Hijackthis log - someone please review.


10 replies to this topic

#1 lazyvista


Posted 23 September 2006 - 03:54 PM

Logfile of HijackThis v1.99.1
Scan saved at 4:40:26 PM, on 9/23/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\sfmprint.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\w32svc.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\{5C278563-035F-1033-0226-010928190001}\Update.exe
C:\dfndrff_14.exe
C:\WINNT\Duce6.exe
C:\WINNT\win32093154609392.exe
C:\WINNT\ms059392315460.exe
C:\WINNT\ms063923154609.exe
E:\Pictures\HijackThis.exe

R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series/DADS2800/Session 1] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P49 "EPSON Stylus Photo R300 Series/DADS2800/Session 1" /O5 "TS001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [__dads2800_EPSON Stylus Photo R300 Series/OM2014L1/Session 1] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P60 "__dads2800_EPSON Stylus Photo R300 Series/OM2014L1/Session 1" /O5 "TS003" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [defender] C:\\dfndrff_14.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\Duce6.exe
O4 - HKLM\..\Run: [nvy9a8f4] RUNDLL32.EXE w5b203fe.dll,n 0039a8f1000000035b203fe
O4 - HKLM\..\Run: [newname] c:\\nwnmff_14.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\yshgnv.exe reg_run
O4 - HKLM\..\Run: [ms063923154609] C:\WINNT\ms063923154609.exe
O4 - HKLM\..\Run: [sys024609392315] C:\WINNT\sys024609392315.exe
O4 - HKLM\..\Run: [win32093154609392] C:\WINNT\win32093154609392.exe
O4 - HKLM\..\Run: [ms059392315460] C:\WINNT\ms059392315460.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{029F10C6-FC13-403E-AFC5-08C73647BF8C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{029F10C6-FC13-403E-AFC5-08C73647BF8C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{029F10C6-FC13-403E-AFC5-08C73647BF8C}: NameServer = 192.168.1.1
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINNT\system32\xeymi.dll
O23 - Service: Apache - Unknown owner - E:\RECYCLER\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Security Updates Manager (secupdates) - Unknown owner - C:\WINNT\system32\w32svc.exe
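The log above is a flat run of HijackThis entries. As an added example (not HijackThis's or the forum's code), here is a small parser that splits it back into sections and attaches the kind of reason a helper looks for when reading it: orphaned entries, Run values pointing straight into the Windows directory or a drive root, rundll32 loading a path-less DLL, generated-looking names, a text/html MIME filter, and services with no vendor string. The sample lines are copied from the log above; the heuristics are mine and are assumptions about what is worth a second look, not a signature set.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: entries copied from the first HijackThis log in this thread,
# one per line as HijackThis writes them (the post above ran them together).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\Duce6.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\yshgnv.exe reg_run
O4 - HKLM\..\Run: [defender] C:\\dfndrff_14.exe
O4 - HKLM\..\Run: [nvy9a8f4] RUNDLL32.EXE w5b203fe.dll,n 0039a8f1000000035b203fe
O4 - HKLM\..\Run: [ms059392315460] C:\WINNT\ms059392315460.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{029F10C6-FC13-403E-AFC5-08C73647BF8C}: NameServer = 192.168.1.1
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINNT\system32\xeymi.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Security Updates Manager (secupdates) - Unknown owner - C:\WINNT\system32\w32svc.exe
O23 - Service: Apache - Unknown owner - E:\RECYCLER\Apache Group\Apache\Apache.exe" --ntservice (file missing)
"""

# "O4 - <body>": a section code, then the section-specific body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 body: Service: <display name> - <vendor> - <image path> [(file missing)]
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
DIGIT_RUN = re.compile(r"\d{8,}")


@dataclass
class Entry:
    section: str
    body: str
    flags: list = field(default_factory=list)


def parse_log(text):
    """Keep the 'Xnn - ...' entries; header and process-list lines carry no section code."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def exe_path(cmd):
    """First token of the command line (enough here: the only paths with spaces,
    the EPSON spooler entries, are not the ones in question)."""
    return cmd.strip().strip('"').split(" ")[0]


def in_windows_root(path):
    """C:\\WINNT\\x.exe or C:\\x.exe: directly in the Windows directory or a drive root,
    where legitimate Run entries rarely live."""
    parts = path.replace("\\\\", "\\").lower().split("\\")
    return len(parts) == 2 or (len(parts) == 3 and parts[1] in ("winnt", "windows"))


def triage(entries):
    """Heuristics only: a flag means 'confirm what this is', not 'delete it'."""
    for e in entries:
        b = e.body
        if "(no file)" in b or "(file missing)" in b:
            e.flags.append("orphan: entry points to a file no longer on disk")
        if e.section == "O4" and (m := O4_RE.match(b)):
            target = exe_path(m["cmd"])
            if target.lower().startswith("rundll32"):
                args = m["cmd"].split()
                dll = args[1].split(",")[0] if len(args) > 1 else ""
                if "\\" not in dll:
                    e.flags.append("rundll32 loads a DLL given without a path")
            elif in_windows_root(target):
                e.flags.append("autostart executable directly in Windows directory or drive root")
            if DIGIT_RUN.search(target.rsplit("\\", 1)[-1]):
                e.flags.append("executable name carries a long digit run (generated name)")
            if m["name"].lower().endswith((".dll", ".exe")):
                e.flags.append("Run value named after a system file")
        elif e.section == "O17" and (m := re.search(r"NameServer = (\S+)", b)):
            for ip in m[1].split(","):
                try:
                    if not ipaddress.ip_address(ip).is_private:
                        e.flags.append(f"DNS server {ip} is outside private ranges; confirm it")
                except ValueError:
                    e.flags.append(f"NameServer value {ip!r} is not an IP address")
        elif e.section == "O18" and b.startswith("Filter: text/html"):
            e.flags.append("MIME filter hooking text/html; legitimate ones are rare")
        elif e.section == "O23" and (m := O23_RE.match(b)):
            if m["owner"] == "Unknown owner":
                e.flags.append("service has no vendor string")
            if "\\recycler\\" in m["path"].lower():
                e.flags.append("service image lives under a RECYCLER directory")
    return entries


def suspicious(text):
    """Entries that picked up at least one flag, in log order."""
    return [e for e in triage(parse_log(text)) if e.flags]
```

Run `suspicious(SAMPLE_LOG)` and the EPSON-style and VERITAS entries stay quiet while the Duce6, dfndrff, rundll32, ms059392315460, xeymi and w32svc entries each come back with a reason attached.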



#2 Danny_


Posted 24 September 2006 - 07:10 PM

Hi,

Please follow the instructions provided; you may want to print out these instructions and use them as a reference.

Please download ewido anti malware; it is a free version of the program.
  • Install ewido anti malware
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti malware.

Reboot, and post the ewido report, as well as a new HijackThis log.

Danny
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how!

Proud member of ASAP since 2005

#3 lazyvista


Posted 26 September 2006 - 07:00 PM

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:18:16 PM 9/25/2006

+ Scan result:

C:\Program Files\Common Files\{5C278563-035F-1033-0226-010928190001}\Update.exe -> Adware.Agent : Cleaned.
[564] C:\Program Files\Common Files\{5C278563-035F-1033-0226-010928190001}\Update.exe -> Adware.Agent : Error during cleaning.
E:\UserHomes\STEVE\Downloads\whisset102.exe/CD_Load.exe -> Adware.Cydoor : Cleaned.
HKU\.DEFAULT\Software\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned.
HKU\.DEFAULT\Software\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Cleaned.
HKU\.DEFAULT\Software\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Cleaned.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\05QZO1E7\shopbiz[1].exe -> Adware.MDH : Cleaned.
C:\WINNT\Temp\shopbiz.exe -> Adware.MDH : Cleaned.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\C9Y3W963\mediaview[1].cab/amm06.ocx -> Adware.MediaMotor : Cleaned.
E:\Music\backupofduron1000\Documents and Settings\steve.ROBERTS\Desktop\Downloads\elfbowling3.exe/cccc20030730.exe/NHInstall.exe -> Adware.NavExcel : Cleaned.
E:\Music\backupofduron1000\Documents and Settings\steve.ROBERTS\Desktop\Downloads\elfbowling3.exe/ic1DD.cab/cccc20030730.exe/NHInstall.exe -> Adware.NavExcel : Cleaned.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\85230XYR\bbqa[1].cab/cvn0.exe -> Adware.SearchAssistant : Cleaned.
C:\WINNT\Temp\F3A4.tmp/cvn0.exe -> Adware.SearchAssistant : Cleaned.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\85230XYR\bbqa[1].cab/wfxqhv.exe -> Adware.Suggestor : Cleaned.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\85230XYR\bbqa[1].cab/zqskw.exe -> Adware.Suggestor : Cleaned.
C:\WINNT\Temp\F3A4.tmp/wfxqhv.exe -> Adware.Suggestor : Cleaned.
C:\WINNT\Temp\F3A4.tmp/zqskw.exe -> Adware.Suggestor : Cleaned.
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned.
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned.
HKU\.DEFAULT\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned.
HKU\.DEFAULT\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned.
HKU\S-1-5-21-484763869-764733703-1957994488-500\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned.
HKU\S-1-5-21-484763869-764733703-1957994488-500\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned.
E:\Music\backupofduron1000\Documents and Settings\Peggy.ROBERTS\Desktop\Downloads\Monopoly3-dm.exe -> Adware.Trymedia : Cleaned.
E:\Music\backupofduron1000\Documents and Settings\Peggy.ROBERTS\Desktop\Downloads\RollerCoasterTycoon2-dm.exe -> Adware.Trymedia : Cleaned.
C:\Documents and Settings\Default User\Start Menu\Programs\UCmore - The Search Accelerator -> Adware.Ucmore : Cleaned.
C:\Documents and Settings\Default User\Start Menu\Programs\UCmore - The Search Accelerator\UCmore - The Search Accelerator.lnk -> Adware.Ucmore : Cleaned.
C:\Program Files\whInstall -> Adware.Webhancer : Cleaned.
C:\Program Files\whInstall\Sporder.dll -> Adware.Webhancer : Cleaned.
C:\Program Files\whInstall\license.txt -> Adware.Webhancer : Cleaned.
C:\Program Files\whInstall\readme.txt -> Adware.Webhancer : Cleaned.
C:\Program Files\whInstall\whAgent.ini -> Adware.Webhancer : Cleaned.
C:\Program Files\whInstall\whSurvey.exe -> Adware.Webhancer : Cleaned.
C:\WINNT\system32\__delete_on_reboot__w_3_2_s_v_c_._e_x_e_ -> Backdoor.Rbot : Cleaned.
[924] C:\WINNT\system32\w32svc.exe -> Backdoor.SdBot.aad : Error during cleaning.
C:\WINNT\system32\__delete_on_reboot__d_m_o_n_w_v_._d_l_l_ -> Downloader.Agent.agw : Cleaned.
[1852] C:\WINNT\system32\dmonwv.dll -> Downloader.Agent.agw : Error during cleaning.
[1864] C:\WINNT\system32\dmonwv.dll -> Downloader.Agent.agw : Error during cleaning.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\__delete_on_reboot__r_b_t_h_t_._e_x_e_ -> Downloader.Qoologic.bj : Cleaned.
C:\WINNT\system32\__delete_on_reboot__f_a_h_g_e_e_s_._d_l_l_ -> Downloader.Qoologic.bj : Cleaned.
C:\WINNT\system32\__delete_on_reboot__p_d_y_k_n_._e_x_e_ -> Downloader.Qoologic.bj : Cleaned.
[3884] C:\WINNT\system32\fahgees.dll -> Downloader.Qoologic.bj : Error during cleaning.
C:\WINNT\Duce6.exe -> Downloader.Small : Cleaned.
[652] C:\WINNT\Duce6.exe -> Downloader.Small : Error during cleaning.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\05QZO1E7\WinAntiVirusPro2006FreeInstall[1].cab/UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\VKIH97YY\xp-cydoor-728[1].swf -> Not-A-Virus.Hoax.SWF.Alerter.a : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@pch.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@tcompany.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Default User\Cookies\system@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\SYSTEM32\Cookies\system32@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Steve\Cookies\steve@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Default User\Cookies\system@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@admarketplace[2].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\Default User\Cookies\system@admarketplace[2].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Default User\Cookies\system@www.adtrak[2].txt -> TrackingCookie.Adtrak : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@casinotropez[1].txt -> TrackingCookie.Casinotropez : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@www.casinotropez[1].txt -> TrackingCookie.Casinotropez : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Default User\Cookies\system@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@c.enhance[2].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@epilot[2].txt -> TrackingCookie.Epilot : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-sportingbet.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@server.lon.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@data2.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Default User\Cookies\system@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Default User\Cookies\system@ads.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned.
C:\Documents and Settings\Default User\Cookies\system@banners.searchingbooth[2].txt -> TrackingCookie.Searchingbooth : Cleaned.
C:\Documents and Settings\Default User\Cookies\system@searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned.
C:\Documents and Settings\Default User\Cookies\system@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@h.starware[2].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@try.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@targetnet[2].txt -> TrackingCookie.Targetnet : Cleaned.
C:\Documents and Settings\Default User\Cookies\system@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@login.tracking101[1].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\WINNT\system32\ewxcksr.exe -> Trojan.Runner.j : Cleaned.
C:\WINNT\system32\ha3f.exe -> Trojan.Runner.j : Cleaned.
C:\WINNT\system32ha3f.exe -> Trojan.Runner.j : Cleaned.
C:\WINNT\uni_ehhhh.exe -> Trojan.VB.tg : Cleaned.


::Report end
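The report above is worth reading by status as much as by detection name. As an added example (not ewido's or the forum's code), this parser splits each result into object, detection and status, pulls out the entries ewido could not clean, and decodes the `__delete_on_reboot__` renames back to the original file names. It assumes the bracketed number in front of an entry is the id of the process the object was found in; ewido does not label it, so that is my reading of the format. The sample lines are copied from the report above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: result lines copied from the ewido report in this thread.
SAMPLE_REPORT = r"""
C:\Program Files\Common Files\{5C278563-035F-1033-0226-010928190001}\Update.exe -> Adware.Agent : Cleaned.
[564] C:\Program Files\Common Files\{5C278563-035F-1033-0226-010928190001}\Update.exe -> Adware.Agent : Error during cleaning.
C:\WINNT\system32\__delete_on_reboot__w_3_2_s_v_c_._e_x_e_ -> Backdoor.Rbot : Cleaned.
[924] C:\WINNT\system32\w32svc.exe -> Backdoor.SdBot.aad : Error during cleaning.
[1852] C:\WINNT\system32\dmonwv.dll -> Downloader.Agent.agw : Error during cleaning.
C:\WINNT\Duce6.exe -> Downloader.Small : Cleaned.
[652] C:\WINNT\Duce6.exe -> Downloader.Small : Error during cleaning.
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned.
"""

# "[pid] object -> Family.Variant : Status." The bracketed number is taken to be the
# id of the process the object was found in (assumption; ewido does not label it).
LINE_RE = re.compile(r"^(?:\[(?P<pid>\d+)\] )?(?P<obj>.+?) -> (?P<det>\S+) : (?P<status>.+?)\.?$")
REBOOT_PREFIX = "__delete_on_reboot__"
# Families that mean code runs on the box rank above ads and cookies in the summary.
SEVERITY = {"Backdoor": 3, "Trojan": 2, "Downloader": 2, "Adware": 1, "TrackingCookie": 0}


@dataclass
class Finding:
    obj: str
    detection: str
    status: str
    pid: Optional[int]

    @property
    def family(self):
        return self.detection.split(".")[0]


def parse_report(text):
    """One Finding per result line; header and separator lines do not match."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Finding(m["obj"], m["det"], m["status"], int(m["pid"]) if m["pid"] else None))
    return out


def failed_cleanings(findings):
    """Objects ewido could not clean. In this report every one of them carries a pid,
    i.e. was found in a running process, which is why a reboot and a fresh log follow."""
    return [f for f in findings if f.status != "Cleaned"]


def pending_reboot_deletions(findings):
    """ewido renames a locked file to __delete_on_reboot__ with the name spelled
    l_e_t_t_e_r by letter; undo that to recover the path it will remove on restart.
    (Assumption: an underscore in the original name is lost in this encoding.)"""
    paths = []
    for f in findings:
        folder, _, name = f.obj.rpartition("\\")
        if name.startswith(REBOOT_PREFIX):
            paths.append(folder + "\\" + name[len(REBOOT_PREFIX):].replace("_", ""))
    return paths


def summarize(findings):
    """Findings per family, most serious family first."""
    counts = Counter(f.family for f in findings)
    return dict(sorted(counts.items(), key=lambda kv: -SEVERITY.get(kv[0], 1)))
```

On the full report above, `failed_cleanings` is the list to compare against the next HijackThis log: a file that could not be cleaned while running is the one to check for in the process list after the reboot.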

#4 lazyvista


Posted 26 September 2006 - 07:01 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:49:36 PM, on 9/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\sfmprint.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\ms059392315460.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Pictures\HijackThis.exe

R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series/DADS2800/Session 1] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P49 "EPSON Stylus Photo R300 Series/DADS2800/Session 1" /O5 "TS001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [__dads2800_EPSON Stylus Photo R300 Series/OM2014L1/Session 1] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P60 "__dads2800_EPSON Stylus Photo R300 Series/OM2014L1/Session 1" /O5 "TS003" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [defender] C:\\dfndrff_14.exe
O4 - HKLM\..\Run: [yklxnt] C:\WINNT\system32\yshgnv.exe reg_run
O4 - HKLM\..\Run: [nvy9a8f4] RUNDLL32.EXE w5b203fe.dll,n 0039a8f1000000035b203fe
O4 - HKLM\..\Run: [newname] c:\\nwnmff_14.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\yshgnv.exe reg_run
O4 - HKLM\..\Run: [ms059392315460] C:\WINNT\ms059392315460.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{029F10C6-FC13-403E-AFC5-08C73647BF8C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{029F10C6-FC13-403E-AFC5-08C73647BF8C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{029F10C6-FC13-403E-AFC5-08C73647BF8C}: NameServer = 192.168.1.1
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINNT\system32\xeymi.dll
O23 - Service: Apache - Unknown owner - E:\RECYCLER\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Security Updates Manager (secupdates) - Unknown owner - C:\WINNT\system32\w32svc.exe (file missing)

#5 Danny_


Posted 27 September 2006 - 04:41 PM

Hi,

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply as well as a new HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Danny

#6 lazyvista


Posted 27 September 2006 - 08:20 PM

Administrator - Wed 09/27/2006 17:52:49.36 Service Pack 4
ComboFix 06.09.27 - Running from: "C:\Documents and Settings\Administrator\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *
O4 - HKLM\...\Run C:\WINNT\system32\yshgnv.exe
O4 - HKLM\...\Run C:\WINNT\system32\yshgnv.exe

* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *
06-09-24 05:23 127488 yshgnv.exe.qoo
06-08-28 20:49 53 vlpoce.dat.qoo
DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\9UFFYVES\drsmartload849a[3].exe
C:\WINNT\system32\tsuninst.exe
C:\WINNT\uninstall_nmon.vbs
C:\Documents and Settings\Default User\Application Data\NetMon
C:\Program Files\batty2
C:\Program Files\cmfibula
C:\Program Files\Deskbar
C:\Program Files\PSLister
C:\Program Files\Common Files\{5C278563-035F-1033-0226-010928190001}

((((((((((((((((((((((((((((((( Files Created from 2006-08-27 to 2006-09-27 ))))))))))))))))))))))))))))))))))
2006-09-23 14:25 163,840 --a------ C:\WINNT\ms059392315460.exe
2006-08-28 20:37 25 --a------ C:\WINNT\ms0639231546092006.exe
2006-08-27 03:56 1,233 --a------ C:\WINNT\system32\nvy9a8f4.sys
2006-08-27 03:55 602 --a------ C:\WINNT\xoone.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-09-27 17:54 -------- d-a------ C:\Program Files\Common Files
2006-09-25 15:20 -------- d-a------ C:\Program Files\ewido anti-spyware 4.0
2006-09-24 05:19 -------- d-------- C:\Program Files\Cmak
2006-08-27 15:25 -------- d-------- C:\Program Files\SEARCHESSISTANT Toolbar
2006-08-27 15:17 -------- d-------- C:\Program Files\Microsoft Script Debugger
2006-08-27 04:01 -------- d-------- C:\Program Files\Outlook Express
2006-08-27 04:01 -------- d-------- C:\Program Files\Common Files\System
2006-08-27 04:01 -------- d-------- C:\Program Files\Common Files\Services
2006-07-31 11:07 -------- d-------- C:\Program Files\Lavasoft
2006-07-31 11:07 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R300 Series/DADS2800/Session 1"="C:\\WINNT\\system32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2F1.EXE /P49 \"EPSON Stylus Photo R300 Series/DADS2800/Session 1\" /O5 \"TS001\" /M \"Stylus Photo R300\""
"__dads2800_EPSON Stylus Photo R300 Series/OM2014L1/Session 1"="C:\\WINNT\\system32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2F1.EXE /P60 \"__dads2800_EPSON Stylus Photo R300 Series/OM2014L1/Session 1\" /O5 \"TS003\" /M \"Stylus Photo R300\""
"nvy9a8f4"="RUNDLL32.EXE w5b203fe.dll,n 0039a8f1000000035b203fe"
"ms059392315460"="C:\\WINNT\\ms059392315460.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00002002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
  00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"oiro"="C:\\PROGRA~1\\COMMON~1\\oiro\\oirom.exe"
"uhsyo"="C:\\WINNT\\system32\\yshgnv.exe reg_run"
"PSLister"="\"C:\\Program Files\\PSLister\\PSLister.exe\""
"CMFibula"="\"C:\\Program Files\\CMFibula\\CMFibula.exe\""

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"^SetupICWDesktop"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"disablecad"=dword:00000000
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"ShowSuperHidden"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{5C278563-035F-1033-0226-010928190001}"="\"C:\\Program Files\\Common Files\\{5C278563-035F-1033-0226-010928190001}\\Update.exe\" mc-110-12-0000907"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

~ ~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
backup-20060828-221015-731 O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_14.exe

Completion time: Wed 2006-09-27 18:06:45.98
ComboFix.txt

#7 lazyvista


Posted 27 September 2006 - 08:21 PM

Logfile of HijackThis v1.99.1
Scan saved at 9:06:06 PM, on 9/27/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\sfmprint.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\ms059392315460.exe
C:\WINNT\Duce6.exe
E:\Pictures\HijackThis.exe

R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series/DADS2800/Session 1] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P49 "EPSON Stylus Photo R300 Series/DADS2800/Session 1" /O5 "TS001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [__dads2800_EPSON Stylus Photo R300 Series/OM2014L1/Session 1] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P60 "__dads2800_EPSON Stylus Photo R300 Series/OM2014L1/Session 1" /O5 "TS003" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [nvy9a8f4] RUNDLL32.EXE w5b203fe.dll,n 0039a8f1000000035b203fe
O4 - HKLM\..\Run: [ms059392315460] C:\WINNT\ms059392315460.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\Duce6.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{029F10C6-FC13-403E-AFC5-08C73647BF8C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{029F10C6-FC13-403E-AFC5-08C73647BF8C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{029F10C6-FC13-403E-AFC5-08C73647BF8C}: NameServer = 192.168.1.1
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - (no file)
O23 - Service: Apache - Unknown owner - E:\RECYCLER\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Security Updates Manager (secupdates) - Unknown owner - C:\WINNT\system32\w32svc.exe (file missing)

#8 Danny_

Danny_

    Emeritus-The Malware Remover

  • Authentic Member
  • PipPipPipPipPip
  • 1,323 posts

Posted 28 September 2006 - 08:23 PM

Hi,

Please find HijackThis.exe and RENAME it to HJT.exe.

Post a new log with HJT.exe.

Danny
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how!

Proud member of ASAP since 2005

#9 lazyvista

lazyvista

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 30 September 2006 - 11:02 AM

Logfile of HijackThis v1.99.1
Scan saved at 11:48:54 AM, on 9/30/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\sfmprint.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Duce6.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\taskmgr.exe
C:\Documents and Settings\Administrator\Desktop\Hijackthis\HJT.exe

R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series/DADS2800/Session 1] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P49 "EPSON Stylus Photo R300 Series/DADS2800/Session 1" /O5 "TS001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [__dads2800_EPSON Stylus Photo R300 Series/OM2014L1/Session 1] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P60 "__dads2800_EPSON Stylus Photo R300 Series/OM2014L1/Session 1" /O5 "TS003" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [nvy9a8f4] RUNDLL32.EXE w5b203fe.dll,n 0039a8f1000000035b203fe
O4 - HKLM\..\Run: [ms059392315460] C:\WINNT\ms059392315460.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\Duce6.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{029F10C6-FC13-403E-AFC5-08C73647BF8C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{029F10C6-FC13-403E-AFC5-08C73647BF8C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{029F10C6-FC13-403E-AFC5-08C73647BF8C}: NameServer = 192.168.1.1
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - (no file)
O23 - Service: Apache - Unknown owner - E:\RECYCLER\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Security Updates Manager (secupdates) - Unknown owner - C:\WINNT\system32\w32svc.exe (file missing)

#10 lazyvista

lazyvista

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 03 October 2006 - 06:27 AM

After reviewing several other responses for HijackThis logs, I ran ComboFix again. Here is a new HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 7:13:18 AM, on 10/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\sfmprint.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\Hijackthis\HJT.exe

R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series/DADS2800/Session 1] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P49 "EPSON Stylus Photo R300 Series/DADS2800/Session 1" /O5 "TS001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [__dads2800_EPSON Stylus Photo R300 Series/OM2014L1/Session 1] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P60 "__dads2800_EPSON Stylus Photo R300 Series/OM2014L1/Session 1" /O5 "TS003" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [nvy9a8f4] RUNDLL32.EXE w5b203fe.dll,n 0039a8f1000000035b203fe
O4 - HKLM\..\Run: [sys024609392315] C:\WINNT\sys024609392315.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{029F10C6-FC13-403E-AFC5-08C73647BF8C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{029F10C6-FC13-403E-AFC5-08C73647BF8C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{029F10C6-FC13-403E-AFC5-08C73647BF8C}: NameServer = 192.168.1.1
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - (no file)
O23 - Service: Apache - Unknown owner - E:\RECYCLER\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Security Updates Manager (secupdates) - Unknown owner - C:\WINNT\system32\w32svc.exe (file missing)

#11 Danny_

Danny_

    Emeritus-The Malware Remover

  • Authentic Member
  • PipPipPipPipPip
  • 1,323 posts

Posted 03 October 2006 - 07:04 PM

Hi,

Please reboot your computer in Safe Mode by doing the following:

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml



Open HijackThis, click the 'Scan' button, and check the following items:

R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [nvy9a8f4] RUNDLL32.EXE w5b203fe.dll,n 0039a8f1000000035b203fe
O4 - HKLM\..\Run: [sys024609392315] C:\WINNT\sys024609392315.exe
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - (no file)


Close all windows except HijackThis, and click the 'Fix Checked' button. Close HijackThis.

Locate and delete the following file:

C:\WINNT\sys024609392315.exe

Click "Start --> Search". Search for and delete the following file (make sure "Search for hidden files" is enabled!):

w5b203fe.dll

Reboot, and when in normal mode, please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post, as well as a new HijackThis log.
Danny :)
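The entries Danny picks out above are the ones a helper spots by eye: references to files that no longer exist, a Run key launching a random-named DLL through RUNDLL32, a random-named executable sitting loose in C:\WINNT, a service registered from a RECYCLER folder, and a text/html filter with no backing file. The following is an added example, not part of the thread and not a HijackThis feature, that applies those same checks to a pasted log. It assumes the log has one entry per line (as HijackThis writes it; the pastes above were run together by the forum). The sample entries are copied from the logs in this thread; the heuristics and names (`triage`, `looks_random`, `Finding`) are my own and are deliberately crude, so every hit still needs a human look.

```python
"""Triage helper for HijackThis v1.99.1 logs (added example, not a HijackThis feature).

Parses one-entry-per-line HJT output and applies a few of the checks a
malware-removal helper applies by eye: dangling references, Run-key entries
that launch random-looking executables from the Windows root or bare DLLs
via RUNDLL32, services registered from odd locations, a text/html MIME
filter, and non-private DNS servers in O17 entries. Heuristic only.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: entries copied from the logs posted in this thread,
# one entry per line as HijackThis itself writes them.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series/DADS2800/Session 1] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P49 "EPSON Stylus Photo R300 Series/DADS2800/Session 1" /O5 "TS001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [nvy9a8f4] RUNDLL32.EXE w5b203fe.dll,n 0039a8f1000000035b203fe
O4 - HKLM\..\Run: [sys024609392315] C:\WINNT\sys024609392315.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{029F10C6-FC13-403E-AFC5-08C73647BF8C}: NameServer = 192.168.1.1
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - (no file)
O23 - Service: Apache - Unknown owner - E:\RECYCLER\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Security Updates Manager (secupdates) - Unknown owner - C:\WINNT\system32\w32svc.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# An .exe directly in the Windows directory, with no further subdirectory.
WINROOT_EXE_RE = re.compile(r"^[A-Z]:\\(?:WINNT|WINDOWS)\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    entry: str
    reasons: list = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Crude generated-name test: letters mixed with three or more digits.

    On its own this also matches some vendor driver names (E_S4I2F1.EXE),
    so callers combine it with a location check rather than using it alone.
    """
    stem = name.rsplit(".", 1)[0]
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return len(stem) >= 6 and digits >= 3 and letters >= 1


def first_token(cmd: str) -> str:
    """First command-line token, honouring a leading double-quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_o4(body: str, f: Finding) -> None:
    m = O4_RE.match(body)
    if not m:
        return
    cmd = m.group("cmd")
    exe = first_token(cmd)
    rest = cmd[len(exe):].strip().strip('"').strip()
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        # RUNDLL32 <dll>,<entry> ...: a DLL given without a directory is found
        # through the search path, which is how loader-style adware hides.
        dll = rest.split(",", 1)[0].split(" ", 1)[0]
        if "\\" not in dll and looks_random(dll):
            f.reasons.append(f"RUNDLL32 loads path-less random-looking DLL {dll}")
    elif WINROOT_EXE_RE.match(exe) and looks_random(exe.rsplit("\\", 1)[-1]):
        # Legitimate Run entries live under Program Files or system32, not as
        # loose generated-name executables in the Windows directory itself.
        f.reasons.append(f"random-looking executable in Windows root: {exe}")


def check_o17(body: str, f: Finding) -> None:
    if "NameServer = " not in body:
        return
    for ip in body.split("NameServer = ", 1)[1].replace(",", " ").split():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        # A home box normally points at its router; anything public deserves
        # a look (it may be a legitimate resolver, or a DNS hijack).
        if not addr.is_private:
            f.reasons.append(f"DNS server outside private ranges: {ip}")


def check_o23(body: str, f: Finding) -> None:
    if "RECYCLER" in body.upper():
        f.reasons.append("service binary under a RECYCLER folder")
    if "Unknown owner" in body and "(file missing)" in body:
        f.reasons.append("unowned service whose binary is gone")


def triage(log_text: str) -> list:
    """Return one Finding per entry that trips at least one heuristic."""
    findings = []
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines and the process list carry no section tag
        section, body = m.group("section"), m.group("body")
        f = Finding(section, line.strip())
        if "(no file)" in body or "(file missing)" in body:
            f.reasons.append("dangling reference to a file that no longer exists")
        if section == "O4":
            check_o4(body, f)
        elif section == "O17":
            check_o17(body, f)
        elif section == "O18" and "text/html" in body:
            # A text/html MIME filter sits in front of every page IE renders.
            f.reasons.append("MIME filter on text/html")
        elif section == "O23":
            check_o23(body, f)
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit.section}] {hit.entry[:72]}")
        for r in hit.reasons:
            print("    -", r)
```

Run against the sample it reports the same six entries Danny asked to have fixed or deleted (both dangling O23 services included) and stays quiet on the Epson spooler entries, dmadmin and the router DNS server. The location check is what keeps the Epson driver, whose file name also looks generated, off the list; a name test alone would not.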
