« Reply #10 on: December 21, 2005, 10:09:55 PM »
### HIJACKTHIS LOG ###

Logfile of HijackThis v1.99.1
Scan saved at 9:08:22 PM, on 12/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Plugin Downloads\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133128450187
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

### VUNDOFIX LOG ###

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\mcconfig.dll

The second filepath entered was C:\WINDOWS\system32\gifnoccm.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------

Killing PID 576 'smss.exe'

Killing PID 1476 'explorer.exe'
Killing PID 1476 'explorer.exe'

Killing PID 648 'winlogon.exe'
Killing PID 648 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\mcconfig.dll Deleted sucessfully.
C:\WINDOWS\system32\gifnoccm.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

### SILENT RUNNERS LOG ###

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
"AdaptecDirectCD" = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" ["Roxio"]
"WinampAgent" = ""C:\Program Files\Winamp\Winampa.exe"" [null data]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{F85E86D8-F796-4C97-AAA2-26664A98A42C}\(Default) = "CIEPl Object" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\mcconfig.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.02 Context Menu Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.02 DragDrop Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.02 Context Menu Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.02 Property Sheet Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! mcconfig\DLLName = "mcconfig.dll" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]


      Active Desktop and Wallpaper:
      -----------------------------

      Active Desktop is disabled at this entry:
      HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


      Enabled Screen Saver:
      ---------------------

      HKCU\Control Panel\Desktop\
      "SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


      Startup items in "Mick" & "All Users" startup folders:
      ------------------------------------------------------

      C:\Documents and Settings\All Users\Start Menu\Programs\Startup
      "Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]


      Winsock2 Service Provider DLLs:
      -------------------------------

      Namespace Service Providers

      HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
      000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
      000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
      000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

      Transport Service Providers

      HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
      0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
      %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
      %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


      Toolbars, Explorer Bars, Extensions:
      ------------------------------------

      Extensions (Tools menu items, main toolbar menu buttons)

      HKLM\Software\Microsoft\Internet Explorer\Extensions\
      {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
      "MenuText" = "Sun Java Console"
      "CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
        -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

      {85D1F590-48F4-11D9-9669-0800200C9A66}\
      "MenuText" = "Uninstall BitDefender Online Scanner v8"
      "Exec" = "%windir%\bdoscandel.exe" [null data]


      HOSTS file
      ----------

      C:\WINDOWS\System32\drivers\etc\HOSTS

      maps: 1 domain name to an IP address,
            1 of the IP addresses is *not* localhost!


      Running Services (Display Name, Service Name, Path {Service DLL}):
      ------------------------------------------------------------------

      avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
      avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
      avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
      avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
      ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]


      ----------
      + This report excludes default entries except where indicated.
      + To see *everywhere* the script checks and *everything* it finds,
        launch it from a command prompt or a shortcut with the -all parameter.
      + To search all directories of local fixed drives for DESKTOP.INI
        DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
        use the -supp parameter or answer "No" at the first message box.
      ---------- (total run time: 100 seconds, including 6 seconds for message boxes)

      guestolo (Administrator)
      Little Help Please
      « Reply #11 on: December 21, 2005, 11:23:09 PM »
      Can you do the following for me please



      Download:  Registry Search Tool from this link
      http://billsway.com/vbspage/

      Unzip and double-click "RegSrch.vbs"
      Note: if your Antivirus or another program prompts about running a ".vbs" file, allow the script to run

      In the open field copy and paste the below in bold then hit OK

      mcconfig

      Wait for the results and post them back here
      Can you do the same for these next ones too please
      F85E86D8-F796-4C97-AAA2-26664A98A42C

      CIEPl


      Additionally, Open Hijackthis>>Open Misc tools sections>>Open Hosts file manager
      Click the "Open in Notepad" button
      A text file should open, can you copy and paste back here the whole contents please
      « Last Edit: December 22, 2005, 12:49:31 AM by guestolo »

      Do you want to post your own logs from FRST?

      Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


      hi5 (Newbie)
      « Reply #12 on: December 22, 2005, 03:23:23 AM »
      REGEDIT4
      ; RegSrch.vbs © Bill James

      ; Registry search results for string "mcconfig" 12/22/2005 2:22:09 AM

      ; NOTE: This file will be deleted when you close WordPad.
      ; You must manually save this file to a new location if you want to refer to it again later.
      ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SD_is1 Optimizer]
      "UninstallString"="rundll32.exe C:\\WINDOWS\\system32\\mcconfig.dll,Uninstall"

      REGEDIT4
      ; RegSrch.vbs © Bill James

      ; Registry search results for string "F85E86D8-F796-4C97-AAA2-26664A98A42C" 12/22/2005 2:22:49 AM

      ; NOTE: This file will be deleted when you close WordPad.
      ; You must manually save this file to a new location if you want to refer to it again later.
      ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEpl.IEpl\CLSID]
      @="{F85E86D8-F796-4C97-AAA2-26664A98A42C}"

      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEpl.IEPl.1\CLSID]
      @="{F85E86D8-F796-4C97-AAA2-26664A98A42C}"

      REGEDIT4
      ; RegSrch.vbs © Bill James

      ; Registry search results for string "CIEPl" 12/22/2005 2:23:18 AM

      ; NOTE: This file will be deleted when you close WordPad.
      ; You must manually save this file to a new location if you want to refer to it again later.
      ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEpl.IEpl]
      @="CIEPl Object"

      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEpl.IEPl.1]
      @="CIEPl Object"

      # DsG Reborn © 2005 DS Gaming Community
      #
      # This file tells Lineage II how to connect to the DsG Reborn Server.
      #
      #
      # Welcome to DS Gaming Community.
      #
      # Please Register an account on: http://dsgamers.net
      #
      # Come visit us at dsgamers.net and check out game reviews, videos, and
      # forums. Don't have one of the games we play just click the BestBuy link
      # on the home page and purchase the game plus with BestBuy you can choose
      # to pick up items at one of their stores near you or choose to have it
      # shipped directly to you. By going through our site you will be helping
      # DS Gamers. Get your DS Gamers T-shirts, and other items at the DSGAMERS
      # store.
      #
      #
      # Thank you for playing on DsG Servers and have fun.
      #
      # DS Gaming Community                       last updated: 12/05/2005


      85.77.24.118 l2.authd.lineage2.com
      « Last Edit: December 22, 2005, 03:24:24 AM by hi5 »

      hi5 (Newbie)
      « Reply #13 on: December 22, 2005, 09:18:29 PM »
      ttt

      guestolo (Administrator)
      « Reply #14 on: December 22, 2005, 09:21:47 PM »
      Sorry for the delay

      Can you do the following
      Make sure we have a restore point to this time
      Go to START>>Programs>>Accessories>>System Tools>>System Restore
      Click the Create a new restore point
      Name it and click Create

      When that's done
      Open Notepad (START>>>RUN>>>type in notepad)
      Hit OK
      Copy the contents of the CODE box to notepad, not including the word "code"
      In Notepad click FILE>>SAVE AS
      IMPORTANT>>>Change the Save as Type to All Files.
      Name the file as fix.reg

      Save this file on the desktop

      Code:
      REGEDIT4

      [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SD_is1 Optimizer]

      [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEpl.IEpl]

      [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEpl.IEPl.1]

      Double click on fix.reg and allow to add or merge to the registry

      Reboot your computer

      Back in Windows
      That hosts file doesn't look right
      Unless you knowingly added it, can you do the following
      Navigate to this folder
      C:\WINDOWS\SYSTEM32\DRIVERS\ETC
      Open the ETC folder
      Right click on the
      "hosts" file, no extension
      Click rename and rename it to hosts.old
      Exit

      Open hijackthis>>Open Misc tools section>>Open Hosts file manager
      Hijackthis should prompt that no hosts file was found and to create one
      Do so

      Can you do the following
      Open Ewido, check for updates, if you have trouble with updating
      Use the manual update link I supplied earlier

      Run another complete scan
      When it's done, post the report back here with a fresh hijackthis log

      Could you also delete the log that SilentRunners made earlier
      and then run SilentRunners again and post the new log

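The check behind guestolo's "that hosts file doesn't look right", written out as an added example (not code from this thread, from HijackThis or from Silent Runners): it parses a Windows hosts file and reports every name mapped somewhere other than loopback, the condition Silent Runners summarises as "not localhost". It treats 0.0.0.0 sinkhole entries, as used by blocklist-style hosts files, as benign rather than as redirects. Both sample files are constructed here: one is the redirect posted above with its comment block shortened, the other a minimal default hosts file.

```python
"""Hosts-file audit: flag names that are redirected away from localhost.

Added example for this thread; not part of Silent Runners or HijackThis.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class HostsEntry:
    line_no: int
    address: str
    names: Tuple[str, ...]


def parse_hosts(text: str) -> List[HostsEntry]:
    """One address followed by one or more names per line; '#' starts a
    comment; blank lines and lines without a name are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no hostname maps nothing
        entries.append(HostsEntry(line_no, fields[0], tuple(fields[1:])))
    return entries


def classify(address: str) -> str:
    """'localhost' for loopback (127.0.0.0/8, ::1), 'sinkhole' for the
    unspecified address (0.0.0.0 / ::) that blocklists use, 'redirect' for
    any other address, 'invalid' if the field is not an IP address at all."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        return "localhost"
    if ip.is_unspecified:
        return "sinkhole"
    return "redirect"


def audit_hosts(text: str) -> dict:
    """Count mapped names and collect the entries that send a name to a real
    address (or to something that is not an address), which is what a
    defender wants to eyeball before renaming the file to hosts.old."""
    entries = parse_hosts(text)
    redirects = [e for e in entries if classify(e.address) in ("redirect", "invalid")]
    return {
        "names_mapped": sum(len(e.names) for e in entries),
        "redirects": redirects,
    }


def summarize(text: str) -> str:
    """One-line summary in the style of the Silent Runners HOSTS section."""
    result = audit_hosts(text)
    summary = f"maps: {result['names_mapped']} domain name(s) to an IP address"
    bad = len(result["redirects"])
    if bad:
        summary += f", {bad} of the IP addresses is *not* localhost!"
    return summary


# Constructed sample 1: the hosts file posted in this thread, comments shortened.
POSTED_HOSTS = """\
# DsG Reborn (c) 2005 DS Gaming Community
#
# This file tells Lineage II how to connect to the DsG Reborn Server.


85.77.24.118 l2.authd.lineage2.com
"""

# Constructed sample 2: a minimal default hosts file plus one blocklist-style
# 0.0.0.0 line, which must not be reported as a redirect.
CLEAN_HOSTS = """\
# default mapping
127.0.0.1       localhost
0.0.0.0         ads.example.invalid   # blocklist sinkhole, not a redirect
"""

if __name__ == "__main__":
    for label, sample in (("posted", POSTED_HOSTS), ("clean", CLEAN_HOSTS)):
        print(f"{label}: {summarize(sample)}")
        for e in audit_hosts(sample)["redirects"]:
            print(f"  line {e.line_no}: {e.address} -> {', '.join(e.names)}")
```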


      hi5 (Newbie)
      « Reply #15 on: December 26, 2005, 09:40:43 PM »
      Hey dude, sorry I am out of town right now for Christmas. I will follow your helpful steps as soon as I get back. Thank you for everything so far. You've been great help. I hope your holidays are going well!

      hi5 (Newbie)
      « Reply #16 on: December 29, 2005, 06:07:59 PM »
      Sorry for the delay once again. Here are my reports from the instructions prior to my last post:

      ### EWIDO ###

      ---------------------------------------------------------
       ewido anti-malware - Scan report
      ---------------------------------------------------------

       + Created on:         5:03:28 PM, 12/29/2005
       + Report-Checksum:      D9F19029

       + Scan result:

         HKU\S-1-5-21-583907252-1284227242-839522115-1003\Software\Microsoft\Internet Explorer\Keywords -> Spyware.CoolWebSearch : Cleaned with backup
         C:\!KillBox\742.exe -> Downloader.PassAlert.e : Cleaned with backup
         C:\!KillBox\mcconfig.dll -> Trojan.Agent.cs : Cleaned with backup
         C:\!KillBox\siklagly.exe -> Backdoor.Small.iv : Cleaned with backup
         C:\Documents and Settings\Mick\Cookies\[email protected][1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
         C:\Documents and Settings\Mick\Cookies\[email protected][1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
         C:\Documents and Settings\Mick\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
         C:\Documents and Settings\Mick\Cookies\mick@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
         C:\Documents and Settings\Mick\Cookies\[email protected][1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
         C:\Documents and Settings\Mick\Cookies\mick@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
         C:\Documents and Settings\Mick\Cookies\[email protected][2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
         C:\Documents and Settings\Mick\Cookies\[email protected][1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
         C:\Documents and Settings\Mick\Cookies\[email protected][1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
         C:\Documents and Settings\Mick\Cookies\mick@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
         C:\Documents and Settings\Mick\Cookies\[email protected][2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
         C:\Documents and Settings\Mick\Cookies\mick@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
         C:\Documents and Settings\Mick\Cookies\mick@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
         C:\Documents and Settings\Mick\Cookies\mick@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
         C:\Documents and Settings\Mick\Cookies\mick@sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
         C:\Documents and Settings\Mick\Cookies\mick@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
         C:\Documents and Settings\Mick\Cookies\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
         C:\Documents and Settings\Mick\Cookies\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
         C:\Documents and Settings\Mick\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
         C:\installerus.exe -> Downloader.Qoologic.at : Cleaned with backup
         C:\Plugin Downloads\backups\backup-20051220-213834-928.dll -> Trojan.Agent.cs : Cleaned with backup
         C:\Plugin Downloads\backups\backup-20051220-220457-783.dll -> Trojan.Agent.cs : Cleaned with backup


      ::Report End

      ### HI JACK THIS ###

      Logfile of HijackThis v1.99.1
      Scan saved at 5:06:11 PM, on 12/29/2005
      Platform: Windows XP SP1 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
      C:\Program Files\Alwil Software\Avast4\ashServ.exe
      C:\Program Files\ewido anti-malware\ewidoctrl.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
      C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Logitech\MouseWare\system\em_exec.exe
      C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
      C:\Program Files\Winamp\Winampa.exe
      C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
      C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
      C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
      C:\Program Files\MSN Messenger\MsnMsgr.Exe
      C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
      C:\WINDOWS\System32\ctfmon.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Plugin Downloads\HijackThis.exe

      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
      O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
      O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
      O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
      O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
      O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
      O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
      O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
      O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
      O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.Email Removed.msn.com/resources/MsnPUpld.cab
      O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133128450187
      O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
      O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
      O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
      O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
      O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
      O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
      O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
      O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

      ### SILENT RUNNERS ###

      "Silent Runners.vbs", revision 41, http://www.silentrunners.org/
      Operating System: Windows XP
      Output limited to non-default values, except where indicated by "{++}"


      Startup items buried in registry:
      ---------------------------------

      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
      "MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
      "ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
      "Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
      "AdaptecDirectCD" = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" ["Roxio"]
      "WinampAgent" = ""C:\Program Files\Winamp\Winampa.exe"" [null data]
      "SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
      "gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
      "avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

      HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
      {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
        -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
      {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
        -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
      {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]
        -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

      HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
      "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
        -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
      "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
        -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
      "{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.02 Context Menu Shell Extension"
        -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
      "{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.02 DragDrop Shell Extension"
        -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
      "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.02 Context Menu Shell Extension"
        -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
      "{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.02 Property Sheet Shell Extension"
        -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
      "{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
        -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
      "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
        -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

      HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
      INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
        -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
      INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
        -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

      HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
      avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
        -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
      ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
        -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

      HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
      ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
        -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

      HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
      avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
        -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]


      Active Desktop and Wallpaper:
      -----------------------------

      Active Desktop is disabled at this entry:
      HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


      Enabled Screen Saver:
      ---------------------

      HKCU\Control Panel\Desktop\
      "SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


      Startup items in "Mick" & "All Users" startup folders:
      ------------------------------------------------------

      C:\Documents and Settings\All Users\Start Menu\Programs\Startup
      "Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]


      Winsock2 Service Provider DLLs:
      -------------------------------

      Namespace Service Providers

      HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
      000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
      000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
      000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

      Transport Service Providers

      HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
      0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
      %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
      %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


      Toolbars, Explorer Bars, Extensions:
      ------------------------------------

      Extensions (Tools menu items, main toolbar menu buttons)

      HKLM\Software\Microsoft\Internet Explorer\Extensions\
      {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
      "MenuText" = "Sun Java Console"
      "CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
        -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

      {85D1F590-48F4-11D9-9669-0800200C9A66}\
      "MenuText" = "Uninstall BitDefender Online Scanner v8"
      "Exec" = "%windir%\bdoscandel.exe" [null data]


      Running Services (Display Name, Service Name, Path {Service DLL}):
      ------------------------------------------------------------------

      avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
      avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
      avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
      avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
      ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]


      ----------
      + This report excludes default entries except where indicated.
      + To see *everywhere* the script checks and *everything* it finds,
        launch it from a command prompt or a shortcut with the -all parameter.
      + To search all directories of local fixed drives for DESKTOP.INI
        DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
        use the -supp parameter or answer "No" at the first message box.
      ---------- (total run time: 111 seconds, including 18 seconds for message boxes)

      guestolo (Administrator)
      « Reply #17 on: December 29, 2005, 08:27:06 PM »
      Can you run Windows CleanUp! one more time
      Reboot the computer

      How's everything running??



      hi5 (Newbie)
      « Reply #18 on: December 29, 2005, 10:04:09 PM »
      Thanks everything is back to normal!!!

      guestolo (Administrator)
      « Reply #19 on: December 29, 2005, 10:16:21 PM »
      Final cleanup
      If everything is running better, please do the following
      You should disable system restore>>Reboot your computer>>and then re-enable it
      This will clear all your restore points and ensure you don't restore any nasties
      How to Disable and Re-enable System Restore feature
      Make sure you re-enable the system restore feature

      Afterwards, for added protection
      You should install this free tool
      SpywareBlaster 3.4 by JavaCool
      *Will block bad ActiveX Controls
      *Block Malevolent cookies in Internet Explorer and Firefox
      *Restrict actions of potentially dangerous sites in Internet Explorer
      After installation, Check for updates and then click the "Enable all protection"

      Check for updates every couple of weeks
      after every update just simply click the "enable protection on all unprotected items"

      Additionally, open Spybot 1.4
      Click on Immunize>>OK>>Immunize at the top
      Do this after every update
      If there is an update, it would be a good time to run another scan :)

      You're behind on Windows updates; this is important in keeping your system secure
      http://www.microsoft.com/windowsxp/sp2/default.mspx

      Take a look at the link, we have got your system started in the right direction for preparation of the installation of Service pack 2 and all other high priority updates
      I would take advantage of it and keep safe :D

      Additionally, you can go back and re-enable Microsoft AntiSpyware protections if disabled earlier

      Forgot to add, these entries in your hijackthis log
      O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
      O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
      They are set by BitDefender, if you don't plan on visiting the BitDefender's site in the near future and want to remove those items
      Simply open Internet Explorer>>Click on Tools>>Uninstall BitDefender Online Scanner
      Follow the prompts
      « Last Edit: December 30, 2005, 02:31:10 AM by guestolo »
