My log


  • This topic is locked
25 replies to this topic

#1 gostanford07

gostanford07

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 30 March 2006 - 07:58 PM

Logfile of HijackThis v1.99.1
Scan saved at 5:47:04 PM, on 3/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Update06\Setup.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Windows\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [rmalt] C:\Program Files\Update06\Setup.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1138933172214
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
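The log above is the raw HijackThis output the helpers in this thread read by eye. The following script is an added example, not something posted in the thread or shipped with HijackThis: it parses the O4 (autorun), O7 (policy) and O23 (service) sections and lists the entries a reviewer would look at first. The sample lines are copied from the log above; the KNOWN_DIRS allowlist is an assumption made for the example, so an entry such as [rmalt] C:\Program Files\Update06\Setup.exe is reported only because its directory is not on that list, not because the script knows what it is.

```python
import re

# Sample input: lines copied from the HijackThis log posted above, reduced to
# the sections this triage script inspects (O4, O7, O23).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [rmalt] C:\Program Files\Update06\Setup.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# Assumed allowlist of install directories for software the user is known to
# have (hypothetical; an analyst maintains this per machine). Compared
# case-insensitively against the executable path of each autorun entry.
KNOWN_DIRS = (
    r"c:\program files\common files\symantec shared",
    r"c:\progra~1\aim",
    r"c:\program files\linksys",
)

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
POLICY_RE = re.compile(r"^(HK\w+)\\(.+), (\w+)=(\S+)$")
SERVICE_RE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")


def command_path(command):
    """Extract the executable path from a Run value, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted command line: keep everything up to and including the first ".exe".
    m = re.match(r"(?i)(.*?\.exe)(?:\s.*)?$", command)
    return m.group(1) if m else command


def is_known(path):
    """True if the path lies under one of the allowlisted directories."""
    p = path.lower()
    return any(p.startswith(d) for d in KNOWN_DIRS)


def triage(log_text):
    """Return (section, reason, detail) tuples for entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O4":
            r = RUN_RE.match(body)
            if r:
                hive, name, command = r.groups()
                path = command_path(command)
                if not is_known(path):
                    findings.append(("O4", "autorun outside known install dirs",
                                     f"{hive} [{name}] {path}"))
        elif section == "O7":
            # O7 lists Explorer/system policy restrictions; DisableRegedit=1 blocks regedit.
            r = POLICY_RE.match(body)
            if r and r.group(3) == "DisableRegedit" and r.group(4) == "1":
                findings.append(("O7", "registry editor disabled by policy", body))
        elif section == "O23":
            # Services whose binary carries no vendor information are worth checking.
            r = SERVICE_RE.match(body)
            if r and r.group(2).lower() == "unknown owner":
                findings.append(("O23", "service without vendor info", r.group(1)))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section}: {reason}: {detail}")
```

Running it on the sample prints three lines: the [rmalt] autorun, the DisableRegedit policy, and the NICSer_WPC54G service. Everything else in the sample is under an allowlisted directory or carries a vendor name, so it is left out of the report. Extending KNOWN_DIRS is how the reviewer records what has already been verified on this machine.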



#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 01 April 2006 - 12:50 PM

Hello gostanford07, Welcome to the forum.

This is what I suggest you do.


Please do not delete anything unless instructed to.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Even if you've already run these, make SURE they're up-to-date and run per instructions.

Make sure you have the up-to-date versions of Spybot V 1.4 and Ad-aware SE Build 1.06. All are free and available below.

Download Spybot, install and update. Then download Ad-aware, install, and update.

Spybot:

Install the program and launch it.

Go to Start > Programs >Spybot > Search & Destroy and choose Spybot S&D

Close ALL windows except Spybot S&D
Click the button to "Search for Updates" and download and install the Updates.
Next click the button "Check for Problems"
When Spybot is complete, it will be showing RED entries, BLACK entries and GREEN entries in the window
Put a check mark beside the RED entries ONLY.
Choose "Fix Selected Problems" and allow Spybot to fix the RED entries.

Ad-Aware FULL SCAN:

Install the program and launch it.

1. Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon > Click connect > Click OK > Click Finish.)
2. Set up the Configurations as follows:
-- Click the Gear wheel at the top of the Ad-Aware window
-- Click General > Safety & Settings: Check (Green) all three.
-- Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
3. Click "Proceed"
4. Click "Scan Now"
5. Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
6. Select "Search for low-risk threats"
7. Run the scanner using the Full Scan (Perform full system scan) mode.
8. When the scan has completed, select Next.
9. In the Scanning Results window, select the "Scan Summary" tab.
10. Check the box next to each "target family" you wish to remove.
11. Click next > Click OK.

Next:

Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system. If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Empty Recycle Bin

Reboot and "copy/paste" a new HJT log as well as the Results from Spy Sweeper file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 gostanford07

gostanford07

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 01 April 2006 - 03:02 PM

First of all, thanks for the help. However, I was unable to complete your set of directions. I successfully ran the Spybot Search and Destroy program and removed 8 items. Unfortunately, Ad-Aware experienced some problems. When I first started experiencing problems with my computer, my first step was to download Ad-Aware, but just like recently, it did not work for me. The scan begins without problem until it gets to this stage: it says "Deep scanning Local Registry" at the top and then Software/Microsoft/Windows/CurrentVersion/SharedDLLs... and then freezes. For some reason, I get stuck at this point in the scan every time I run the program. Any ideas as to why? Because of this, I downloaded Spyware Doctor a few days ago and have successfully removed a few things, but every time I scan, I get the Look2Me Trojan and click remove, yet it is still there on my next scan. Hope this helps and thanks again for the assistance.

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 01 April 2006 - 05:44 PM

Please run the Spy Sweeper part of the fix. Exit Spy Sweeper. Empty Recycle Bin. Reboot and "copy/paste" a new HJT log as well as the Results from Spy Sweeper file into this thread. Also please describe how your computer behaves at the moment.


#5 gostanford07

gostanford07

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 02 April 2006 - 12:51 PM

First, sorry for the long response, I really do appreciate the help. As far as the computer, the sweep proceeded normally and detected a number of problems. However, I was not able to fully repair all of the items. At one point, Spy Sweeper prompted me to insert my XP Professional Service 2 Disc or something like that. Unfortunately, my laptop is a hand-me-down from my grandfather, so I don't have that disk. As a result, I was forced to click cancel and Spy Sweeper said that it would have to restore the unknown system files. What should I do now? Here are the logs...

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 11:39:47 AM, on 4/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\HighJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1138933172214
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Spy Sweeper:
********
10:53 AM: | Start of Session, Sunday, April 02, 2006 |
10:53 AM: Spy Sweeper started
10:53 AM: Sweep initiated using definitions version 646
10:53 AM: Starting Memory Sweep
10:58 AM: Memory Sweep Complete, Elapsed Time: 00:04:56
10:58 AM: Starting Registry Sweep
10:58 AM: Found Trojan Horse: trojan-backdoor-haxdoor
10:58 AM: HKLM\system\currentcontrolset\services\pptp32\ (11 subtraces) (ID = 1180144)
10:58 AM: HKLM\system\currentcontrolset\services\pptp64\ (11 subtraces) (ID = 1180156)
10:58 AM: Registry Sweep Complete, Elapsed Time:00:00:18
10:58 AM: Starting Cookie Sweep
10:58 AM: Found Spy Cookie: websponsors cookie
10:58 AM: windows@a.websponsors[1].txt (ID = 3665)
10:58 AM: Found Spy Cookie: about cookie
10:58 AM: windows@about[2].txt (ID = 2037)
10:58 AM: Found Spy Cookie: specificclick.com cookie
10:58 AM: windows@adopt.specificclick[2].txt (ID = 3400)
10:58 AM: Found Spy Cookie: tacoda cookie
10:58 AM: windows@anat.tacoda[2].txt (ID = 6445)
10:58 AM: Found Spy Cookie: askmen cookie
10:58 AM: windows@askmen[1].txt (ID = 2247)
10:58 AM: Found Spy Cookie: ask cookie
10:58 AM: windows@ask[1].txt (ID = 2245)
10:58 AM: Found Spy Cookie: belnk cookie
10:58 AM: windows@belnk[1].txt (ID = 2292)
10:58 AM: Found Spy Cookie: casalemedia cookie
10:58 AM: windows@casalemedia[1].txt (ID = 2354)
10:58 AM: Found Spy Cookie: clickbank cookie
10:58 AM: windows@clickbank[1].txt (ID = 2398)
10:58 AM: windows@dist.belnk[2].txt (ID = 2293)
10:58 AM: Found Spy Cookie: findwhat cookie
10:58 AM: windows@findwhat[2].txt (ID = 2674)
10:58 AM: Found Spy Cookie: go.com cookie
10:58 AM: windows@go[1].txt (ID = 2728)
10:58 AM: windows@mobileoffice.about[1].txt (ID = 2038)
10:58 AM: Found Spy Cookie: mygeek cookie
10:58 AM: windows@mygeek[1].txt (ID = 3041)
10:58 AM: Found Spy Cookie: nextag cookie
10:58 AM: windows@nextag[2].txt (ID = 5014)
10:58 AM: Found Spy Cookie: partypoker cookie
10:58 AM: windows@partypoker[2].txt (ID = 3111)
10:58 AM: Found Spy Cookie: adjuggler cookie
10:58 AM: windows@rotator.adjuggler[1].txt (ID = 2071)
10:58 AM: windows@tacoda[2].txt (ID = 6444)
10:58 AM: windows@www.askmen[1].txt (ID = 2248)
10:58 AM: Cookie Sweep Complete, Elapsed Time: 00:00:01
10:58 AM: Starting File Sweep
11:22 AM: Found System Monitor: potentially rootkit-masked files
11:22 AM: rdbss.sys (ID = 0)
11:22 AM: rd68o4ci.exe (ID = 0)
11:22 AM: qtplugininstaller.exe-0f6d6c12.pf (ID = 0)
11:22 AM: qttask.exe-342507fb.pf (ID = 0)
11:22 AM: quattro.wb2 (ID = 0)
11:22 AM: qryctrl.dll (ID = 0)
11:22 AM: recovr32.cnv (ID = 0)
11:22 AM: rdpcfgex.dll (ID = 0)
11:22 AM: rdpwd.sys (ID = 0)
11:22 AM: qappsrv.exe (ID = 0)
11:22 AM: recfuus.wwd (ID = 0)
11:22 AM: qwinsta.exe (ID = 0)
11:22 AM: qrcode.pmp (ID = 0)
11:22 AM: qmgr.inf (ID = 0)
11:22 AM: quattro.wb2 (ID = 0)
11:22 AM: qtbox.bmp (ID = 0)
11:22 AM: qosconcepts.chm (ID = 0)
11:22 AM: qosname.dll (ID = 0)
11:22 AM: recover.exe (ID = 0)
11:22 AM: recycle.chm (ID = 0)
11:22 AM: recycle.wav (ID = 0)
11:22 AM: qmgrprxy.dll (ID = 0)
11:22 AM: qdb.bmp (ID = 0)
11:22 AM: qc.bmp (ID = 0)
11:22 AM: qcg.bmp (ID = 0)
11:22 AM: qd.bmp (ID = 0)
11:22 AM: question_icon.jpg (ID = 0)
11:22 AM: qtinstallcode.dll (ID = 0)
11:22 AM: rdpwd.sys (ID = 0)
11:22 AM: recdbus.dat (ID = 0)
11:22 AM: recheus.wwd (ID = 0)
11:22 AM: reccdus.wwd (ID = 0)
11:22 AM: qmgr.inf (ID = 0)
11:22 AM: qic157.sys (ID = 0)
11:22 AM: quicktimeplayer.exe-280b4828.pf (ID = 0)
11:22 AM: qryint32.dll (ID = 0)
11:22 AM: quit.gif (ID = 0)
11:22 AM: quit.bmp (ID = 0)
11:22 AM: rdtone.htm (ID = 0)
11:22 AM: qh.bmp (ID = 0)
11:22 AM: qs.bmp (ID = 0)
11:22 AM: qartglry.hlp (ID = 0)
11:22 AM: quicktimeinstaller.exe-00c5deda.pf (ID = 0)
11:22 AM: reccdus.wwd (ID = 0)
11:22 AM: reccdz.wwd (ID = 0)
11:22 AM: recdbus.dat (ID = 0)
11:22 AM: recfuus.wwd (ID = 0)
11:22 AM: recfuz.wwd (ID = 0)
11:22 AM: recheus.wwd (ID = 0)
11:22 AM: qmgr0.dat (ID = 0)
11:22 AM: qmgr1.dat (ID = 0)
11:22 AM: qappsrv.exe (ID = 0)
11:22 AM: qosname.dll (ID = 0)
11:22 AM: query.exe (ID = 0)
11:22 AM: quser.exe (ID = 0)
11:22 AM: qwinsta.exe (ID = 0)
11:22 AM: rdpcdd.sys (ID = 0)
11:22 AM: rdpcfgex.dll (ID = 0)
11:22 AM: recover.exe (ID = 0)
11:22 AM: quattro.wb2 (ID = 0)
11:22 AM: rdpwd.sys (ID = 0)
11:22 AM: rdpdr.sys (ID = 0)
11:22 AM: rdbss.sys (ID = 0)
11:22 AM: rdshost.exe (ID = 0)
11:22 AM: rdsaddin.exe (ID = 0)
11:22 AM: rdpwsx.dll (ID = 0)
11:22 AM: rdpsnd.dll (ID = 0)
11:22 AM: rdpdd.dll (ID = 0)
11:22 AM: rdpclip.exe (ID = 0)
11:22 AM: rdchost.dll (ID = 0)
11:22 AM: query.dll (ID = 0)
11:22 AM: quartz.dll (ID = 0)
11:22 AM: qprocess.exe (ID = 0)
11:22 AM: qmgrprxy.dll (ID = 0)
11:22 AM: qedwipes.dll (ID = 0)
11:22 AM: qedit.dll (ID = 0)
11:22 AM: qdvd.dll (ID = 0)
11:22 AM: qdv.dll (ID = 0)
11:22 AM: qcap.dll (ID = 0)
11:22 AM: qasf.dll (ID = 0)
11:22 AM: qmgr.inf (ID = 0)
11:22 AM: rdsaddin.exe (ID = 0)
11:22 AM: rdchost.dll (ID = 0)
11:22 AM: qedwipes.dll (ID = 0)
11:22 AM: rdshost.exe (ID = 0)
11:22 AM: rdsaddin.exe (ID = 0)
11:22 AM: rdpwsx.dll (ID = 0)
11:22 AM: rdpclip.exe (ID = 0)
11:22 AM: quick.ime (ID = 0)
11:22 AM: qdvd.dll (ID = 0)
11:22 AM: query.dll (ID = 0)
11:22 AM: rdpdd.dll (ID = 0)
11:22 AM: qdv.dll (ID = 0)
11:22 AM: rdesktop.chm (ID = 0)
11:22 AM: rdpsnd.dll (ID = 0)
11:22 AM: qprocess.exe (ID = 0)
11:22 AM: qmgr.dll (ID = 0)
11:22 AM: qcap.dll (ID = 0)
11:22 AM: qtplayersession.xml (ID = 0)
11:22 AM: rdpsnd.dll (ID = 0)
11:22 AM: rdocurs.dll (ID = 0)
11:22 AM: quick.ime (ID = 0)
11:22 AM: rdesktop.chm (ID = 0)
11:22 AM: recagent.sys (ID = 0)
11:22 AM: qedit.dll (ID = 0)
11:22 AM: qedwipes.dll (ID = 0)
11:22 AM: qdv.dll (ID = 0)
11:22 AM: rdchost.dll (ID = 0)
11:22 AM: rdpdr.sys (ID = 0)
11:22 AM: qmgr.dll (ID = 0)
11:23 AM: qprocess.exe (ID = 0)
11:23 AM: query.dll (ID = 0)
11:23 AM: rdpwd.sys (ID = 0)
11:23 AM: quick.ime (ID = 0)
11:23 AM: rdpclip.exe (ID = 0)
11:23 AM: qcap.dll (ID = 0)
11:23 AM: quartz.dll (ID = 0)
11:23 AM: rdpwsx.dll (ID = 0)
11:23 AM: recagent.sys (ID = 0)
11:23 AM: qasf.dll (ID = 0)
11:23 AM: rdpdd.dll (ID = 0)
11:23 AM: rdbss.sys (ID = 0)
11:23 AM: qdvd.dll (ID = 0)
11:23 AM: rdshost.exe (ID = 0)
11:23 AM: query.asp (ID = 0)
11:23 AM: rdsktpw.chm (ID = 0)
11:23 AM: qmgr.dll (ID = 0)
11:23 AM: qtplugin.log (ID = 0)
11:23 AM: quicktimeplugin.class (ID = 0)
11:23 AM: quicktimeplugin.class (ID = 0)
11:23 AM: qasf.dll (ID = 0)
11:23 AM: qwrdrt32.hlp (ID = 0)
11:23 AM: qartglry.hlp (ID = 0)
11:23 AM: recdb.bmp (ID = 0)
11:23 AM: qasf.dll (ID = 0)
11:23 AM: quartz.dll (ID = 0)
11:23 AM: quartz.dll (ID = 0)
11:23 AM: quicksilver.wmz (ID = 0)
11:23 AM: qasf.dll (ID = 0)
11:23 AM: qh.bmp (ID = 0)
11:23 AM: rdrmsgenu.pdf (ID = 0)
11:23 AM: recdb.bmp (ID = 0)
11:23 AM: qconres.dll (ID = 0)
11:23 AM: qwrdrt32.hlp (ID = 0)
11:23 AM: qconsole.hlp (ID = 0)
11:23 AM: recdbz.dat (ID = 0)
11:23 AM: qmgr.pnf (ID = 0)
11:23 AM: recall.dll (ID = 0)
11:23 AM: rec.cfg (ID = 0)
11:23 AM: recl.ico (ID = 0)
11:23 AM: recs.ico (ID = 0)
11:23 AM: qryint32.dll (ID = 0)
11:23 AM: recalc.htm (ID = 0)
11:23 AM: recalc.htm (ID = 0)
11:23 AM: recovr32.cnv (ID = 0)
11:23 AM: qartglry.hlp (ID = 0)
11:23 AM: qryctrl.dll (ID = 0)
11:23 AM: rdocurs.dll (ID = 0)
11:23 AM: quikview.exe (ID = 0)
11:23 AM: quikview.exe (ID = 0)
11:23 AM: quicktime.mpp (ID = 0)
11:23 AM: rdr70.itw (ID = 0)
11:23 AM: qmark.gif (ID = 0)
11:23 AM: qmark.acs (ID = 0)
11:23 AM: rdbss.sys (ID = 0)
11:23 AM: quicktimeinstaller.exe (ID = 0)
11:23 AM: qrc_01.png (ID = 0)
11:23 AM: qconsole.exe (ID = 0)
11:23 AM: rdrmsgsplash.pdf (ID = 0)
11:23 AM: recovr32.cnv (ID = 0)
11:23 AM: qc.bmp (ID = 0)
11:23 AM: qd.bmp (ID = 0)
11:23 AM: qs.bmp (ID = 0)
11:23 AM: quicktimeinstaller.exe (ID = 0)
11:23 AM: qtinstallcode.log (ID = 0)
11:23 AM: qryctrl.dll (ID = 0)
11:23 AM: quirk.css (ID = 0)
11:23 AM: qmgrprxy.dll (ID = 0)
11:23 AM: rdbss.sys (ID = 0)
11:23 AM: rdpdr.sys (ID = 0)
11:23 AM: rdpcdd.sys (ID = 0)
11:23 AM: rdpwd.sys (ID = 0)
11:23 AM: quartz.dll (ID = 0)
11:23 AM: quarantine.lnk (ID = 0)
11:23 AM: quicktimeplayer_ico.exe (ID = 0)
11:23 AM: qedit.dll (ID = 0)
11:23 AM: qasf.dll (ID = 0)
11:23 AM: quicktime.qtp (ID = 0)
11:23 AM: qtfont.qfn (ID = 0)
11:23 AM: qtfont.for (ID = 0)
11:23 AM: qtbox.bmp (ID = 0)
11:23 AM: qtinstallcode.dll (ID = 0)
11:23 AM: qtuninstaller.ico (ID = 0)
11:23 AM: qtinstallcode.dll (ID = 0)
11:23 AM: qtlogotoppanel.bmp (ID = 0)
11:23 AM: qtprobanner.bmp (ID = 0)
11:23 AM: quar32.dll (ID = 0)
11:23 AM: qspak32.dll (ID = 0)
11:23 AM: quaropts.dat (ID = 0)
11:23 AM: rdistcom.dll (ID = 0)
11:23 AM: rectangle.gif (ID = 0)
11:23 AM: qmu66.tmp (ID = 0)
11:23 AM: qyzylorda (ID = 0)
11:23 AM: recife (ID = 0)
11:23 AM: qatar (ID = 0)
11:23 AM: quicktimeinstaller.exe (ID = 0)
11:23 AM: stt82.ini (ID = 0)
11:23 AM: klgcptini.dat (ID = 0)
11:23 AM: quarantine.lnk (ID = 0)
11:23 AM: File Sweep Complete, Elapsed Time: 00:25:08
11:23 AM: Full Sweep has completed. Elapsed time 00:30:30
11:23 AM: Traces Found: 252
11:26 AM: Removal process initiated
11:26 AM: Quarantining All Traces: potentially rootkit-masked files
11:33 AM: Quarantining All Traces: trojan-backdoor-haxdoor
11:33 AM: Quarantining All Traces: about cookie
11:33 AM: Quarantining All Traces: adjuggler cookie
11:33 AM: Quarantining All Traces: ask cookie
11:33 AM: Quarantining All Traces: askmen cookie
11:33 AM: Quarantining All Traces: belnk cookie
11:33 AM: Quarantining All Traces: casalemedia cookie
11:33 AM: Quarantining All Traces: clickbank cookie
11:33 AM: Quarantining All Traces: findwhat cookie
11:33 AM: Quarantining All Traces: go.com cookie
11:33 AM: Quarantining All Traces: mygeek cookie
11:33 AM: Quarantining All Traces: nextag cookie
11:33 AM: Quarantining All Traces: partypoker cookie
11:33 AM: Quarantining All Traces: specificclick.com cookie
11:33 AM: Quarantining All Traces: tacoda cookie
11:33 AM: Quarantining All Traces: websponsors cookie
11:33 AM: Removal process completed. Elapsed time 00:06:59
********
10:50 AM: | Start of Session, Sunday, April 02, 2006 |
10:50 AM: Spy Sweeper started
10:51 AM: Your spyware definitions have been updated.
10:53 AM: | End of Session, Sunday, April 02, 2006 |

Thanks again for the help...

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 02 April 2006 - 12:55 PM

I don't like the sound of that. Might be some system files infected. Let's try this:

Please download the trial version of ewido anti-malware 3.5 here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Then please run Ewido, click on the Scanner, run a full scan and let it clean everything it finds. Save the logfile from the scan.


Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.


#7 gostanford07

gostanford07

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 02 April 2006 - 02:38 PM

Ewido ran successfully. It deleted a few medium risk Cookie items and then one High risk trojan towards the end. Here are my updated logs...

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 1:26:20 PM, on 4/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HighJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1138933172214
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Ewido:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:21:24 PM, 4/2/2006
+ Report-Checksum: 28C39A12

+ Scan result:

:mozilla.15:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Windows\Cookies\windows@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Windows\Cookies\windows@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Windows\Cookies\windows@www.directnetadvertising[1].txt -> TrackingCookie.Directnetadvertising : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\winupdt.exe -> Backdoor.Haxdoor.gh : Cleaned with backup


::Report End

I agree that the Windows service request isn't a good sign. The only system disks I got with the computer were three Toshiba disks that will restore the computer to the factory settings. I would essentially lose everything so although this is an option I hope to use it as an ultimate last resort. Thanks for the help
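
An added example, not code from this thread or from HijackThis or ewido: a small triage script that parses the two logs posted above and picks out the lines a helper would look at first. The sample input is excerpted from the logs in this post. The flagging rules are this example's own heuristics (an assumption), and a flag means "check this", not "malicious": the unnamed BHO in the sample resolves, by its path, to Spybot's own SDHelper.dll, while the O7 DisableRegedit=1 policy and the ewido Backdoor.Haxdoor.gh hit in the systemprofile Startup folder are the items that actually matter.

```python
"""Triage the two logs posted above: a HijackThis 1.99.x log and an ewido scan
report.  Added example for this thread, not code from HijackThis, ewido or
anyone in the thread; the review rules are this example's own heuristics
(an assumption) and a flag means 'look closer', not 'malicious'."""
import re
from dataclasses import dataclass, field

# HijackThis entry, e.g. "O4 - HKLM\..\Run: [ccApp] C:\...\ccApp.exe"
HJT_RE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
# ewido result line, e.g. "<path> -> Backdoor.Haxdoor.gh : Cleaned with backup"
EWIDO_RE = re.compile(r"^(?P<path>.+?) -> (?P<det>[\w.]+) : (?P<action>.+)$")


@dataclass
class HjtEntry:
    kind: str                 # section tag such as "O4", "O7", "O23"
    body: str                 # text after "O4 - "
    flags: list[str] = field(default_factory=list)


def parse_hjt(text: str) -> list[HjtEntry]:
    """Return one HjtEntry per O/R/F/N line; headers and the process list are skipped."""
    out = []
    for line in text.splitlines():
        m = HJT_RE.match(line.strip())
        if m:
            out.append(HjtEntry(m.group(1), m.group(2)))
    return out


def triage_hjt(entries: list[HjtEntry]) -> list[HjtEntry]:
    """Attach review flags and return only the entries that got one."""
    for e in entries:
        b, flags = e.body, []
        if e.kind == "O7":
            # Policies such as DisableRegedit=1 are usually set by malware to
            # hinder cleanup; legitimate software almost never sets them.
            flags.append("registry policy restriction")
        if e.kind == "O20" and "Winlogon Notify" in b:
            flags.append("Winlogon Notify DLL, loaded into winlogon.exe at logon")
        if e.kind in ("O2", "O9") and "(no name)" in b:
            flags.append("unnamed browser add-on, identify the DLL")
        if e.kind == "O23" and "Unknown owner" in b:
            flags.append("service with no publisher string")
        if e.kind == "O4" and re.search(r"\\(Temp|systemprofile)\\", b, re.I):
            flags.append("autostart from a temp or system-profile path")
        if e.kind == "O4" and b.endswith("= ?"):
            flags.append("startup shortcut whose target HJT could not resolve")
        e.flags = flags
    return [e for e in entries if e.flags]


def parse_ewido(text: str) -> list[dict]:
    """Split each result into path / detection / action; mark tracking cookies."""
    hits = []
    for line in text.splitlines():
        m = EWIDO_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["cookie"] = d["det"].startswith("TrackingCookie.")
            hits.append(d)
    return hits


def ewido_summary(hits: list[dict]) -> tuple[int, list[dict]]:
    """Return (number of tracking cookies, list of non-cookie detections)."""
    cookies = sum(1 for h in hits if h["cookie"])
    return cookies, [h for h in hits if not h["cookie"]]


# Sample input: lines excerpted from the logs posted in this thread.
HJT_SAMPLE = r"""Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""
EWIDO_SAMPLE = r""":mozilla.15:C:\Documents and Settings\Windows\Application Data\Mozilla\Firefox\Profiles\2tmjl2gt.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Windows\Cookies\windows@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\winupdt.exe -> Backdoor.Haxdoor.gh : Cleaned with backup
"""

if __name__ == "__main__":
    for e in triage_hjt(parse_hjt(HJT_SAMPLE)):
        print(f"{e.kind}: {e.body}\n    -> {'; '.join(e.flags)}")
    n_cookies, real = ewido_summary(parse_ewido(EWIDO_SAMPLE))
    print(f"\n{n_cookies} tracking cookies; {len(real)} other detection(s):")
    for h in real:
        print(f"  {h['det']}  {h['path']}  [{h['action']}]")
```

Run it as-is to see the five flagged HJT lines and the single non-cookie ewido detection; paste a full log into the two sample strings to triage a real report. The ewido half separates the many TrackingCookie hits from the one Backdoor entry, which is the distinction the poster describes in words ("a few medium risk Cookie items and then one High risk trojan").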

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 02 April 2006 - 02:45 PM

Good Job :thumbup:

Log looks good :D :thumbup: How is it running, any issues?

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.





If you don't have these three programs I would recommend that you get them: Spywareblaster, Spywareguard and IESPY AD. They will add thousands of sites to your restricted zone and block some hijacks from happening. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Safe Surfing. :D

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein



#9 gostanford07

gostanford07

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 02 April 2006 - 03:03 PM

Awesome. Computer seems to be running normally. I can't thank you enough.

#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 02 April 2006 - 03:07 PM

Great job :thumbup: You're more than welcome. Glad we were able to help. Peace be with you :wavey:


#11 gostanford07

gostanford07

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 02 April 2006 - 04:03 PM

Sorry, just one more question. The computer seems to be running smoothly except for one problem. For some reason, I cannot connect to the other computers on my network. I am not able to see the shared folders or anything. Could it possibly be from any firewalls established by the newly downloaded spyware programs? Or is it something within the network? I know this probably isn't your job, but I am just wondering if some of the software that you recommended could have this effect. Thanks again for any answers

#12 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 02 April 2006 - 05:44 PM

Only thing I can think of is to unplug the power from the router and external modem. Wait about 5 mins and restart everything. Also reboot all PCs after that.



#13 gostanford07

gostanford07

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 03 April 2006 - 01:42 AM

Well it seems that whatever bug I contracted is now gone, but while it was there, infected some of my system files that were subsequently removed by the scanning programs. I have experienced a few problems running some programs, and discovered that a file called "quartz.dll" was missing. I was able to download and insert a replacement from dll-files.com. This prompted me to do a registry scan using PC something's program MightMouse Registry scan or something like that. After running a registry scan, the program found upwards of 400 problems but could not repair them because it was a trial version. I then downloaded PC Tool's Registry Mechanic which uncovered hundreds of problems but also could not solve them because it was a demo version. I was just wondering if you knew of any free scan/repair programs for registry files similar to the adaware programs you recommended (Spybot S&D, etc.). Or, is there an alternative solution to my problem. If I need to, I will kick down the $30 for a full version of those other programs, but I was wondering if you know of any other solutions. Thanks again for the help...

Edited by gostanford07, 03 April 2006 - 01:43 AM.


#14 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 03 April 2006 - 01:33 PM

You can use Windows SFC (System File Checker). You'd need your XP CD to make this work.
Click Start > Run > type sfc /scannow
(Note that there is a space between sfc and /scannow.)



#15 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 07 April 2006 - 03:08 PM

Were you able to run the fix?

