I-Search and VX2.Look2Me


This topic is locked
35 replies to this topic

#1 RabbitFly (Authentic Member, 20 posts)

Posted 14 May 2006 - 02:17 PM

Hello, I have been trying for weeks now to get rid of these.

Symptoms: pop-ups from various sites (gambling and anti-spyware sites, including ErrorSafe); Task Manager closes by itself when I try to open it (it stays for a second, maybe).


I have been doing scans with Spyware Doctor and Norton AntiVirus 2006 and kept removing stuff, but they keep reappearing. I read some manual removal guides for I-Search, but the files mentioned in them do not exist on my computer.

Edit: Note about Spyware Doctor: when trying to remove these two, it always says it has removed something from memory and needs to reboot; by the time I have rebooted, they are both back.

HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 10:07:28 PM, on 5/14/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\TCAUDIAG.exe
C:\WINNT\system32\CTHELPER.EXE
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\LVCOMSX.EXE
E:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\DAEMON Tools\daemon.exe
E:\Program Files\FarStone\VDPPro\VHD\RDTask.exe
C:\WINNT\system32\WINSUPDATER.EXE
C:\defender19a.exe
C:\WINNT\system32\WUAUCLTS.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINNT\system32\ctfmon.exe
C:\DOCUME~1\ADMINI~1\MYDOCU~1\ASEMBL~1\rundll.exe
C:\Documents and Settings\Administrator\My Documents\?ssembly\m?dtc.exe
E:\Program Files\Logitech\Video\FxSvr2.exe
E:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Winamp\winamp.exe
C:\WINNT\system32\CTPdeSrv.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] E:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] E:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RAMDrive] "E:\Program Files\FarStone\VDPPro\VHD\RDTask.exe"
O4 - HKLM\..\Run: [DVDCTray] E:\Program Files\FarStone\VDPPro\dvdcreator\DVDCTrayIconShl.exe
O4 - HKLM\..\Run: [VirtualDrive] E:\Program Files\FarStone\VDPPro\VDP\vdtask.exe /AutoRestore
O4 - HKLM\..\Run: [Microsoft winsupdater] WINSUPDATER.EXE
O4 - HKLM\..\Run: [defender] C:\\defender19a.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wuauclts] WUAUCLTS.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] "E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Steam] "g:\spill\steam\steam.exe" -silent
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "E:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Salt] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\ASEMBL~1\rundll.exe" -vt yazr
O4 - HKCU\..\Run: [Hqgxpug] C:\Documents and Settings\Administrator\My Documents\?ssembly\m?dtc.exe
O4 - HKCU\..\Run: [ntdll.dll] ctfmon.exe
O4 - HKCU\..\Run: [OLE] C:\WINNT\scchost.exe
O4 - HKCU\..\Run: [Spyware Doctor] "E:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunOnce: [wuauclts] WUAUCLTS.EXE
O4 - HKCU\..\RunOnce: [Microsoft winsupdater] WINSUPDATER.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.1.74.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123446832140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147604108703
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service - Rocket Division Software - E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

I really appreciate all the help I can get.
Thanks in advance.

Edited by RabbitFly, 14 May 2006 - 02:21 PM.



#2 RabbitFly (Authentic Member, 20 posts)

Posted 15 May 2006 - 01:42 PM

OK, so I searched the forums some more and found a link to a Look2Me destroyer. I ran it and it didn't seem to help much; here is the log:

Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 15.05.2006 20:53:02
Infected! C:\WINNT\system32\o8roli9318.dll
Infected! C:\WINNT\system32\df16gt.dLL
Infected! C:\WINNT\system32\sdrialui.dll
Infected! C:\WINNT\system32\guard.tmp
Attempting to delete infected files...
Attempting to delete: C:\WINNT\system32\df16gt.dLL
C:\WINNT\system32\df16gt.dLL could not be deleted!
Attempting to delete: C:\WINNT\system32\sdrialui.dll
C:\WINNT\system32\sdrialui.dll could not be deleted!
Attempting to delete: C:\WINNT\system32\guard.tmp
C:\WINNT\system32\guard.tmp could not be deleted!
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A56BD65B-71BA-4E88-8B8A-0CF83C309A60}"
HKCR\Clsid\{A56BD65B-71BA-4E88-8B8A-0CF83C309A60}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded

Thanks again.

#3 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 16 May 2006 - 04:31 PM

Reboot and post a new HijackThis log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days.

Proud graduate of TC/WTT Classroom

#4 RabbitFly (Authentic Member, 20 posts)

Posted 16 May 2006 - 11:18 PM

Norton AntiVirus has lately been reporting and deleting a hookerdll.dll. Not sure if that helps, but here is the new log:

Logfile of HijackThis v1.99.0
Scan saved at 7:15:25 AM, on 5/17/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\TCAUDIAG.exe
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\system32\RUNDLL32.EXE
E:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\LVCOMSX.EXE
E:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\FarStone\VDPPro\VHD\RDTask.exe
C:\defender19a.exe
E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINNT\system32\ctfmon.exe
C:\DOCUME~1\ADMINI~1\MYDOCU~1\ASEMBL~1\rundll.exe
C:\Documents and Settings\Administrator\My Documents\?ssembly\m?dtc.exe
E:\Program Files\Spyware Doctor\swdoctor.exe
E:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] E:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] E:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RAMDrive] "E:\Program Files\FarStone\VDPPro\VHD\RDTask.exe"
O4 - HKLM\..\Run: [DVDCTray] E:\Program Files\FarStone\VDPPro\dvdcreator\DVDCTrayIconShl.exe
O4 - HKLM\..\Run: [VirtualDrive] E:\Program Files\FarStone\VDPPro\VDP\vdtask.exe /AutoRestore
O4 - HKLM\..\Run: [defender] C:\\defender19a.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] "E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Steam] "g:\spill\steam\steam.exe" -silent
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "E:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Salt] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\ASEMBL~1\rundll.exe" -vt yazr
O4 - HKCU\..\Run: [Hqgxpug] C:\Documents and Settings\Administrator\My Documents\?ssembly\m?dtc.exe
O4 - HKCU\..\Run: [ntdll.dll] ctfmon.exe
O4 - HKCU\..\Run: [OLE] C:\WINNT\scchost.exe
O4 - HKCU\..\Run: [Spyware Doctor] "E:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.2.1.87.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123446832140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147604108703
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service - Rocket Division Software - E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Again, thanks for your help.
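
A reader working through the two logs above would want to triage the O4 autorun entries systematically rather than by eye. The Python below is an added example, not code from this thread or from HijackThis: its heuristics, its list of impersonated Windows binaries, and the `triage`/`assess` helpers are assumptions made here, run over O4 lines copied from the logs.

```python
r"""Heuristic triage of the O4 (autorun) lines of a HijackThis log.

Added example; not code from this thread or from HijackThis. It parses lines like
    O4 - HKLM\..\Run: [Name] "C:\path\program.exe" -args
and flags: a Run value named after a DLL (only programs launch from Run, so
[ntdll.dll] is a label chosen to look like a system component); a program in the
drive root or inside a user profile; a '?' in the path (not legal in a Windows file
name, so the log could not render a non-ANSI character, as in ?ssembly); and a file
name one or two edits away from a real Windows binary (scchost.exe, wuauclts.exe,
rundll.exe, m?dtc.exe). Heuristics and the legitimate-name list are this example's
own assumptions: a flag means "inspect", not "malicious".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Stems of Windows binaries that autorun entries commonly imitate (assumed list).
LEGIT_STEMS = {"svchost", "wuauclt", "rundll32", "msdtc", "lsass", "csrss",
               "explorer", "ctfmon", "winlogon", "services", "smss", "spoolsv"}


@dataclass
class Finding:
    hive: str
    key: str
    name: str
    target: str
    reasons: List[str] = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def target_of(cmd: str) -> str:
    """Pull the launched file out of the command string, quoted or not."""
    quoted = re.match(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    # Unquoted paths may contain spaces (C:\Documents and Settings\...), so take
    # everything up to the first executable extension instead of the first space.
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|pif))(?=\s|,|$)", cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    parts = cmd.split()
    return parts[0] if parts else ""


def lookalike_of(stem: str) -> Optional[str]:
    """Return the legitimate stem this one imitates (distance <= 2), else None."""
    if stem in LEGIT_STEMS:
        return None
    best = min(LEGIT_STEMS, key=lambda s: edit_distance(stem, s))
    return best if edit_distance(stem, best) <= 2 else None


def assess(hive: str, key: str, name: str, cmd: str) -> Finding:
    target = target_of(cmd)
    path = target.replace("\\\\", "\\").lower()   # the log shows C:\\defender19a.exe
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    f = Finding(hive, key, name, target)
    if name.lower().endswith(".dll"):
        f.reasons.append("dll_named_value")
    if re.fullmatch(r"[a-z]:\\[^\\]+", path):
        f.reasons.append("drive_root")
    if any(s in path for s in ("documents and settings", "docume~1", "my documents", "mydocu~1")):
        f.reasons.append("user_profile")
    if "?" in path:
        f.reasons.append("unprintable_char")
    mimic = lookalike_of(stem)
    if mimic:
        f.reasons.append(f"lookalike:{mimic}")
    return f


def triage(lines) -> List[Finding]:
    """Return the O4 Run/RunOnce entries that tripped at least one heuristic."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue   # Global Startup entries and non-O4 lines are out of scope here
        f = assess(m["hive"], m["key"], m["name"], m["cmd"])
        if f.reasons:
            findings.append(f)
    return findings


# Constructed sample: O4 lines copied from the two logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [defender] C:\\defender19a.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wuauclts] WUAUCLTS.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Salt] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\ASEMBL~1\rundll.exe" -vt yazr
O4 - HKCU\..\Run: [Hqgxpug] C:\Documents and Settings\Administrator\My Documents\?ssembly\m?dtc.exe
O4 - HKCU\..\Run: [OLE] C:\WINNT\scchost.exe
O4 - HKCU\..\RunOnce: [wuauclts] WUAUCLTS.EXE
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.hive}\\..\\{f.key} [{f.name}] -> {f.target}: {', '.join(f.reasons)}")
```

The genuine entries in the sample (mobsync, the NVIDIA rundll32 line, ctfmon) pass clean, while every entry the helpers in this thread would query is flagged with the reason.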

#5 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 17 May 2006 - 05:42 AM

Important: Do this before any fix.

You need to update your version of HijackThis. Open HJT > Open Misc Tools > pull the side bar down > Check for update online. If that doesn't work, download it from my signature and remove the HijackThis.exe you have now.

Also please put your HijackThis in its own folder (I create a new folder in C:\ named HJT).
You can do a right click on any open area on the desktop, New > Folder, then rename the folder HJT.

Go to where your HijackThis is and right click on HijackThis.exe, select Cut, then open the new folder you just created (HJT), right click in the folder and select Paste.

After the above:

This is what I suggest you do.

Download CWShredder from my signature below. Unzip it on the desktop.
Open CWShredder and, with ALL other windows closed, click Fix.

Go here and run the online scan, allow it to delete whatever it finds:

Panda ActiveScan

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open... click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click Send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component, allow it
  • It will start downloading the files it requires for the scan (Note: it may take a couple of minutes)
  • When the download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Note anything that can't be fixed.

Reboot.

Next:

Even if you've already run these, make SURE they're up-to-date and run per instructions.

Make sure you have the up-to-date versions of Spybot V 1.4 and Ad-aware SE Build 1.06. All are free and available below.

Download Spybot, install and update. Then download Ad-aware, install, and update.

Spybot:

Install the program and launch it.

Go to Start > Programs > Spybot > Search & Destroy and choose Spybot S&D.

Close ALL windows except Spybot S&D.
Click the button "Search for Updates" and download and install the updates.
Next click the button "Check for Problems".
When Spybot is complete, it will be showing RED entries, BLACK entries and GREEN entries in the window.
Put a check mark beside the RED entries ONLY.
Choose "Fix Selected Problems" and allow Spybot to fix the RED entries.

Ad-Aware FULL SCAN:

Install the program and launch it.

1. Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon > Click Connect > Click OK > Click Finish.)
2. Set up the configuration as follows:
-- Click the Gear wheel at the top of the Ad-Aware window
-- Click General > Safety & Settings: Check (Green) all three.
-- Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
3. Click "Proceed"
4. Click "Scan Now"
5. Deselect "Search for negligible risk entries", as negligible risk entries (MRUs) are not considered to be a threat.
6. Select "Search for low-risk threats"
7. Run the scanner using the Full Scan (Perform full system scan) mode.
8. When the scan has completed, select Next.
9. In the Scanning Results window, select the "Scan Summary" tab.
10. Check the box next to each "target family" you wish to remove.
11. Click Next > Click OK.

Empty Recycle Bin.

Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.


#6 RabbitFly (Authentic Member, 20 posts)

Posted 17 May 2006 - 03:35 PM

OK, so I followed all the steps. CWShredder didn't find anything. Spybot log:

checks:
--- Report generated: 2006-05-17 22:17 ---
AzeSearch: Uninstall settings (Registry key, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AZESearch
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Favorites\Music and Movies\Albums.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Favorites\Music and Movies\Artists.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Favorites\Music and Movies\AudioBooks.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Favorites\Music and Movies\Collections.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Favorites\Music and Movies\Mp3 Search.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Favorites\Music and Movies\New releases.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Favorites\Music and Movies\Ratings.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Favorites\Music and Movies\Soundtracks.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\Carnival Casino.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\Club Dice Casino.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\Monaco Gold Casino.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\New York Casino.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\USA Casino.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\You Bingo.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Aces & Faces.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Baccarat.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Black Jack.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Caribbean Poker.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Casino War.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Cinerama.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Craps.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Deuces Wild.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Diamond Valley.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Fruit Mania.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Gold Rally.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Jacks or Better.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Magic Slots.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Mega Jacks.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Pai Gow Poker.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Red Dog Poker.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Roulette.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\SafeCracer.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Sic Bo.url
AzeSearch: Link (File, nothing done) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Wall St. Fever.url
Command Service: Data (File, nothing done) C:\windows\newname.dat
Command Service: Autorun settings (ntdll.dll) (Registry value, nothing done) HKEY_USERS\S-1-5-21-583907252-2052111302-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntdll.dll
Command Service: Program file (File, nothing done) C:\WINNT\SYSTEM32\ctfmon.exe
ErrorSafe: Settings (Registry key, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\drsmartload
Smitfraud-C.: Data (File, nothing done) c:\windows\drsmartload2.dat
Smitfraud-C.: Data (File, nothing done) c:\windows\drsmartload.dat
Smitfraud-C.: Data (File, nothing done) c:\windows\teller2.chk
Spy Sheriff: Data (File, nothing done) C:\WINNT\hosts
Network Monitor: Program directory (Directory, nothing done) C:\Documents and Settings\Default User\Application Data\NetMon\
Alexa Related: Link (Replace file, nothing done) C:\WINNT\Web\RELATED.HTM
Torpig: Temporary file (File, nothing done) C:\WINNT\Temp\$_2341234.TMP
Avenue A, Inc.: Tracking cookie (Internet Explorer: Administrator) (Cookie, nothing done)
ISearchTech: Bookmark (Internet Explorer: Administrator) (Bookmark, nothing done)
ISearchTech: Bookmark (Internet Explorer: Administrator) (Bookmark, nothing done)

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-05-17 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-05-12 Includes\Cookies.sbi (*)
2006-05-12 Includes\Dialer.sbi (*)
2006-05-12 Includes\Hijackers.sbi (*)
2006-05-12 Includes\Keyloggers.sbi (*)
2006-05-15 Includes\Malware.sbi (*)
2006-05-12 Includes\PUPS.sbi (*)
2006-05-12 Includes\Revision.sbi (*)
2006-05-12 Includes\Security.sbi (*)
2006-05-12 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-05-12 Includes\Trojans.sbi (*)

fixes:
--- Report generated: 2006-05-17 22:17 ---
AzeSearch: Uninstall settings (Registry key, fixed) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AZESearch
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Favorites\Music and Movies\Albums.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Favorites\Music and Movies\Artists.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Favorites\Music and Movies\AudioBooks.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Favorites\Music and Movies\Collections.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Favorites\Music and Movies\Mp3 Search.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Favorites\Music and Movies\New releases.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Favorites\Music and Movies\Ratings.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Favorites\Music and Movies\Soundtracks.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\Carnival Casino.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\Club Dice Casino.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\Monaco Gold Casino.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\New York Casino.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\USA Casino.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\You Bingo.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Aces & Faces.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Baccarat.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Black Jack.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Caribbean Poker.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Casino War.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Cinerama.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Craps.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Deuces Wild.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Diamond Valley.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Fruit Mania.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Gold Rally.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Jacks or Better.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Magic Slots.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Mega Jacks.url
AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Pai Gow Poker.url
AzeSearch: Link (File, fixed) C:\Documents and
Settings\Administrator\Favorites\Games\Gambling\Red Dog Poker.url AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Roulette.url AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\SafeCracer.url AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Sic Bo.url AzeSearch: Link (File, fixed) C:\Documents and Settings\Administrator\Favorites\Games\Gambling\Wall St. Fever.url Command Service: Data (File, fixed) C:\windows\newname.dat Command Service: Autorun settings (ntdll.dll) (Registry value, fixed) HKEY_USERS\S-1-5-21-583907252-2052111302-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntdll.dll Command Service: Program file (File, fixed) C:\WINNT\SYSTEM32\ctfmon.exe ErrorSafe: Settings (Registry key, fixed) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\drsmartload Smitfraud-C.: Data (File, fixed) c:\windows\drsmartload2.dat Smitfraud-C.: Data (File, fixed) c:\windows\drsmartload.dat Smitfraud-C.: Data (File, fixed) c:\windows\teller2.chk Spy Sheriff: Data (File, fixed) C:\WINNT\hosts Network Monitor: Program directory (Directory, fixed) C:\Documents and Settings\Default User\Application Data\NetMon\ Alexa Related: Link (Replace file, fixed) C:\WINNT\Web\RELATED.HTM Torpig: Temporary file (File, fixed) C:\WINNT\Temp\$_2341234.TMP Avenue A, Inc.: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) ISearchTech: Bookmark (Internet Explorer: Administrator) (Bookmark, fixed) ISearchTech: Bookmark (Internet Explorer: Administrator) (Bookmark, fixed) --- Spybot - Search & Destroy version: 1.4 (build: 20050523) --- 2005-05-31 blindman.exe (1.0.0.1) 2005-05-31 SpybotSD.exe (1.4.0.3) 2005-05-31 TeaTimer.exe (1.4.0.2) 2006-05-17 unins000.exe (51.41.0.0) 2005-05-31 Update.exe (1.4.0.0) 2006-02-06 advcheck.dll (1.0.2.0) 2005-05-31 aports.dll (2.1.0.0) 2005-05-31 borlndmm.dll (7.0.4.453) 2005-05-31 delphimm.dll (7.0.4.453) 2005-05-31 
SDHelper.dll (1.4.0.0) 2006-02-20 Tools.dll (2.0.0.2) 2005-05-31 UnzDll.dll (1.73.1.1) 2005-05-31 ZipDll.dll (1.73.2.0) 2006-05-12 Includes\Cookies.sbi (*) 2006-05-12 Includes\Dialer.sbi (*) 2006-05-12 Includes\Hijackers.sbi (*) 2006-05-12 Includes\Keyloggers.sbi (*) 2006-05-15 Includes\Malware.sbi (*) 2006-05-12 Includes\PUPS.sbi (*) 2006-05-12 Includes\Revision.sbi (*) 2006-05-12 Includes\Security.sbi (*) 2006-05-12 Includes\Spybots.sbi (*) 2005-02-17 Includes\Tracks.uti 2006-05-12 Includes\Trojans.sbi (*) and resident: 5/17/2006 10:17:56 PM Denied value "ntdll.dll" (new data: "") deleted in System Startup user entry! 5/17/2006 11:12:07 PM Denied value "Search Bar" (new data: "") deleted in Browser page! 5/17/2006 11:12:10 PM Denied value "Start Page" (new data: "") changed in Browser page! Ad-aware log: Ad-Aware SE Build 1.06r1 Logfile Created on:Wednesday, May 17, 2006 10:22:59 PM Created with Ad-Aware SE Personal, free for private use. Using definitions file:SE1R108 17.05.2006 »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» References detected during the scan: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Alexa(TAC index:5):9 total references CoolWebSearch(TAC index:10):6 total references H@tKeysH@@k(TAC index:5):1 total references Tracking Cookie(TAC index:3):2 total references »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Ad-Aware SE Settings =========================== Set : Search for low-risk threats Set : Safe mode (always request confirmation) Set : Scan active processes Set : Scan registry Set : Deep-scan registry Set : Scan my IE Favorites for banned URLs Set : Scan my Hosts file Extended Ad-Aware SE Settings =========================== Set : Unload recognized processes & modules during scan Set : Scan registry for all users instead of current user only Set : During removal, unload Explorer and IE if necessary Set : Let Windows remove files in use at next reboot Set : Delete quarantined objects after restoring Set : Include basic Ad-Aware settings in log file 
Set : Include additional Ad-Aware settings in log file Set : Include reference summary in log file Set : Include alternate data stream details in log file Set : Play sound at scan completion if scan locates critical objects 5-17-2006 10:22:59 PM - Scan started. (Full System Scan) Listing running processes »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» #:1 [smss.exe] FilePath : \SystemRoot\System32\ ProcessID : 316 ThreadCreationTime : 5-17-2006 7:57:04 PM BasePriority : Normal #:2 [csrss.exe] FilePath : \??\C:\WINNT\system32\ ProcessID : 348 ThreadCreationTime : 5-17-2006 7:57:34 PM BasePriority : Normal #:3 [winlogon.exe] FilePath : \??\C:\WINNT\SYSTEM32\ ProcessID : 368 ThreadCreationTime : 5-17-2006 7:57:36 PM BasePriority : High #:4 [services.exe] FilePath : C:\WINNT\system32\ ProcessID : 400 ThreadCreationTime : 5-17-2006 7:57:37 PM BasePriority : Normal FileVersion : 5.00.2195.7035 ProductVersion : 5.00.2195.7035 ProductName : Microsoft® Windows ® 2000 Operating System CompanyName : Microsoft Corporation FileDescription : Services and Controller app InternalName : services.exe LegalCopyright : Copyright © Microsoft Corp. 1981-1999 OriginalFilename : services.exe #:5 [lsass.exe] FilePath : C:\WINNT\system32\ ProcessID : 412 ThreadCreationTime : 5-17-2006 7:57:37 PM BasePriority : Normal FileVersion : 5.00.2195.7011 ProductVersion : 5.00.2195.7011 ProductName : Microsoft® Windows ® 2000 Operating System CompanyName : Microsoft Corporation FileDescription : LSA Executable and Server DLL (Export Version) InternalName : lsasrv.dll and lsass.exe LegalCopyright : Copyright © Microsoft Corp. 
1981-1999 OriginalFilename : lsasrv.dll and lsass.exe #:6 [svchost.exe] FilePath : C:\WINNT\system32\ ProcessID : 588 ThreadCreationTime : 5-17-2006 7:57:41 PM BasePriority : Normal FileVersion : 5.00.2134.1 ProductVersion : 5.00.2134.1 ProductName : Microsoft® Windows ® 2000 Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : Copyright © Microsoft Corp. 1981-1999 OriginalFilename : svchost.exe #:7 [spoolsv.exe] FilePath : C:\WINNT\system32\ ProcessID : 616 ThreadCreationTime : 5-17-2006 7:57:41 PM BasePriority : Normal FileVersion : 5.00.2195.7059 ProductVersion : 5.00.2195.7059 ProductName : Microsoft® Windows ® 2000 Operating System CompanyName : Microsoft Corporation FileDescription : Spooler SubSystem App InternalName : spoolss.exe LegalCopyright : Copyright © Microsoft Corp. 1981-1999 OriginalFilename : spoolss.exe #:8 [aluschedulersvc.exe] FilePath : C:\Program Files\Symantec\LiveUpdate\ ProcessID : 644 ThreadCreationTime : 5-17-2006 7:57:41 PM BasePriority : Normal FileVersion : 3.0.0.160 ProductVersion : 3.0.0.160 ProductName : LiveUpdate CompanyName : Symantec Corporation FileDescription : Automatic LiveUpdate Scheduler Service InternalName : Automatic LiveUpdate Scheduler Service LegalCopyright : Copyright © 1996-2005 Symantec Corporation OriginalFilename : ALUSchedulerSvc.exe #:9 [ccsetmgr.exe] FilePath : C:\Program Files\Common Files\Symantec Shared\ ProcessID : 668 ThreadCreationTime : 5-17-2006 7:57:42 PM BasePriority : Normal FileVersion : 103.0.7.2 ProductVersion : 103.0.7.2 ProductName : Client and Host Security Platform CompanyName : Symantec Corporation FileDescription : Symantec Settings Manager Service InternalName : ccSetMgr LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved. 
OriginalFilename : ccSetMgr.exe #:10 [ctsvccda.exe] FilePath : C:\WINNT\system32\ ProcessID : 696 ThreadCreationTime : 5-17-2006 7:57:44 PM BasePriority : Normal FileVersion : 1.0.1.0 ProductVersion : 1.0.0.0 ProductName : Creative Service for CDROM Access CompanyName : Creative Technology Ltd FileDescription : Creative Service for CDROM Access InternalName : CTsvcCDAEXE LegalCopyright : Copyright © Creative Technology Ltd., 1999. All rights reserved. OriginalFilename : CTsvcCDA.EXE #:11 [svchost.exe] FilePath : C:\WINNT\system32\ ProcessID : 716 ThreadCreationTime : 5-17-2006 7:57:45 PM BasePriority : Normal FileVersion : 5.00.2134.1 ProductVersion : 5.00.2134.1 ProductName : Microsoft® Windows ® 2000 Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : Copyright © Microsoft Corp. 1981-1999 OriginalFilename : svchost.exe #:12 [mdm.exe] FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\ ProcessID : 752 ThreadCreationTime : 5-17-2006 7:57:46 PM BasePriority : Normal FileVersion : 7.00.9064.9150 ProductVersion : 7.00.9064.9150 ProductName : Microsoft Development Environment CompanyName : Microsoft Corporation FileDescription : Machine Debug Manager InternalName : mdm.exe LegalCopyright : Copyright © Microsoft Corp. 1997-2000 OriginalFilename : mdm.exe #:13 [navapsvc.exe] FilePath : C:\Program Files\Norton AntiVirus\ ProcessID : 800 ThreadCreationTime : 5-17-2006 7:57:47 PM BasePriority : Normal FileVersion : 11.0.16.2 ProductVersion : 11.0.16 ProductName : Norton AntiVirus CompanyName : Symantec Corporation FileDescription : Norton AntiVirus Auto-Protect Service InternalName : NAVAPSVC LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved. 
OriginalFilename : NAVAPSVC.EXE #:14 [npfmntor.exe] FilePath : C:\Program Files\Norton AntiVirus\IWP\ ProcessID : 836 ThreadCreationTime : 5-17-2006 7:57:50 PM BasePriority : Normal FileVersion : 11.0.16.2 ProductVersion : 11.0.16 ProductName : Norton AntiVirus CompanyName : Symantec Corporation FileDescription : Norton AntiVirus Firewall Install Monitor InternalName : NPFMonitor LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved. OriginalFilename : NPFMonitor.EXE #:15 [nvsvc32.exe] FilePath : C:\WINNT\system32\ ProcessID : 876 ThreadCreationTime : 5-17-2006 7:57:51 PM BasePriority : Normal FileVersion : 6.14.10.8194 ProductVersion : 6.14.10.8194 ProductName : NVIDIA Driver Helper Service, Version 81.94 CompanyName : NVIDIA Corporation FileDescription : NVIDIA Driver Helper Service, Version 81.94 InternalName : NVSVC LegalCopyright : © NVIDIA Corporation. All rights reserved. OriginalFilename : nvsvc32.exe #:16 [regsvc.exe] FilePath : C:\WINNT\system32\ ProcessID : 904 ThreadCreationTime : 5-17-2006 7:57:52 PM BasePriority : Normal FileVersion : 5.00.2195.6701 ProductVersion : 5.00.2195.6701 ProductName : Microsoft® Windows ® 2000 Operating System CompanyName : Microsoft Corporation FileDescription : Remote Registry Service InternalName : regsvc LegalCopyright : Copyright © Microsoft Corp. 1981-1999 OriginalFilename : REGSVC.EXE #:17 [mstask.exe] FilePath : C:\WINNT\system32\ ProcessID : 924 ThreadCreationTime : 5-17-2006 7:57:54 PM BasePriority : Normal FileVersion : 4.71.2195.6972 ProductVersion : 4.71.2195.6972 ProductName : Microsoft® Windows® Task Scheduler CompanyName : Microsoft Corporation FileDescription : Task Scheduler Engine InternalName : TaskScheduler LegalCopyright : Copyright © Microsoft Corp. 
1997 OriginalFilename : mstask.exe #:18 [sndsrvc.exe] FilePath : C:\Program Files\Common Files\Symantec Shared\ ProcessID : 952 ThreadCreationTime : 5-17-2006 7:57:56 PM BasePriority : Normal FileVersion : 5.5.1.6 ProductVersion : 5.5 ProductName : Symantec Security Drivers CompanyName : Symantec Corporation FileDescription : Network Driver Service InternalName : SndSrvc LegalCopyright : Copyright 2002, 2003, 2004 Symantec Corporation OriginalFilename : SndSrvc.exe #:19 [spbbcsvc.exe] FilePath : C:\Program Files\Common Files\Symantec Shared\SPBBC\ ProcessID : 1020 ThreadCreationTime : 5-17-2006 7:57:59 PM BasePriority : Normal FileVersion : 1,0,1,47 ProductVersion : 1,0,1,47 ProductName : SPBBC CompanyName : Symantec Corporation FileDescription : SPBBC Service InternalName : SPBBCSvc LegalCopyright : Copyright © 2004 Symantec Corporation. All rights reserved. OriginalFilename : SPBBCSvc.exe #:20 [starwindservice.exe] FilePath : E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\ ProcessID : 1052 ThreadCreationTime : 5-17-2006 7:58:01 PM BasePriority : Normal FileVersion : 2.6.1 Build 0x20050401 ProductVersion : 2.6.1 Build 0x20050401 ProductName : StarWind CompanyName : Rocket Division Software FileDescription : StarWind iSCSI Target (Alcohol Edition) InternalName : StarWind LegalCopyright : Copyright © Rocket Division Software 2003-2005. All rights reserved. 
OriginalFilename : StarWind #:21 [symlcsvc.exe] FilePath : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\ ProcessID : 1068 ThreadCreationTime : 5-17-2006 7:58:02 PM BasePriority : Normal FileVersion : 1, 8, 54, 419 ProductVersion : 1, 8, 54, 419 ProductName : Symantec Core Component CompanyName : Symantec Corporation FileDescription : Symantec Core Component InternalName : symlcsvc LegalCopyright : Copyright © 2003 OriginalFilename : symlcsvc.exe #:22 [winmgmt.exe] FilePath : C:\WINNT\System32\WBEM\ ProcessID : 1128 ThreadCreationTime : 5-17-2006 7:58:08 PM BasePriority : Normal FileVersion : 1.50.1085.0100 ProductVersion : 1.50.1085.0100 ProductName : Windows Management Instrumentation CompanyName : Microsoft Corporation FileDescription : Windows Management Instrumentation InternalName : WINMGMT LegalCopyright : Copyright © Microsoft Corp. 1995-1999 #:23 [svchost.exe] FilePath : C:\WINNT\system32\ ProcessID : 1196 ThreadCreationTime : 5-17-2006 7:58:09 PM BasePriority : Normal FileVersion : 5.00.2134.1 ProductVersion : 5.00.2134.1 ProductName : Microsoft® Windows ® 2000 Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : Copyright © Microsoft Corp. 1981-1999 OriginalFilename : svchost.exe #:24 [ccevtmgr.exe] FilePath : C:\Program Files\Common Files\Symantec Shared\ ProcessID : 1208 ThreadCreationTime : 5-17-2006 7:58:10 PM BasePriority : Normal FileVersion : 103.0.7.2 ProductVersion : 103.0.7.2 ProductName : Client and Host Security Platform CompanyName : Symantec Corporation FileDescription : Symantec Event Manager Service InternalName : ccEvtMgr LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved. 
OriginalFilename : ccEvtMgr.exe #:25 [svchost.exe] FilePath : C:\WINNT\system32\ ProcessID : 1240 ThreadCreationTime : 5-17-2006 7:58:11 PM BasePriority : Normal FileVersion : 5.00.2134.1 ProductVersion : 5.00.2134.1 ProductName : Microsoft® Windows ® 2000 Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : Copyright © Microsoft Corp. 1981-1999 OriginalFilename : svchost.exe #:26 [explorer.exe] FilePath : C:\WINNT\ ProcessID : 1496 ThreadCreationTime : 5-17-2006 8:06:50 PM BasePriority : Normal FileVersion : 5.00.3700.6690 ProductVersion : 5.00.3700.6690 ProductName : Microsoft® Windows ® 2000 Operating System CompanyName : Microsoft Corporation FileDescription : Windows Explorer InternalName : explorer LegalCopyright : Copyright © Microsoft Corp. 1981-1999 OriginalFilename : EXPLORER.EXE #:27 [ccapp.exe] FilePath : C:\Program Files\Common Files\Symantec Shared\ ProcessID : 1436 ThreadCreationTime : 5-17-2006 8:06:53 PM BasePriority : Normal FileVersion : 103.0.7.2 ProductVersion : 103.0.7.2 ProductName : Client and Host Security Platform CompanyName : Symantec Corporation FileDescription : Symantec User Session InternalName : ccApp LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved. 
OriginalFilename : ccApp.exe #:28 [tcaudiag.exe] FilePath : C:\WINNT\system32\ ProcessID : 1696 ThreadCreationTime : 5-17-2006 8:06:54 PM BasePriority : Normal FileVersion : 6, 1, 1, 1 ProductVersion : 6, 1, 1, 1 ProductName : TouchDown Application FileDescription : TouchDown MFC Application InternalName : TouchDown LegalCopyright : Copyright © 2000-2003 OriginalFilename : TouchDown.EXE #:29 [cthelper.exe] FilePath : C:\WINNT\system32\ ProcessID : 1660 ThreadCreationTime : 5-17-2006 8:06:54 PM BasePriority : Normal FileVersion : 1, 0, 1, 2 ProductVersion : 1, 0, 1, 2 ProductName : CtHelper Application CompanyName : Creative Technology Ltd FileDescription : CtHelper Application InternalName : CtHelper LegalCopyright : Copyright © 2002-03 OriginalFilename : CtHelper.EXE #:30 [rundll32.exe] FilePath : C:\WINNT\system32\ ProcessID : 1428 ThreadCreationTime : 5-17-2006 8:06:55 PM BasePriority : Normal FileVersion : 5.00.2134.1 ProductVersion : 5.00.2134.1 ProductName : Microsoft® Windows ® 2000 Operating System CompanyName : Microsoft Corporation FileDescription : Run a DLL as an App InternalName : rundll LegalCopyright : Copyright © Microsoft Corp. 1981-1999 OriginalFilename : RUNDLL.EXE #:31 [ituneshelper.exe] FilePath : E:\Program Files\iTunes\ ProcessID : 396 ThreadCreationTime : 5-17-2006 8:06:55 PM BasePriority : Normal FileVersion : 6.0.1.3 ProductVersion : 6.0.1.3 ProductName : iTunes CompanyName : Apple Computer, Inc. FileDescription : iTunesHelper Module InternalName : iTunesHelper LegalCopyright : © 2003-2005 Apple Computer, Inc. All Rights Reserved. OriginalFilename : iTunesHelper.exe #:32 [qttask.exe] FilePath : C:\Program Files\QuickTime\ ProcessID : 1480 ThreadCreationTime : 5-17-2006 8:06:55 PM BasePriority : Normal FileVersion : 7.0.3 ProductVersion : QuickTime 7.0.3 ProductName : QuickTime CompanyName : Apple Computer, Inc. FileDescription : QuickTime Task InternalName : QuickTime Task LegalCopyright : Copyright Apple Computer, Inc. 
1989-2005 OriginalFilename : QTTask.exe #:33 [lvcomsx.exe] FilePath : C:\WINNT\system32\ ProcessID : 1508 ThreadCreationTime : 5-17-2006 8:06:55 PM BasePriority : Normal FileVersion : 8.4.7.1036 ProductVersion : 8.4.7.1036 ProductName : Logitech QuickCam CompanyName : Logitech Inc. FileDescription : LVCom Server InternalName : LVComS.exe LegalCopyright : © 1996-2005 Logitech. All rights reserved. OriginalFilename : LVComS.exe #:34 [logitray.exe] FilePath : E:\Program Files\Logitech\Video\ ProcessID : 1476 ThreadCreationTime : 5-17-2006 8:06:55 PM BasePriority : Normal FileVersion : 8.4.7.1034 ProductVersion : 8.4.7.1034 ProductName : Logitech QuickCam CompanyName : Logitech Inc. FileDescription : ImageStudio Tray Application InternalName : LogiTray.exe LegalCopyright : © 1996-2005 Logitech. All rights reserved. OriginalFilename : LogiTray.exe #:35 [realsched.exe] FilePath : C:\Program Files\Common Files\Real\Update_OB\ ProcessID : 1520 ThreadCreationTime : 5-17-2006 8:06:55 PM BasePriority : Normal FileVersion : 0.1.0.3492 ProductVersion : 0.1.0.3492 ProductName : RealPlayer (32-bit) CompanyName : RealNetworks, Inc. FileDescription : RealNetworks Scheduler InternalName : schedapp LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004 LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc. OriginalFilename : realsched.exe #:36 [daemon.exe] FilePath : E:\Program Files\DAEMON Tools\ ProcessID : 1248 ThreadCreationTime : 5-17-2006 8:06:56 PM BasePriority : Normal #:37 [rdtask.exe] FilePath : E:\Program Files\FarStone\VDPPro\VHD\ ProcessID : 1752 ThreadCreationTime : 5-17-2006 8:06:57 PM BasePriority : Normal FileVersion : 1, 0, 0, 1 ProductVersion : 1, 0, 0, 1 ProductName : RDTask ???? FileDescription : RDTask Microsoft ??????? InternalName : RDTask LegalCopyright : ???? 
© 2003 OriginalFilename : RDTask.EXE #:38 [msnmsgr.exe] FilePath : C:\Program Files\MSN Messenger\ ProcessID : 1844 ThreadCreationTime : 5-17-2006 8:07:10 PM BasePriority : Normal FileVersion : 7.0.0816 ProductVersion : 7.0.0816 ProductName : MSN Messenger CompanyName : Microsoft Corporation FileDescription : MSN Messenger InternalName : msnmsgr LegalCopyright : Copyright © Microsoft Corporation 1997-2005 LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries. OriginalFilename : msnmsgr.exe #:39 [ipodservice.exe] FilePath : C:\Program Files\iPod\bin\ ProcessID : 1488 ThreadCreationTime : 5-17-2006 8:07:14 PM BasePriority : Normal FileVersion : 6.0.1.3 ProductVersion : 6.0.1.3 ProductName : iTunes CompanyName : Apple Computer, Inc. FileDescription : iPodService Module InternalName : iPodService LegalCopyright : © 2003-2005 Apple Computer, Inc. All Rights Reserved. OriginalFilename : iPodService.exe #:40 [ctdetect.exe] FilePath : E:\Program Files\Creative\MediaSource\Detector\ ProcessID : 1856 ThreadCreationTime : 5-17-2006 8:07:16 PM BasePriority : Normal FileVersion : 3.0.2.0 ProductVersion : 3.0.0.0 ProductName : Creative MediaSource Detector CompanyName : Creative Technology Ltd FileDescription : Creative MediaSource Detector InternalName : CTDetect LegalCopyright : Copyright © Creative Technology Ltd., 2003-2004. All rights reserved. 
OriginalFilename : CTDetect.EXE #:41 [rundll.exe] FilePath : C:\DOCUME~1\ADMINI~1\MYDOCU~1\ASEMBL~1\ ProcessID : 2016 ThreadCreationTime : 5-17-2006 8:07:30 PM BasePriority : Normal #:42 [m?dtc.exe] FilePath : C:\Documents and Settings\Administrator\My Documents\?ssembly\ ProcessID : 1884 ThreadCreationTime : 5-17-2006 8:07:49 PM BasePriority : Normal #:43 [teatimer.exe] FilePath : E:\Program Files\Spybot - Search & Destroy\ ProcessID : 2236 ThreadCreationTime : 5-17-2006 8:08:35 PM BasePriority : Idle FileVersion : 1, 4, 0, 2 ProductVersion : 1, 4, 0, 3 ProductName : Spybot - Search & Destroy CompanyName : Safer Networking Limited FileDescription : System settings protector InternalName : TeaTimer LegalCopyright : © 2000-2005 Patrick M. Kolla / Safer Networking Limited. Alle Rechte vorbehalten. LegalTrademarks : "Spybot" und "Spybot - Search & Destroy" sind registrierte Warenzeichen. OriginalFilename : TeaTimer.exe Comments : Schützt Systemeinstellungen vor ungewollten Änderungen. #:44 [fxsvr2.exe] FilePath : E:\Program Files\Logitech\Video\ ProcessID : 2240 ThreadCreationTime : 5-17-2006 8:08:37 PM BasePriority : Normal FileVersion : 8.4.7.1034 ProductVersion : 8.4.7.1034 ProductName : Logitech QuickCam CompanyName : Logitech Inc. FileDescription : QuickCam Framework Server InternalName : FxSvr.EXE LegalCopyright : © 1996-2005 Logitech. All rights reserved. 
OriginalFilename : FxSvr.EXE #:45 [ad-aware.exe] FilePath : E:\Program Files\Lavasoft\Ad-Aware SE Personal\ ProcessID : 2000 ThreadCreationTime : 5-17-2006 8:19:25 PM BasePriority : Normal FileVersion : 6.2.0.236 ProductVersion : SE 106 ProductName : Lavasoft Ad-Aware SE CompanyName : Lavasoft Sweden FileDescription : Ad-Aware SE Core application InternalName : Ad-Aware.exe LegalCopyright : Copyright © Lavasoft AB Sweden OriginalFilename : Ad-Aware.exe Comments : All Rights Reserved #:46 [notepad.exe] FilePath : C:\WINNT\system32\ ProcessID : 2540 ThreadCreationTime : 5-17-2006 8:19:52 PM BasePriority : Normal FileVersion : 5.00.2140.1 ProductVersion : 5.00.2140.1 ProductName : Microsoft® Windows ® 2000 Operating System CompanyName : Microsoft Corporation FileDescription : Notepad InternalName : Notepad LegalCopyright : Copyright © Microsoft Corp. 1981-1999 OriginalFilename : NOTEPAD.EXE Memory scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 0 Started registry scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Alexa Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} Alexa Object Recognized! Type : RegValue Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} Value : MenuStatusBar Alexa Object Recognized! Type : RegValue Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} Value : Script Alexa Object Recognized! 
Type : RegValue Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} Value : clsid Alexa Object Recognized! Type : RegValue Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} Value : Icon Alexa Object Recognized! Type : RegValue Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} Value : HotIcon Alexa Object Recognized! Type : RegValue Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} Value : ButtonText Alexa Object Recognized! Type : RegValue Data : TAC Rating : 5 Category : Data Miner Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}" Rootkey : HKEY_USERS Object : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a} Alexa Object Recognized! Type : RegValue Data : TAC Rating : 5 Category : Data Miner Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}" Rootkey : HKEY_USERS Object : S-1-5-21-583907252-2052111302-839522115-500\software\microsoft\internet explorer\extensions\cmdmapping Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a} Registry Scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 9 Objects found so far: 9 Started deep registry scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Deep registry scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 9 Started Tracking Cookie scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Tracking Cookie Object Recognized! 
Type : IECache Entry Data : administrator@cgi-bin[1].txt TAC Rating : 3 Category : Data Miner Comment : Hits:1 Value : Cookie:administrator@imrworldwide.com/cgi-bin Expires : 1-19-2009 1:00:00 AM LastSync : Hits:1 UseCount : 0 Hits : 1 Tracking Cookie Object Recognized! Type : IECache Entry Data : administrator@~~local~~[1].txt TAC Rating : 3 Category : Data Miner Comment : Hits:3 Value : Cookie:administrator@~~local~~/ Expires : 5-31-2006 10:19:38 PM LastSync : Hits:3 UseCount : 0 Hits : 3 Tracking cookie scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 2 Objects found so far: 11 Deep scanning and examining files (C:) »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» CoolWebSearch Object Recognized! Type : File Data : mvpml9711.dll TAC Rating : 10 Category : Malware Comment : Object : C:\WINNT\system32\ Disk Scan Result for C:\ »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 12 Deep scanning and examining files (D:) »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Disk Scan Result for D:\ »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 12 Deep scanning and examining files (E:) »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» H@tKeysH@@k Object Recognized! Type : File Data : hotkey.dat TAC Rating : 5 Category : Data Miner Comment : Object : E:\Program Files\Trainer Maker Kit\ Disk Scan Result for E:\ »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 13 Deep scanning and examining files (F:) »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Disk Scan Result for F:\ »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 13 Deep scanning and examining files (G:) »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Disk Scan Result for G:\ »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 13 Scanning Hosts file...... Hosts file location:"C:\WINNT\system32\drivers\etc\hosts". 
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Hosts file scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» 1 entries scanned. New critical objects:0 Objects found so far: 13 Performing conditional scans... »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» CoolWebSearch Object Recognized! Type : Regkey Data : TAC Rating : 10 Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\downloadmanager CoolWebSearch Object Recognized! Type : RegValue Data : TAC Rating : 10 Category : Malware Comment : Rootkey : HKEY_CURRENT_USER Object : software\microsoft\internet explorer\search\searchproperties\en-us Value : Panel@Web CoolWebSearch Object Recognized! Type : RegValue Data : TAC Rating : 10 Category : Malware Comment : Rootkey : HKEY_CURRENT_USER Object : software\microsoft\internet explorer\main Value : Search Bar CoolWebSearch Object Recognized! Type : RegData Data : about:blank TAC Rating : 10 Category : Malware Comment : Rootkey : HKEY_CURRENT_USER Object : software\microsoft\internet explorer\main Value : Start Page Data : about:blank CoolWebSearch Object Recognized! Type : Folder TAC Rating : 10 Category : Malware Comment : CoolWebSearch Object : C:\Documents and Settings\Administrator\Favorites\Pharmacy Conditional scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 5 Objects found so far: 18 10:44:12 PM Scan Complete Summary Of This Scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Total scanning time:00:21:12.907 Objects scanned:251278 Objects identified:18 Objects ignored:0 New critical objects:18

Edited by RabbitFly, 17 May 2006 - 03:39 PM.


#7 RabbitFly
Authentic Member, 20 posts

Posted 17 May 2006 - 03:37 PM

Oops, almost forgot the ActiveScan report.


Incident Status Location

Virus:Trj/Clicker.PZ Disinfected C:\defender19a.exe
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Administrator\My Documents\a?sembly\rundll.exe



And I had to edit and repost the HijackThis log... hehe, the reply became too big ;)

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:22:22 PM, on 5/17/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINNT\system32\TCAUDIAG.exe
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\system32\RUNDLL32.EXE
E:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\LVCOMSX.EXE
E:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\DAEMON Tools\daemon.exe
E:\Program Files\FarStone\VDPPro\VHD\RDTask.exe
E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\DOCUME~1\ADMINI~1\MYDOCU~1\ASEMBL~1\rundll.exe
C:\Documents and Settings\Administrator\My Documents\?ssembly\m?dtc.exe
C:\WINNT\scchost.exe
E:\Program Files\Spyware Doctor\swdoctor.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Logitech\Video\FxSvr2.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] E:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] E:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RAMDrive] "E:\Program Files\FarStone\VDPPro\VHD\RDTask.exe"
O4 - HKLM\..\Run: [DVDCTray] E:\Program Files\FarStone\VDPPro\dvdcreator\DVDCTrayIconShl.exe
O4 - HKLM\..\Run: [VirtualDrive] E:\Program Files\FarStone\VDPPro\VDP\vdtask.exe /AutoRestore
O4 - HKLM\..\Run: [defender] C:\\defender19a.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] "E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Steam] "g:\spill\steam\steam.exe" -silent
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "E:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Salt] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\ASEMBL~1\rundll.exe" -vt yazr
O4 - HKCU\..\Run: [Hqgxpug] C:\Documents and Settings\Administrator\My Documents\?ssembly\m?dtc.exe
O4 - HKCU\..\Run: [OLE] C:\WINNT\scchost.exe
O4 - HKCU\..\Run: [Spyware Doctor] "E:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ntdll.dll] ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.2.1.87.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123446832140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147604108703
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe




Note: Norton keeps telling me I have HookerDll.Dll, reports it as Infostealer.Tarno.D, and says it is unable to repair this file.

Still have pop-ups, but Task Manager seems to be working.

Hope you can pinpoint my problem, and once again thanks for all the help.

Edited by RabbitFly, 17 May 2006 - 03:43 PM.


#8 LDTate
Grand Poobah, Root Admin, 57,211 posts

Posted 17 May 2006 - 04:12 PM

I suggest you do this:


You need to disable TeaTimer; it can stop our fix.

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts


Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.


Run HijackThis. Hit "None of the above", then click "Do a System Scan Only". Put a check in the box on the left side of these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [defender] C:\\defender19a.exe

O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKCU\..\Run: [Salt] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\ASEMBL~1\rundll.exe" -vt yazr

O4 - HKCU\..\Run: [Hqgxpug] C:\Documents and Settings\Administrator\My Documents\?ssembly\m?dtc.exe

O4 - HKCU\..\Run: [OLE] C:\WINNT\scchost.exe

O4 - HKCU\..\Run: [ntdll.dll] ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


Close ALL windows and browsers except HijackThis and click "Fix checked"




Delete these Files if listed:
C:\defender19a.exe
C:\WINNT\scchost.exe




Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom
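The selection above follows a handful of rules of thumb that are worth making explicit: a Run value named after a system file, a program started from the drive root, the Windows directory itself or the user's profile, a file name one character away from a real Windows binary, a path containing a character HijackThis could not render, and the same command line registered under two different value names. The script below is an added example, not code from this thread or from HijackThis: it parses O4 lines, applies those rules and reports why each line is suspect. The sample lines are copied from the log posted above; the `SYSTEM_NAMES` list, the rules in `reasons_for`, the `triage` and `edit_distance` helpers and the one-character threshold are my own assumptions about what a log reviewer looks for, not anything the forum or the tool defines.

```python
"""Heuristic triage of HijackThis O4 (autostart) lines.

Added example for this thread; not code from the forum or from HijackThis.
SAMPLE_LOG is copied from the log posted above. SYSTEM_NAMES, the rules in
reasons_for() and the edit-distance threshold are my own assumptions.
"""
import ntpath
import re
from collections import defaultdict

# Constructed sample: O4 lines taken from the posted HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [defender] C:\\defender19a.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Salt] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\ASEMBL~1\rundll.exe" -vt yazr
O4 - HKCU\..\Run: [Hqgxpug] C:\Documents and Settings\Administrator\My Documents\?ssembly\m?dtc.exe
O4 - HKCU\..\Run: [OLE] C:\WINNT\scchost.exe
O4 - HKCU\..\Run: [ntdll.dll] ctfmon.exe
"""

# Well-known Windows binaries that malware likes to imitate (assumed list).
SYSTEM_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe",
    "ctfmon.exe", "msdtc.exe", "ntdll.dll",
}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Quoted path, else everything up to the first executable extension, else the first token.
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.(?:exe|com|scr|bat|cmd|pif))(?=\s|$)|^(?P<t>\S+)',
                    re.IGNORECASE)


def executable(cmd):
    """Return the program part of a Run-value command line."""
    m = EXE_RE.match(cmd.strip())
    return m.group("q") or m.group("u") or m.group("t")


def edit_distance(a, b):
    """Levenshtein distance; used to spot one-character look-alike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_o4(log_text):
    """Split each O4 line into hive, value name, program path and a normalised command."""
    entries = []
    for raw in log_text.splitlines():
        m = O4_RE.match(raw.strip())
        if not m:
            continue
        exe = re.sub(r"\\+", r"\\", executable(m.group("cmd")))  # collapse C:\\foo to C:\foo
        norm_cmd = re.sub(r"\\+", r"\\", m.group("cmd")).replace('"', "").lower()
        entries.append({"line": raw.strip(), "hive": m.group("hive"), "name": m.group("name"),
                        "exe": exe, "norm_cmd": norm_cmd})
    return entries


def reasons_for(entry, duplicate_cmds):
    """Apply the review heuristics to one entry; an empty list means nothing looked off."""
    name = entry["name"].lower()
    exe = entry["exe"]
    base = ntpath.basename(exe).lower()
    folder = ntpath.dirname(exe).lower()
    reasons = []
    # A Run value named after a system DLL, or after a system EXE it does not actually launch.
    if name.endswith(".dll") or (name in SYSTEM_NAMES and name != base):
        reasons.append("value name mimics a system file")
    # HijackThis prints '?' for characters it cannot render; '?' is illegal in a file name.
    if "?" in exe or any(ord(c) > 127 for c in exe):
        reasons.append("path contains a character HijackThis could not render")
    if folder:  # bare names like ctfmon.exe carry no location to judge
        if re.fullmatch(r"[a-z]:\\?", folder):
            reasons.append("runs from the root of a drive")
        elif re.fullmatch(r"[a-z]:\\(winnt|windows)", folder) and base != "explorer.exe":
            reasons.append("runs from the Windows directory itself rather than system32")
        elif any(t in folder for t in ("documents and settings", "docume~1", "local settings", "\\temp")):
            reasons.append("runs from a user-writable profile or temp directory")
    if base not in SYSTEM_NAMES:
        for known in sorted(SYSTEM_NAMES):
            if edit_distance(base, known) == 1:
                reasons.append(f"file name is one character away from {known}")
                break
    if entry["norm_cmd"] in duplicate_cmds:
        reasons.append("same command registered under more than one value name")
    return reasons


def triage(log_text):
    """Return the O4 entries that trip at least one heuristic, with their reasons."""
    entries = parse_o4(log_text)
    names_per_cmd = defaultdict(set)
    for e in entries:
        names_per_cmd[e["norm_cmd"]].add(e["name"].lower())
    duplicate_cmds = {cmd for cmd, names in names_per_cmd.items() if len(names) > 1}
    flagged = []
    for e in entries:
        reasons = reasons_for(e, duplicate_cmds)
        if reasons:
            flagged.append(dict(e, reasons=reasons))
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e['hive']} [{e['name']}] -> {e['exe']}")
        for r in e["reasons"]:
            print("    -", r)
```

Run against the sample, every O4 entry LDTate asked to fix comes out with at least one reason, and the Symantec ccApp line is left alone. Two of the signals deserve a note. A `?` in a HijackThis path is the tool's rendering of a character it could not display, and `?` is not a legal character in a Windows file name, so `?ssembly` and `m?dtc.exe` are look-alikes of `assembly` and `msdtc.exe` rather than typos; the 8.3 form `ASEMBL~1` in the Salt entry is presumably the same folder with the odd character dropped. And one command line registered under two value names, one of them a system DLL name, is the pattern of a loader that re-creates its own autostart entries, which fits the entries coming back after reboot that the thread describes.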

 


#9 RabbitFly
Authentic Member, 20 posts

Posted 17 May 2006 - 06:19 PM

OK, I ran HijackThis and fixed the ones you told me to, then deleted scchost.exe; destroyer seemed to be gone. One note though: the pop-ups were there after HijackThis, but quit after I ran ATF Cleaner.

here is my latest HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:13:32 AM, on 5/18/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\msiexec.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINNT\system32\TCAUDIAG.exe
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\LVCOMSX.EXE
E:\Program Files\Logitech\Video\LogiTray.exe
E:\Program Files\DAEMON Tools\daemon.exe
E:\Program Files\FarStone\VDPPro\VHD\RDTask.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
E:\Program Files\Logitech\Video\FxSvr2.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] E:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] E:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RAMDrive] "E:\Program Files\FarStone\VDPPro\VHD\RDTask.exe"
O4 - HKLM\..\Run: [DVDCTray] E:\Program Files\FarStone\VDPPro\dvdcreator\DVDCTrayIconShl.exe
O4 - HKLM\..\Run: [VirtualDrive] E:\Program Files\FarStone\VDPPro\VDP\vdtask.exe /AutoRestore
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] "E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Steam] "g:\spill\steam\steam.exe" -silent
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "E:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Spyware Doctor] "E:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.2.1.87.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123446832140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147604108703
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#10 LDTate
Grand Poobah, Root Admin, 57,211 posts

Posted 17 May 2006 - 06:24 PM

Good job.

Log looks good :D :thumbup: How is it running, any issues?



1.Do one of the following:
In Windows 98/Me/2000, on the Windows desktop, double-click the My Computer icon.
In Windows XP, on the taskbar, click Start > My Computer.

2.Do one of the following:
In Windows 98, on the View menu, click Folder Options.
In Windows Me/2000/XP, on the Tools menu, click Folder Options.
On the View tab, check Hide file extensions for known file types.

3.Do one of the following:
In Windows 98, in the Advanced Settings box, under the "Hidden files" folder, unclick Show all files.
In Windows Me/2000/XP, check Hide protected operating system files. Then, under the "Hidden files" folder, unclick Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply.
Click OK.



If you don't have these three programs I would recommend that you get them: SpywareBlaster, SpywareGuard and IE-SPYAD. They will add thousands of sites to your Restricted zone and block some hijacks from happening. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Ad-Aware & Spybot (once a week works), and hopefully you will be OK from here on. Both are available below.

Safe Surfing. :D

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein



#11 RabbitFly
Authentic Member, 20 posts

Posted 17 May 2006 - 09:13 PM

That's just it: I am a fairly skilled computer user (have had computers for the bigger part of my life) and have had a 2-year education (so far anyway). So I usually stay away from those and normally don't get many viruses. And I have no idea how I got these. However, I tend to download a lot of different things, and from time to time that involves going to risky websites. I greatly thank you; this had me going nuts for a while. It's a pain in the butt having to close 20 windows every other minute I am out surfing. And btw, is there a special reason you want me to hide file extensions and hidden files and folders? I almost always have them shown; I feel more in control that way.

Edited by RabbitFly, 17 May 2006 - 09:15 PM.


#12 RabbitFly
Authentic Member, 20 posts

Posted 18 May 2006 - 11:33 AM

OK, so it seemed that everything was fine, but I activated TeaTimer again and all of a sudden I got a lot of programs trying to change the registry, amongst them ctf and destroyer... Could you please take another look through my log?

Here is my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:30:48 PM, on 5/18/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\TCAUDIAG.exe
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\LVCOMSX.EXE
E:\Program Files\Logitech\Video\LogiTray.exe
E:\Program Files\DAEMON Tools\daemon.exe
E:\Program Files\FarStone\VDPPro\VHD\RDTask.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
E:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\explorer.exe
E:\Program Files\ABC\abc.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] E:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] E:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RAMDrive] "E:\Program Files\FarStone\VDPPro\VHD\RDTask.exe"
O4 - HKLM\..\Run: [DVDCTray] E:\Program Files\FarStone\VDPPro\dvdcreator\DVDCTrayIconShl.exe
O4 - HKLM\..\Run: [VirtualDrive] E:\Program Files\FarStone\VDPPro\VDP\vdtask.exe /AutoRestore
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [defender] C:\\defender19a.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] "E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Steam] "g:\spill\steam\steam.exe" -silent
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "E:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Spyware Doctor] "E:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Salt] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\ASEMBL~1\rundll.exe" -vt yazr
O4 - HKCU\..\Run: [Hqgxpug] C:\Documents and Settings\Administrator\My Documents\?ssembly\m?dtc.exe
O4 - HKCU\..\Run: [OLE] C:\WINNT\scchost.exe
O4 - HKCU\..\Run: [ntdll.dll] ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.2.1.87.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123446832140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147604108703
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


I can see that many of the entries I removed after you told me to have come back... and I wonder how

#13 LDTate, Root Admin

Posted 18 May 2006 - 03:19 PM

Only for Windows XP and Windows 2000


Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free...mitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.


______________________________

Please download the trial version of Ewido anti-malware 3.5 from here:
http://www.ewido.net/en/download/
  • Install Ewido anti-malware.
  • When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
  • When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
  • The program will prompt you to update. Click the Ok button.
  • The program will now go to the main screen.
You will need to update Ewido to the latest definition files.
  • On the left-hand side of the main screen click the Update Button.
  • Click on Start.
The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido. Don't Run It Yet.

If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter


This program will scan large amounts of files on your computer for known patterns so please be patient while it works. It will create a file named:
c:\rapport.txt


IMPORTANT: Do NOT run any other options until you are asked to do so!

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Please post:
C:\rapport.txt

Edited by LDTate, 18 May 2006 - 03:20 PM.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#14 RabbitFly, Authentic Member

Posted 18 May 2006 - 07:41 PM

The scan took only a couple of seconds, so I am not sure if something is wrong or not. rapport.txt:

SmitFraudFix v2.45

Scan done at 3:36:44.81, Fri 05/19/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195]

»»»»»»»»»»»»»»»»»»»»»»»» C:\

C:\r.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\WINNT\\Web\\desktop.html"
"SubscribedURL"="C:\\WINNT\\Web\\desktop.html"
"FriendlyName"="Security"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

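The rapport.txt above carries the two findings that matter for a SmitFraud-family infection: a dropped executable (C:\r.exe) and an Active Desktop component whose "Source" is a local HTML file (C:\WINNT\Web\desktop.html, friendly name "Security"), which is how the fake "security warning" wallpaper is injected. The script below is an added triage example, not part of the original thread or of SmitFraudFix itself. It parses a constructed copy of the posted log (laid out one item per line, as the tool writes it), extracts the "FOUND !" files and the Desktop Components registry values, and flags any component that points at a local path rather than a web URL. The optional live_desktop_components() reader (Windows only) applies the same check to the current user's registry, which is the same thing the Display > Desktop > Customize Desktop > Web tab shows; the sample text and the detection rule are assumptions of this example, not output of the tool.

```python
"""Triage a SmitFraudFix rapport.txt: list files the tool flagged and pick out
Active Desktop components that point at a local HTML file (the SmitFraud
"Security info" desktop hijack)."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the rapport.txt posted above, trimmed and
# laid out one item per line as SmitFraudFix writes it. Not a real capture.
SAMPLE_RAPPORT = r"""SmitFraudFix v2.45

Scan done at 3:36:44.81, Fri 05/19/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195]

»»»»»»»»»»»»»»»»»»»»»»»» C:\

C:\r.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\WINNT\\Web\\desktop.html"
"SubscribedURL"="C:\\WINNT\\Web\\desktop.html"
"FriendlyName"="Security"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

SECTION_RE = re.compile(r'^»+\s*(.+?)\s*$')          # "»»»» C:\WINNT" headers
FOUND_RE = re.compile(r'^(?P<path>.+?)\s+FOUND\s*!\s*$')
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')    # .reg-style key line
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>.*)"$')
# Drive letter, UNC path or file: URL: a desktop component should not need one.
LOCAL_PATH_RE = re.compile(r'^(?:[A-Za-z]:\\|\\\\|file:)', re.IGNORECASE)


@dataclass
class DesktopComponent:
    key: str
    values: dict = field(default_factory=dict)


def parse_rapport(text):
    """Return (found_files, desktop_components) from a rapport.txt body."""
    section, current = None, None
    found, comps = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current = m.group(1), None
            continue
        m = FOUND_RE.match(line)
        if m:
            found.append(m.group('path'))
            continue
        if section == 'Desktop Components':
            m = KEY_RE.match(line)
            if m:
                current = DesktopComponent(m.group('key'))
                comps.append(current)
                continue
            m = VALUE_RE.match(line)
            if m and current is not None:
                # .reg syntax doubles backslashes; undo that before path checks
                current.values[m.group('name')] = m.group('val').replace('\\\\', '\\')
    return found, comps


def suspicious_components(components):
    """(key, friendly_name, source) for every component sourced from a local file."""
    hits = []
    for c in components:
        src = c.values.get('Source', '')
        if LOCAL_PATH_RE.match(src):
            hits.append((c.key, c.values.get('FriendlyName', ''), src))
    return hits


def live_desktop_components():
    """Read the current user's Active Desktop components (Windows only)."""
    import winreg  # imported here so the parser still runs on other platforms
    base = r"Software\Microsoft\Internet Explorer\Desktop\Components"
    comps = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, base) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):   # [0] = subkey count
            sub = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, sub) as k:
                vals = {}
                for name in ("Source", "SubscribedURL", "FriendlyName"):
                    try:
                        vals[name] = winreg.QueryValueEx(k, name)[0]
                    except FileNotFoundError:
                        pass
                comps.append(DesktopComponent(f"HKEY_CURRENT_USER\\{base}\\{sub}", vals))
    return comps


if __name__ == "__main__":
    found, comps = parse_rapport(SAMPLE_RAPPORT)
    print("Flagged files:", found)
    for key, name, src in suspicious_components(comps):
        print(f"Suspicious desktop component {name!r} at {key}: {src}")
```

After the cleanup steps, running `suspicious_components(live_desktop_components())` on the affected machine should return an empty list; a component still pointing at C:\WINNT\Web\desktop.html means the wallpaper hijack survived the reboot, the same way the earlier HijackThis entries did.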
#15 LDTate, Root Admin

Posted 18 May 2006 - 07:45 PM

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.



The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.
  • Click on Scanner
  • Click on Settings
    • Under How to scan all boxes should be checked
    • Under Unwanted Software all boxes should be checked
    • Under What to scan select Scan every file
    • Click on Ok
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
  • Click Save Report button
  • Save the report to your Desktop
Close Ewido and Reboot in Normal Mode.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing
Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________

Please post:
  • c:\rapport.txt
  • Ewido log
  • A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.
