Can't get rid of E2G


This topic is locked
7 replies to this topic

#1 Mike Camden (New Member, 4 posts)

Posted 28 April 2006 - 07:45 AM

I'm the tech director for a small, private school. One of our teacher's systems recently became infected with a host of trojans (it's probably been infected with spyware for a while). I think that I was able to get rid of most of the malware, but I can't seem to find what's causing a repeated re-infection by spyware that Spy Sweeper is identifying as E2G. There are also a couple of processes identified in the HijackThis log that I'm having a hard time identifying as legitimate or malware.

Thanks for any help.

Logfile of HijackThis v1.99.1
Scan saved at 9:13:59 AM, on 4/28/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\SSEMBL~1\scanregw.exe
C:\WINDOWS\security\lsass.exe
C:\Program Files\CallWave\IAM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Security\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\security\lsass.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\security\lsass.exe
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft ® Windows Network Protection Server] C:\WINDOWS\security\lsass.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Obcp] "C:\WINDOWS\System32\SSEMBL~1\scanregw.exe" -vt yazr
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.media-mo...bs/joysaver.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129407860093
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.pictur...loadControl.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O20 - AppInit_DLLs: iniwin32.dll
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\j2j60c1sef.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: dllmgr64 - Unknown owner - C:\WINDOWS\dllmgr64.exe (file missing)
O23 - Service: Microsoft Initialization (msinit) - Unknown owner - C:\WINDOWS\msinit.exe
O23 - Service: Windows Network Protection (NetServ) - Unknown owner - C:\WINDOWS\security\lsass.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINDOWS\System32\RpcSs.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: sysmgr64 - Unknown owner - C:\WINDOWS\sysmgr64.exe (file missing)

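Before any cleaner is run, the log above already shows the persistence chain worth picking out by hand: one file, C:\WINDOWS\security\lsass.exe (a core-binary name in a folder where it never belongs), is wired into both F2 values (Shell= and UserInit=), an HKLM Run key and the NetServ service; the O20 AppInit_DLLs value injects iniwin32.dll into every process that loads user32.dll; several O23 services show "Unknown owner", two of them already "(file missing)"; and three Mirar domains sit in Internet Explorer's Trusted zone. The Python script below, added here as an example and not part of the original post or of HijackThis itself, encodes those checks as heuristics and runs them over an excerpt constructed from the post #1 log. The rule names, the SYSTEM_BINARIES list and the regular expressions are the editor's assumptions about HijackThis 1.99 output, not anything the tool publishes.

```python
"""Triage a HijackThis log for the persistence patterns above (added example, not from the post)."""
import re
from collections import Counter

# Core Windows binaries that, on XP, only ever run from %SystemRoot%\System32;
# the same name under any other folder (\WINDOWS\security\lsass.exe above) is masquerading.
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "userinit.exe", "rundll32.exe",
}
SYSTEM32 = r"c:\windows\system32"

# Drive-qualified path ending in an executable extension; the lazy match lets the
# path contain spaces ("C:\Program Files\...") and stops at the first extension.
_PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:exe|dll|ocx)\b", re.IGNORECASE)
_F2_RE = re.compile(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)")
_O20_RE = re.compile(r"O20 - AppInit_DLLs: (.+)")


def masquerading(line):
    """Paths on the line whose file name is a core binary but whose folder is not System32."""
    hits = []
    for path in _PATH_RE.findall(line):
        folder, _, name = path.lower().rpartition("\\")
        if name in SYSTEM_BINARIES and folder != SYSTEM32:
            hits.append(path)
    return hits


def extra_logon_entries(line):
    """Entries on an F2 Shell=/UserInit= value beyond the single binary Windows expects.

    Winlogon runs everything listed there at logon, so appending a second path is a
    stock persistence trick. Splitting on commas/whitespace is safe for XP defaults.
    """
    m = _F2_RE.match(line)
    if not m:
        return []
    key, value = m.groups()
    expected = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}[key]
    entries = [e for e in re.split(r"[,\s]+", value) if e]
    return [e for e in entries if e.lower().rpartition("\\")[2] != expected]


def appinit_dlls(line):
    """DLLs in AppInit_DLLs, loaded into every process that loads user32.dll.

    Delete the file but leave this value behind and every program launch shows a
    "Bad Image ... is not a valid Windows image" dialog, the symptom reported in post #3.
    """
    m = _O20_RE.match(line)
    return m.group(1).split() if m else []


def unverified_service(line):
    """O23 service with no identifiable owner, or whose binary is already gone."""
    return line.startswith("O23 - Service:") and (
        "Unknown owner" in line or "(file missing)" in line)


def triage(log_text):
    """Return (rule, detail, line) findings for a whole HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        findings += [("system-binary-outside-system32", p, line) for p in masquerading(line)]
        findings += [("extra-logon-entry", e, line) for e in extra_logon_entries(line)]
        findings += [("appinit-dll", d, line) for d in appinit_dlls(line)]
        if unverified_service(line):
            findings.append(("unverified-service", line[len("O23 - Service: "):], line))
        if line.startswith("O15 - Trusted Zone:"):
            # Trusted-zone sites get IE's most permissive ActiveX and scripting settings.
            findings.append(("trusted-zone-site", line.split(":", 1)[1].strip(), line))
    return findings


def rule_counts(log_text):
    """Number of findings per rule, as a plain dict."""
    return dict(Counter(rule for rule, _, _ in triage(log_text)))


# Constructed excerpt of the post #1 log (one Run key name has its (R) symbol dropped).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\security\lsass.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\security\lsass.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\security\lsass.exe
O4 - HKLM\..\Run: [Microsoft Windows Network Protection Server] C:\WINDOWS\security\lsass.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - AppInit_DLLs: iniwin32.dll
O23 - Service: dllmgr64 - Unknown owner - C:\WINDOWS\dllmgr64.exe (file missing)
O23 - Service: Windows Network Protection (NetServ) - Unknown owner - C:\WINDOWS\security\lsass.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINDOWS\System32\RpcSs.exe
"""

if __name__ == "__main__":
    for rule, detail, _ in triage(SAMPLE_LOG):
        print(f"{rule:32} {detail}")
```

Run it as a script to see each finding, or feed a full log to `triage()` and group on the first tuple field. The masquerading rule is deliberately path-based rather than name-based: the real lsass.exe is in the process list as well, and only the System32 folder separates it from the copy under \WINDOWS\security. Note that the script only flags what the log shows; it says nothing about whether a service's binary is signed or what it does, so every finding still needs the file itself examined before removal.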


#2 Siggyx (SuperHelper, Authentic Member, 6,776 posts)

Posted 28 April 2006 - 09:13 AM

1. Please download Ewido Anti-Malware
  • Install ewido anti-malware
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

2. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

4. Once in Safe Mode, Open Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • In the scriptline to execute field type or paste c:\bfu\alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal Windows and post the contents of the Ewido text report that you saved and a new HijackThis log.

#3 Mike Camden (New Member, 4 posts)

Posted 28 April 2006 - 10:39 AM

Siggyx, thanks for the quick response. I followed your steps, but now I have a new problem after running the scans and programs in safe mode -- when I boot back into Windows, as Windows is attempting to start the startup services, it gives me the following error as it attempts to load each service:
"Bad Image -- <<name of service.extension>>
The application or DLL C:\WINDOWS\System32\iniwin32.dll is not a valid Windows image. Please check this against your installation disk."
If I click "OK" everything loads as normal. I get this same error whenever I try to launch any program (only the name of the program being launched is in the title bar and not the startup processes). When I hit OK, the application loads and runs as it should.

Below are the Ewido log and a new HijackThis log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:22:47 PM, 4/28/2006
+ Report-Checksum: AD5CFE51

+ Scan result:

HKLM\SOFTWARE\Classes\IeBHOs.Control -> Adware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CLSID -> Adware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CurVer -> Adware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control.1 -> Adware.E2G : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KHA7G12F\10ngy7r[1].jpg -> Proxy.Ranky.ef : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KHA7G12F\10ngy7r[2].jpg -> Proxy.Ranky.ef : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KHA7G12F\10ngy7r[3].jpg -> Proxy.Ranky.ef : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KHA7G12F\10ngy7r[4].jpg -> Proxy.Ranky.ef : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KHA7G12F\304sp4[1].jpg -> Proxy.Ranky.eh : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KHA7G12F\304sp4[2].jpg -> Proxy.Ranky.eh : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KHA7G12F\46eedn[1].jpg -> Proxy.Ranky.er : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KHA7G12F\4bs4bq[1].jpg -> Proxy.Ranky.el : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KHA7G12F\4bs4bq[2].jpg -> Proxy.Ranky.el : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KHA7G12F\4tmi0r[1].jpg -> Backdoor.Small.kc : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\1gvpq[1].jpg -> Proxy.Ranky.ey : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\1gvpq[2].jpg -> Proxy.Ranky.ey : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\1gvpq[3].jpg -> Proxy.Ranky.ey : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\1gvpq[4].jpg -> Proxy.Ranky.ey : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\1gvpq[5].jpg -> Proxy.Ranky.ey : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\37vhf3[1].jpg -> Proxy.Ranky.fe : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\37vhf3[2].jpg -> Proxy.Ranky.fe : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\3duw68[1].jpg -> Proxy.Ranky.fd : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\3duw68[2].jpg -> Proxy.Ranky.fd : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\3p4ymf[1].jpg -> Proxy.Ranky.es : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\3zv8no[1].jpg -> Proxy.Agent.iv : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\46eedn[1].jpg -> Proxy.Ranky.er : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\46eedn[2].jpg -> Proxy.Ranky.er : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\46eedn[3].jpg -> Proxy.Ranky.er : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\46eedn[4].jpg -> Proxy.Ranky.er : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\46eedn[5].jpg -> Proxy.Ranky.er : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\46eedn[6].jpg -> Proxy.Ranky.er : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\4tmi0r[1].jpg -> Backdoor.Small.kc : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\9sw4v[1].jpg -> Proxy.Ranky.fb : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\9sw4v[2].jpg -> Proxy.Ranky.fb : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\9sw4v[3].jpg -> Proxy.Ranky.fb : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\9sw4v[4].jpg -> Proxy.Ranky.fb : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\9sw4v[5].jpg -> Proxy.Ranky.fb : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\9sw4v[6].jpg -> Proxy.Ranky.fb : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\gaixq[1].jpg -> Proxy.Ranky.eu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\msutil64[1].exe -> Proxy.Ranky : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPU3OLYJ\msutil64[2].exe -> Proxy.Ranky : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\O56ZG16B\1e7oka1[1].jpg -> Proxy.Ranky.ew : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\O56ZG16B\3hzeyr[1].jpg -> Worm.Opanki.as : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\O56ZG16B\gaixq[1].jpg -> Proxy.Ranky.eu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S167G9MB\17lijug[1].jpg -> Proxy.Ranky.ez : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S167G9MB\37vhf3[1].jpg -> Proxy.Ranky.fe : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S167G9MB\3duw68[10].jpg -> Proxy.Ranky.fd : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S167G9MB\3duw68[11].jpg -> Proxy.Ranky.fd : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S167G9MB\3duw68[1].jpg -> Proxy.Ranky.fd : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S167G9MB\3duw68[2].jpg -> Proxy.Ranky.fd : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S167G9MB\3duw68[3].jpg -> Proxy.Ranky.fd : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S167G9MB\3duw68[4].jpg -> Proxy.Ranky.fd : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S167G9MB\3duw68[5].jpg -> Proxy.Ranky.fd : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S167G9MB\3duw68[6].jpg -> Proxy.Ranky.fd : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S167G9MB\3duw68[7].jpg -> Proxy.Ranky.fd : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S167G9MB\3duw68[8].jpg -> Proxy.Ranky.fd : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S167G9MB\3duw68[9].jpg -> Proxy.Ranky.fd : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S167G9MB\4ovouh[1].jpg -> Proxy.Ranky.ev : Cleaned with backup
C:\Documents and Settings\Margie\Desktop\keyboard13.exe -> Downloader.VB.abj : Cleaned with backup
C:\Documents and Settings\Margie\themasterz.exe -> Hijacker.Small.hh : Cleaned with backup
C:\drsmartload1.exe -> Downloader.Adload.ap : Cleaned with backup
C:\drsmartload45a.exe -> Downloader.Adload.aw : Cleaned with backup
C:\drsmartload46a.exe -> Downloader.Adload.as : Cleaned with backup
C:\Installer.exe -> Adware.Look2Me : Cleaned with backup
C:\installerus.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\installerwnus.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\keyboard13.exe -> Downloader.VB.abj : Cleaned with backup
C:\msutil64.exe -> Proxy.Ranky : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\Security\hijackthis\backups\backup-20060428-105030-227.dll -> Adware.Mirar : Cleaned with backup
C:\Security\Spyware\advpms.exe -> Logger.VB.eh : Cleaned with backup
C:\WHCC2.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\WINDOWS\ac2_0009.exe -> Downloader.Small.cpu : Cleaned with backup
C:\WINDOWS\dcmhelp.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\3133372D2D2D.exe -> Downloader.Adload.ai : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\amm06.ocx -> Downloader.VB.bo : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll -> Adware.WinAD : Cleaned with backup
C:\WINDOWS\keyboard13.exe -> Downloader.VB.abj : Cleaned with backup
C:\WINDOWS\keyboard14.exe -> Hijacker.StartPage.aiy : Cleaned with backup
C:\WINDOWS\mousepad13.exe -> Hijacker.VB.mo : Cleaned with backup
C:\WINDOWS\mousepad14.exe -> Hijacker.VB.mo : Cleaned with backup
C:\WINDOWS\msctrl.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\newname13.exe -> Downloader.VB.aaf : Cleaned with backup
C:\WINDOWS\newname14.exe -> Downloader.VB.ri : Cleaned with backup
C:\WINDOWS\pi1_36.exe -> Downloader.Small.cqy : Cleaned with backup
C:\WINDOWS\secure32.exe -> Backdoor.Pakes : Cleaned with backup
C:\WINDOWS\system\svchost.exe -> Proxy.Ranky.fd : Cleaned with backup
C:\WINDOWS\system32\002k3slc.dll -> Adware.Sud : Cleaned with backup
C:\WINDOWS\system32\101.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\102.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\104.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\105.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\106.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\107.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\109.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\10A.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\10C.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\10F.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\11.tmp -> Proxy.Ranky.ef : Cleaned with backup
C:\WINDOWS\system32\111.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\113.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\114.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\11C.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\12.tmp -> Proxy.Ranky.ef : Cleaned with backup
C:\WINDOWS\system32\120.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\121.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\126.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\12C.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\133.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\137.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\139.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\13A.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\13B.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\13F.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\140.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\142.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\145.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\146.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\149.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\14A.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\14B.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\14C.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\150.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\151.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\155.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\157.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\15B.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\15D.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\16.tmp -> Proxy.Ranky.ef : Cleaned with backup
C:\WINDOWS\system32\163.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\168.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\170.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\176.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\17B.tmp -> Proxy.Ranky.es : Cleaned with backup
C:\WINDOWS\system32\18.tmp -> Backdoor.Small.kc : Cleaned with backup
C:\WINDOWS\system32\181.tmp -> Proxy.Ranky.eu : Cleaned with backup
C:\WINDOWS\system32\185.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\187.tmp -> Proxy.Ranky.es : Cleaned with backup
C:\WINDOWS\system32\18D.tmp -> Proxy.Ranky.es : Cleaned with backup
C:\WINDOWS\system32\18E.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\191.tmp -> Proxy.Ranky.es : Cleaned with backup
C:\WINDOWS\system32\195.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\196.tmp -> Proxy.Ranky.es : Cleaned with backup
C:\WINDOWS\system32\197.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\19A.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\19D.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\1A2.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\1A4.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\1A6.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\1A8.tmp -> Proxy.Ranky.ez : Cleaned with backup
C:\WINDOWS\system32\1AD.tmp -> Proxy.Ranky.ez : Cleaned with backup
C:\WINDOWS\system32\1AE.tmp -> Proxy.Ranky.eu : Cleaned with backup
C:\WINDOWS\system32\1AF.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\1B0.tmp -> Proxy.Ranky.eu : Cleaned with backup
C:\WINDOWS\system32\1B1.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\1B9.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\1BA.tmp -> Proxy.Ranky.ev : Cleaned with backup
C:\WINDOWS\system32\1BC.tmp -> Proxy.Ranky.eu : Cleaned with backup
C:\WINDOWS\system32\1BE.tmp -> Proxy.Ranky.eu : Cleaned with backup
C:\WINDOWS\system32\1C0.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\1C2.tmp -> Proxy.Ranky.ev : Cleaned with backup
C:\WINDOWS\system32\1C3.tmp -> Proxy.Ranky.eu : Cleaned with backup
C:\WINDOWS\system32\1C4.tmp -> Proxy.Ranky.ev : Cleaned with backup
C:\WINDOWS\system32\1C6.tmp -> Proxy.Ranky.eu : Cleaned with backup
C:\WINDOWS\system32\1C8.tmp -> Proxy.Ranky.ev : Cleaned with backup
C:\WINDOWS\system32\1CB.tmp -> Proxy.Ranky.eu : Cleaned with backup
C:\WINDOWS\system32\1CC.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\1CF.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\1D4.tmp -> Proxy.Ranky.eu : Cleaned with backup
C:\WINDOWS\system32\1D6.tmp -> Proxy.Ranky.ev : Cleaned with backup
C:\WINDOWS\system32\1E1.tmp -> Proxy.Ranky.ev : Cleaned with backup
C:\WINDOWS\system32\1F2.tmp -> Proxy.Ranky.ev : Cleaned with backup
C:\WINDOWS\system32\1F6.tmp -> Proxy.Ranky.ev : Cleaned with backup
C:\WINDOWS\system32\20.tmp -> Proxy.Ranky.ef : Cleaned with backup
C:\WINDOWS\system32\201.tmp -> Proxy.Ranky.ev : Cleaned with backup
C:\WINDOWS\system32\21.tmp -> Proxy.Ranky.ef : Cleaned with backup
C:\WINDOWS\system32\25.tmp -> Proxy.Ranky.eh : Cleaned with backup
C:\WINDOWS\system32\2A.tmp -> Backdoor.Small.kc : Cleaned with backup
C:\WINDOWS\system32\2B.tmp -> Backdoor.Small.kc : Cleaned with backup
C:\WINDOWS\system32\33.tmp -> Backdoor.Small.kc : Cleaned with backup
C:\WINDOWS\system32\3D.tmp -> Proxy.Ranky.el : Cleaned with backup
C:\WINDOWS\system32\3F.tmp -> Proxy.Ranky.el : Cleaned with backup
C:\WINDOWS\system32\4.tmp -> Proxy.Ranky.ef : Cleaned with backup
C:\WINDOWS\system32\45.tmp -> Proxy.Ranky.el : Cleaned with backup
C:\WINDOWS\system32\4A.tmp -> Proxy.Ranky.el : Cleaned with backup
C:\WINDOWS\system32\5.tmp -> Proxy.Ranky.ef : Cleaned with backup
C:\WINDOWS\system32\58.tmp -> Proxy.Ranky.el : Cleaned with backup
C:\WINDOWS\system32\5D.tmp -> Proxy.Ranky.eh : Cleaned with backup
C:\WINDOWS\system32\5F.tmp -> Proxy.Ranky.eh : Cleaned with backup
C:\WINDOWS\system32\6.tmp -> Proxy.Ranky.ef : Cleaned with backup
C:\WINDOWS\system32\63.tmp -> Proxy.Ranky.eh : Cleaned with backup
C:\WINDOWS\system32\9.tmp -> Proxy.Ranky.el : Cleaned with backup
C:\WINDOWS\system32\9E.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\9F.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\A.tmp -> Proxy.Ranky.eh : Cleaned with backup
C:\WINDOWS\system32\A1.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\A3.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\A4.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\A8.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\AC.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\ad.html -> Hijacker.Agent.e : Cleaned with backup
C:\WINDOWS\system32\ajl(2)(2).dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\B.tmp -> Proxy.Agent.iv : Cleaned with backup
C:\WINDOWS\system32\B0.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\C.tmp -> Proxy.Ranky.ef : Cleaned with backup
C:\WINDOWS\system32\C0.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\C5.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\C9.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\CE.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\comsvcs.exe -> Proxy.Agent.iv : Cleaned with backup
C:\WINDOWS\system32\D.tmp -> Proxy.Agent.iv : Cleaned with backup
C:\WINDOWS\system32\D0.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\D1.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\D9.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\DA.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\dllsys64.exe -> Proxy.Ranky : Cleaned with backup
C:\WINDOWS\system32\E1.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\E2.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\E3.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\E4.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\E7.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\EB.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\ED.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\EE.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\EF.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\eraseme_11136.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\eraseme_52116.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\F.tmp -> Backdoor.Small.kc : Cleaned with backup
C:\WINDOWS\system32\F1.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\F3.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\F4.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\F6.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\F7.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\F8.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\F9.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\FD.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\FF.tmp -> Proxy.Ranky.er : Cleaned with backup
C:\WINDOWS\system32\fudrclnr.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ivxmontr.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\job32.exe -> Proxy.Ranky.el : Cleaned with backup
C:\WINDOWS\system32\ppsi32.exe -> Backdoor.Small.kc : Cleaned with backup
C:\WINDOWS\system32\rOsppp(2).dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\RpcSs.exe -> Worm.Opanki.as : Cleaned with backup
C:\WINDOWS\wallpap.exe -> Hijacker.Agent.gp : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 12:37:29 PM, on 4/28/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\msinit.exe
C:\WINDOWS\security\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Security\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\security\lsass.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\security\lsass.exe
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [Microsoft ® Windows Network Protection Server] C:\WINDOWS\security\lsass.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129407860093
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.pictur...loadControl.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O20 - AppInit_DLLs: iniwin32.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Microsoft Initialization (msinit) - Unknown owner - C:\WINDOWS\msinit.exe
O23 - Service: Windows Network Protection (NetServ) - Unknown owner - C:\WINDOWS\security\lsass.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINDOWS\System32\RpcSs.exe (file missing)

#4 Siggyx (SuperHelper, Authentic Member, 6,776 posts)

Posted 28 April 2006 - 10:45 AM

We still need to do some cleaning

Start > Run

In the box, type in services.msc then hit <enter> (or click OK)

In the Name column, look for Windows Network Protection

<Double-click> it.

Now, click Stop to stop that rogue process.

In the Startup type box, change it to Disabled, then click Apply then OK.

Do the same for Microsoft Initialization

Next, scan with HijackThis, put a check beside these lines and choose Fix:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\security\lsass.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\security\lsass.exe

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)

O20 - AppInit_DLLs: iniwin32.dll

O23 - Service: Microsoft Initialization (msinit) - Unknown owner - C:\WINDOWS\msinit.exe
O23 - Service: Windows Network Protection (NetServ) - Unknown owner - C:\WINDOWS\security\lsass.exe

Reboot and a new hijackthis log please, almost there.

#5 Mike Camden (New Member, 4 posts)

Posted 28 April 2006 - 12:10 PM

Siggyx,
You're awesome, man! I think we're there. Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:17:21 PM, on 4/28/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Security\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129407860093
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.pictur...loadControl.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINDOWS\System32\RpcSs.exe (file missing)

#6 Siggyx (SuperHelper, Authentic Member, 6,776 posts)

Posted 28 April 2006 - 12:22 PM

Almost there, missed 1 :ph34r:

Start > Run

In the box, type in services.msc then hit <enter> (or click OK)

In the Name column, look for Remote Procedure Call

<Double-click> it.

Now, click Stop to stop that rogue process.

In the Startup type box, change it to Disabled, then click Apply then OK.

Then have HijackThis remove this line:

O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINDOWS\System32\RpcSs.exe (file missing)

Then a reboot and a new HijackThis log to be sure. How is it running after the reboot?
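The checks Siggyx walks through in posts #4 and #6 (the Shell and UserInit values in system.ini, the AppInit_DLLs entry, and services with no vendor or no binary on disk) can be turned into a small triage script that a helper runs over a pasted HijackThis log. This is an added example, not a tool from the thread; the sample lines are copied from the log posted above, and the expected home of lsass.exe is assumed to be the XP default.

```python
import re

# Lines copied from the HijackThis log posted earlier in this thread (sample input for the checks).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\security\lsass.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\security\lsass.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O20 - AppInit_DLLs: iniwin32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Microsoft Initialization (msinit) - Unknown owner - C:\WINDOWS\msinit.exe
O23 - Service: Windows Network Protection (NetServ) - Unknown owner - C:\WINDOWS\security\lsass.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINDOWS\System32\RpcSs.exe (file missing)
"""

# The only directory the real lsass.exe lives in on XP (assumption: default install path).
LSASS_HOME = r"c:\windows\system32"

def flag_line(line):
    """Return why a HijackThis line is suspicious, or None if it passes these checks."""
    if line.startswith("F2 - REG:system.ini: Shell="):
        value = line.split("Shell=", 1)[1].strip()
        if value.lower() != "explorer.exe":
            return "Winlogon Shell launches more than Explorer.exe: " + value
    elif line.startswith("F2 - REG:system.ini: UserInit="):
        entries = [e.strip() for e in line.split("UserInit=", 1)[1].split(",") if e.strip()]
        extra = [e for e in entries if not e.lower().endswith(r"\userinit.exe")]
        if extra:
            return "UserInit chains extra executables: " + ", ".join(extra)
    elif line.startswith("O20 - AppInit_DLLs:"):
        dlls = line.split(":", 1)[1].strip()
        if dlls:
            return "AppInit_DLLs is loaded into every process that uses user32: " + dlls
    elif line.startswith("O23 - Service:"):
        if "Unknown owner" in line or "(file missing)" in line:
            return "service with no vendor or no binary on disk: " + line.split(" - ", 1)[1]
    # Any line: the name of a core binary (lsass.exe) run from a directory other than its home
    m = re.search(r"([a-z]:\\[^\s,]*)\\lsass\.exe", line, re.I)
    if m and m.group(1).lower() != LSASS_HOME:
        return "lsass.exe outside " + LSASS_HOME + ": " + m.group(0)
    return None

def triage(log_text):
    """Map each suspicious line of a HijackThis log to the reason it was flagged."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    return {l: flag_line(l) for l in lines if flag_line(l)}

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG).items():
        print("[FLAG]", reason, "\n      ", line)
```

The two control lines (ctfmon.exe under HKCU\Run and the AVG service with a named vendor) pass every check, so only the six entries Siggyx told Mike to disable or fix come back flagged.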

#7 Mike Camden (New Member, 4 posts)

Posted 02 May 2006 - 06:37 AM

Siggyx, thanks again for all of the help. I didn't get a chance to post on Friday, but all looks good now. Between your help and a HijackThis tutorial I found, I was able to learn quite a bit about how to get rid of some of these nasties in the future. Thanks again, Mike

#8 Siggyx (SuperHelper, Authentic Member, 6,776 posts)

Posted 02 May 2006 - 02:18 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
