am i infected?


shayahakohen

Logfile of HijackThis v1.99.1
Scan saved at 1:29:05 PM, on 12/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\MMAYBL~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hpB6AD.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SupportAnyPC] "C:\DOCUME~1\MMAYBL~1\LOCALS~1\Temp\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [alij] C:\WINDOWS\system32\run616.exe dummy
O4 - HKLM\..\Run: [d3hh.exe] C:\WINDOWS\d3hh.exe
O4 - HKLM\..\Run: [12B.tmp] C:\DOCUME~1\MMAYBL~1\LOCALS~1\Temp\12B.tmp.exe
O4 - HKLM\..\Run: [12B.tmp.exe] C:\DOCUME~1\MMAYBL~1\LOCALS~1\Temp\12B.tmp.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135021348\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = euf.local
O17 - HKLM\Software\..\Telephony: DomainName = euf.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED05C39E-EFB4-4EB0-B283-F84C2B1DD2E6}: NameServer = 192.168.12.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = euf.local
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ipqu.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
 
Move HijackThis into a folder by itself on the C drive.

It looks like you may have several viruses or trojans.

Download the following programs:
Ewido Security Suite
Spybot Search & Destroy
Ad-Aware SE Personal

Update all definitions and run them. Quarantine/delete the items they find.


Download and install these antivirus programs. If you already have an antivirus, disable it while you install and run these programs.
AVG Anti-Virus
Stinger (stand-alone virus scanner)

After you install them, run Stinger first. Then update and run AVG.

After all tasks are performed, rerun HijackThis and post a fresh log. Wait for Microbell to analyze it.
 
I just removed SpyAxe using smitrem; I think I am fine concerning that. It doesn't seem there is anything else that is that serious.
 
shayahakohen said:
I just removed SpyAxe using smitrem; I think I am fine concerning that. It doesn't seem there is anything else that is that serious.

That would be an incorrect assumption. You have a CoolWebSearch hijacker, Alcan B worm, and several trojans running in your last log.

Post another log so we can see what's left.
 
Logfile of HijackThis v1.99.1
Scan saved at 3:03:09 PM, on 12/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$SIMPLEREMOTE\Binn\sqlservr.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\PROGRA~1\P2PNET~1\P2PNET~1.EXE
C:\Program Files\Common Files\AOL\1135021348\ee\AOLSoftware.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\mmaybloom\Desktop\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SupportAnyPC] "C:\DOCUME~1\MMAYBL~1\LOCALS~1\Temp\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [alij] C:\WINDOWS\system32\run616.exe dummy
O4 - HKLM\..\Run: [d3hh.exe] C:\WINDOWS\d3hh.exe
O4 - HKLM\..\Run: [12B.tmp] C:\DOCUME~1\MMAYBL~1\LOCALS~1\Temp\12B.tmp.exe
O4 - HKLM\..\Run: [12B.tmp.exe] C:\DOCUME~1\MMAYBL~1\LOCALS~1\Temp\12B.tmp.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135021348\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = euf.local
O17 - HKLM\Software\..\Telephony: DomainName = euf.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED05C39E-EFB4-4EB0-B283-F84C2B1DD2E6}: NameServer = 192.168.12.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = euf.local
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ipqu.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
 
I ran CWS Shredder and did a fix; while it was going it gave me a blue screen. I had gotten that before. Is there another way of removing CWS, other than using Trend Micro? I did a scan only and found CWS.HomeSearch.
 
Hi and Welcome to TF

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

Also make sure you are using the latest version (1.99.1) of HijackThis and that it's installed in its own folder on the root drive (C:\HJT).

Please go to at least two of these sites and run an online Virus Scan.
Be sure to have the AutoFix box(s) checked if the site has that option.

http://housecall.trendmicro.com/
http://www3.ca.com/virusinfo/virusscan.aspx
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.bitdefender.com/scan/license.php
http://us.mcafee.com/root/mfs/default.asp
http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure System Restore is enabled by right-clicking on My Computer and going to Properties->System Restore; find the box for "Turn OFF System Restore" and make sure it's NOT checked. We want System Restore ON and monitoring your current hard drive. Once you're clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Download and install Cleanup but DO NOT run it yet!

Download, install, and update Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

Download and unzip BFUzip from http://www.merijn.org/files/bfu.zip
Run the program and click the Web button as shown here:
[image: BFUonlinescript.jpg]


Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/p2pnetwork.bfu

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html


Once that script has run...continue with the instructions below.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SupportAnyPC] "C:\DOCUME~1\MMAYBL~1\LOCALS~1\Temp\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [alij] C:\WINDOWS\system32\run616.exe dummy
O4 - HKLM\..\Run: [d3hh.exe] C:\WINDOWS\d3hh.exe
O4 - HKLM\..\Run: [12B.tmp] C:\DOCUME~1\MMAYBL~1\LOCALS~1\Temp\12B.tmp.exe
O4 - HKLM\..\Run: [12B.tmp.exe] C:\DOCUME~1\MMAYBL~1\LOCALS~1\Temp\12B.tmp.exe
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ipqu.exe (file missing)


Delete the following files/folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory. (If you can't find them, do a search for them; make sure you have searching of hidden files, folders, subdirectories etc. enabled if it applies to your OS.)

C:\Program Files\p2pnetworks\mpp2pl.exe
C:\WINDOWS\system32\run616.exe
C:\WINDOWS\d3hh.exe
C:\WINDOWS\ipqu.exe



Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido

Reboot back to normal mode....

Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
    • Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
    • Click on see report. Then click Save report

Please post that log in your next reply along with the Ewido log and a new hijackthis log.
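As an added example (not HijackThis code and not part of the helper's checklist), the Python below turns the reasoning behind the "check and fix" list into a small triage pass over O4/O18/O23 lines: autoruns launched from a Temp directory, loose executables in the Windows directory, double extensions, one binary registered under two Run names, MIME filters with no CLSID, and a service whose binary is missing and whose name is garbage. The sample lines are copied from the second log in this thread; the rules and thresholds are this example's own and only catch the structurally odd entries, not the ones the helper recognized by product (MediaPipe, the InstallShield updater).

```python
"""Heuristic triage of HijackThis O4/O18/O23 entries (added example, not HijackThis code)."""
import re
from collections import Counter
from typing import List, Optional, Tuple

# Constructed sample: a subset of the O4/O18/O23 lines from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SupportAnyPC] "C:\DOCUME~1\MMAYBL~1\LOCALS~1\Temp\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [alij] C:\WINDOWS\system32\run616.exe dummy
O4 - HKLM\..\Run: [d3hh.exe] C:\WINDOWS\d3hh.exe
O4 - HKLM\..\Run: [12B.tmp] C:\DOCUME~1\MMAYBL~1\LOCALS~1\Temp\12B.tmp.exe
O4 - HKLM\..\Run: [12B.tmp.exe] C:\DOCUME~1\MMAYBL~1\LOCALS~1\Temp\12B.tmp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ipqu.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O18_RE = re.compile(r"^O18 - Filter: (?P<mime>\S+) - (?P<clsid>.+?) - (?P<file>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First executable in a Run command, quoted or not; trailing arguments are dropped.
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|com|scr|pif|cpl|bat|vbs))"?(?=\s|$)', re.I)
# Heuristic (this example's own): short alphabetic stem plus numeric suffix, e.g. run616.exe.
RANDOMISH_RE = re.compile(r"[a-z]{2,5}\d{2,4}\.exe")


def run_executable(cmd: str) -> Optional[str]:
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else None


def o4_reasons(path: str, dup_count: int) -> List[str]:
    low = path.lower()
    parent, _, base = low.rpartition("\\")
    reasons = []
    if "\\temp\\" in low:
        reasons.append("autorun entry launches from a temporary directory")
    if parent.endswith("\\windows"):
        reasons.append("executable sits directly in the Windows directory, not a subfolder")
    if base.count(".") >= 2:
        reasons.append("double file extension (%s)" % base)
    if RANDOMISH_RE.fullmatch(base):
        reasons.append("random-looking name with numeric suffix")
    if dup_count > 1:
        reasons.append("same executable registered under %d Run names" % dup_count)
    return reasons


def o18_reasons(clsid: str, file: str) -> List[str]:
    if clsid.lower() == "(no clsid)" or file.lower() == "(no file)":
        return ["MIME filter registered with no handler; leftover of a page hijacker"]
    return []


def o23_reasons(display: str, owner: str, path: str) -> List[str]:
    reasons = []
    if "(file missing)" in path.lower():
        reasons.append("service binary is missing from disk")
        if owner.lower() == "unknown owner":
            reasons.append("no publisher on an orphaned service")
    if any(not (32 <= ord(c) < 127) for c in display):
        reasons.append("non-ASCII/control characters in the service name")
    return reasons


def triage(log: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for each suspicious O4/O18/O23 entry in a HijackThis log."""
    lines = [ln.rstrip() for ln in log.splitlines() if ln.strip()]
    # First pass: which executables are registered by more than one Run entry?
    o4_paths = []
    for ln in lines:
        m = O4_RE.match(ln)
        o4_paths.append(run_executable(m.group("cmd")) if m else None)
    dup = Counter(p.lower() for p in o4_paths if p)

    findings = []
    for ln, path in zip(lines, o4_paths):
        reasons: List[str] = []
        if O4_RE.match(ln):
            reasons = o4_reasons(path, dup[path.lower()]) if path else ["Run command without a recognizable executable"]
        elif O18_RE.match(ln):
            m = O18_RE.match(ln)
            reasons = o18_reasons(m.group("clsid"), m.group("file"))
        elif O23_RE.match(ln):
            m = O23_RE.match(ln)
            reasons = o23_reasons(m.group("display"), m.group("owner"), m.group("path"))
        if reasons:
            findings.append((ln, reasons))
    return findings


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG):
        print(line)
        for r in why:
            print("    -", r)
```

Entries the pass leaves alone (Apoint, ctfmon, Rtvscan) are exactly the ones the helper also left alone, but a clean result from heuristics like these is never proof of a clean machine.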
 
Here are all the scans I saved after following all your instructions.



PANDA SCAN
___________
Incident Status Location

Adware:adware/antivirus-gold Not disinfected Windows Registry
Virus:W32/Bagle.AB.worm Not disinfected Archive Folders\Deleted Items\Re: Thanks :)\Readme.vbs
Virus:W32/Bagle.BK.worm Not disinfected Archive Folders\Deleted Items\Delivery service mail\zupd02.cpl
Virus:W32/Bagle.BK.worm Not disinfected Archive Folders\Deleted Items\Delivery by mail\siupd02.cpl
Virus:W32/Bagle.BK.worm Not disinfected Archive Folders\Deleted Items\Is delivered mail\Jol03.cpl
Virus:W32/Bagle.BL.worm Not disinfected Archive Folders\Deleted Items\Delivery service mail\wsd01.com
Virus:W32/Bagle.BL.worm Not disinfected Archive Folders\Deleted Items\Delivery by mail\wsd01.com
Virus:W32/Bagle.BL.worm Not disinfected Archive Folders\Deleted Items\You are made active\viupd02.com
Virus:W32/Bagle.BL.worm Not disinfected Archive Folders\Deleted Items\Registration is accepted\viupd02.com
Virus:W32/Bagle.BL.worm Not disinfected Archive Folders\Deleted Items\Delivery service mail\guupd02.scr
Virus:W32/Bagle.BK.worm Not disinfected Archive Folders\Deleted Items\Registration is accepted\viupd02.cpl
Virus:W32/Bagle.BL.worm Not disinfected Archive Folders\Deleted Items\Is delivered mail\siupd02.exe
Virus:W32/Bagle.BL.worm Not disinfected Archive Folders\Deleted Items\Delivery by mail\viupd02.exe
Virus:W32/Bagle.BK.worm Not disinfected Archive Folders\Deleted Items\You are made active\guupd02.cpl
Virus:W32/Bagle.BK.worm Not disinfected Archive Folders\Deleted Items\You are made active\viupd02.cpl
Virus:W32/Netsky.D.worm Not disinfected Personal Folders\Deleted Items\Re: Your software\application.pif
Virus:W32/Netsky.D.worm Not disinfected Personal Folders\Deleted Items\Re: Re: Message\message_details.pif
Virus:W32/Netsky.D.worm Not disinfected Personal Folders\Deleted Items\Re: Your bill\your_bill.pif
Virus:W32/Netsky.D.worm Not disinfected Personal Folders\Deleted Items\Re: Excel file\document_excel.pif
Virus:W32/Sober.M.worm Not disinfected Personal Folders\Deleted Items\Alert! New Sober Worm!\patch_help-text.zip[doc_data-text.txt .pif]
Virus:W32/Netsky.D.worm Not disinfected Personal Folders\Deleted Items\Re: Your website\your_website.pif
Virus:W32/Netsky.D.worm Not disinfected Personal Folders\Deleted Items\Re: Hi\your_file.pif
Virus:W32/Sober.M.worm Not disinfected Personal Folders\Deleted Items\Mail_delivery_failed\header_text.zip[doc_data-text.txt .pif]
Virus:W32/Sober.M.worm Not disinfected Personal Folders\Deleted Items\Your new Password\text.zip[doc_data-text.txt .pif]
Virus:W32/Sober.M.worm Not disinfected Personal Folders\Deleted Items\You visit illegal websites\indictment_cit9458.zip[doc_data-text.txt .pif]
Virus:W32/Netsky.P.worm Not disinfected Personal Folders\Deleted Items\Re: Delivery Protection\details_mmaybloom.zip[data.rtf .scr]
Virus:W32/Mytob.CX.worm Not disinfected Personal Folders\Deleted Items\bahwy\isa.zip[isa.doc .scr]
Virus:W32/Mytob.CX.worm Not disinfected Personal Folders\Deleted Items\Email Account Suspension\IMPORTANT.pif
Virus:W32/Sober.Y.worm Not disinfected Personal Folders\Deleted Items\Your new Password\pword_change.zip[PW_Klass.Pic.packed-bitmap.exe]
Virus:W32/Sober.AA.worm Not disinfected Personal Folders\Deleted Items\your email\excel_table.zip[Exceltab-packed_List.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:Trj/Mitglieder.GK Not disinfected Personal Folders\Deleted Items\Undelivered Mail Returned to Sender\Nycholas\John.zip[DSC00017.exe]
Virus:W32/Mytob.FK.worm Not disinfected Personal Folders\Inbox\Demo Downloads\Your new account password is approved\email-password.zip[email-password.txt .exe]
Virus:W32/Mytob.EZ.worm Not disinfected Personal Folders\Inbox\Demo Downloads\[Norton AntiSpam] *DETECTED* Online User Violation\document.zip[document.htm .pif]
Virus:W32/Bagle.BE.worm Not disinfected Personal Folders\Inbox\Mail Errors\Undelivered Mail Returned to Sender\Re: Thank you!\Joke.com
Virus:W32/Netsky.P.worm Not disinfected Personal Folders\Inbox\Mail Errors\Mail Delivery (failure demo@simpleremote.com)\message.scr
Virus:W32/Netsky.D.worm Not disinfected Personal Folders\Inbox\Mail Errors\Undelivered Mail Returned to Sender\Re: Word file\document_word.pif
Virus:W32/Mytob.FK.worm Not disinfected Personal Folders\Sent Items\FW: *DETECTED* Online User Violation\important-details.zip[important-details.htm .exe]
Virus:W32/Mytob.FK.worm Not disinfected Personal Folders\Sent Items\FW: Your password has been successfully updated\password.zip[password.txt .exe]
Virus:W32/Mytob.FK.worm Not disinfected Personal Folders\Sent Items\FW: Your Account is Suspended For Security Reasons\important-details.zip[important-details.txt .exe]
Virus:W32/Mytob.FK.worm Not disinfected Personal Folders\Junk E-mail\*DETECTED* Online User Violation\important-details.zip[important-details.htm .exe]
Virus:W32/Mytob.FK.worm Not disinfected Personal Folders\Junk E-mail\Xrxzmvbtlphhbck\important-details.zip[important-details.doc .exe]
Virus:W32/Mytob.FK.worm Not disinfected Personal Folders\Junk E-mail\*DETECTED* Online User Violation\important-details.zip[important-details.htm .pif]
Virus:W32/Mytob.FK.worm Not disinfected Personal Folders\Junk E-mail\Your Account is Suspended For Security Reasons\account-report.zip[account-report.txt .pif]
Virus:W32/Mytob.FK.worm Not disinfected Personal Folders\Junk E-mail\Warning Message: Your services near to be closed.\important-details.zip[important-details.htm .pif]
Virus:W32/Mytob.FK.worm Not disinfected Personal Folders\Junk E-mail\You have successfully updated your password\email-password.zip[email-password.doc .pif]
Virus:W32/Mytob.FK.worm Not disinfected Personal Folders\Junk E-mail\Your password has been successfully updated\lobfyxm.zip[lobfyxm.htm .pif]
Virus:W32/Mytob.FK.worm Not disinfected Personal Folders\Junk E-mail\Warning Message: Your services near to be closed.\yqvhqvy.zip[yqvhqvy.doc .exe]
Virus:W32/Mytob.FK.worm Not disinfected Personal Folders\Junk E-mail\Your Account is Suspended For Security Reasons\important-details.zip[important-details.doc .exe]
Virus:W32/Mytob.FK.worm Not disinfected Personal Folders\Junk E-mail\Warning Message: Your services near to be closed.\account-report.zip[account-report.txt .scr]
Virus:W32/Mytob.FK.worm Not disinfected Personal Folders\Junk E-mail\Warning Message: Your services near to be closed.\alpyawy.zip[alpyawy.htm .scr]
Virus:W32/Mytob.FK.worm Not disinfected Personal Folders\Junk E-mail\You have successfully updated your password\updated-password.zip[updated-password.htm .exe]
Virus:W32/Mytob.FK.worm Not disinfected Personal Folders\Junk E-mail\Important Notification\account-report.zip[account-report.txt .pif]
Virus:W32/Mytob.FK.worm Not disinfected Personal Folders\Junk E-mail\Your password has been successfully updated\exrcuqy.zip[exrcuqy.htm .scr]
Virus:W32/Mytob.FK.worm Not disinfected Personal Folders\Junk E-mail\Members Support\account-report.zip[account-report.txt .scr]
Virus:W32/Mytob.FK.worm Not disinfected Personal Folders\Junk E-mail\Your password has been successfully updated\approved-password.zip[approved-password.htm .exe]
Virus:W32/Mytob.FK.worm Not disinfected Personal Folders\Junk E-mail\Members Support\important-details.zip[important-details.txt .scr]
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\per.exe
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\upd284.exe
Virus:W32/Bagle.AB.worm Not disinfected Archive Folders\Deleted Items\Re: Thanks :)\Readme.vbs
Virus:W32/Bagle.BK.worm Not disinfected Archive Folders\Deleted Items\Delivery service mail\zupd02.cpl
Virus:W32/Bagle.BK.worm Not disinfected Archive Folders\Deleted Items\Delivery by mail\siupd02.cpl
Virus:W32/Bagle.BK.worm Not disinfected Archive Folders\Deleted Items\Is delivered mail\Jol03.cpl
Virus:W32/Bagle.BL.worm Not disinfected Archive Folders\Deleted Items\Delivery service mail\wsd01.com
Virus:W32/Bagle.BL.worm Not disinfected Archive Folders\Deleted Items\Delivery by mail\wsd01.com
Virus:W32/Bagle.BL.worm Not disinfected Archive Folders\Deleted Items\You are made active\viupd02.com
Virus:W32/Bagle.BL.worm Not disinfected Archive Folders\Deleted Items\Registration is accepted\viupd02.com
Virus:W32/Bagle.BL.worm Not disinfected Archive Folders\Deleted Items\Delivery service mail\guupd02.scr
Virus:W32/Bagle.BK.worm Not disinfected Archive Folders\Deleted Items\Registration is accepted\viupd02.cpl
Virus:W32/Bagle.BL.worm Not disinfected Archive Folders\Deleted Items\Is delivered mail\siupd02.exe
Virus:W32/Bagle.BL.worm Not disinfected Archive Folders\Deleted Items\Delivery by mail\viupd02.exe
Virus:W32/Bagle.BK.worm Not disinfected Archive Folders\Deleted Items\You are made active\guupd02.cpl
Virus:W32/Bagle.BK.worm Not disinfected Archive Folders\Deleted Items\You are made active\viupd02.cpl
Virus:W32/Netsky.D.worm Not disinfected Personal Folders\Deleted Items\Re: Your software\application.pif
Virus:W32/Netsky.D.worm Not disinfected Personal Folders\Deleted Items\Re: Re: Message\message_details.pif
Virus:W32/Netsky.D.worm Not disinfected Personal Folders\Deleted Items\Re: Your bill\your_bill.pif
Virus:W32/Netsky.D.worm Not disinfected Personal Folders\Deleted Items\Re: Excel file\document_excel.pif
Virus:W32/Sober.M.worm Not disinfected Personal Folders\Deleted Items\Alert! New Sober Worm!\patch_help-text.zip[doc_data-text.txt .pif]
Virus:W32/Netsky.D.worm Not disinfected Personal Folders\Deleted Items\Re: Your website\your_website.pif
Virus:W32/Netsky.D.worm Not disinfected Personal Folders\Deleted Items\Re: Hi\your_file.pif
Virus:W32/Sober.M.worm Not disinfected Personal Folders\Deleted Items\Mail_delivery_failed\header_text.zip[doc_data-text.txt .pif]
Virus:W32/Sober.M.worm Not disinfected Personal Folders\Deleted Items\Your new Password\text.zip[doc_data-text.txt .pif]
Virus:W32/Sober.M.worm Not disinfected Personal Folders\Deleted Items\You visit illegal websites\indictment_cit9458.zip[doc_data-text.txt .pif]
Virus:W32/Netsky.P.worm Not disinfected Personal Folders\Deleted Items\Re: Delivery Protection\details_mmaybloom.zip[data.rtf .scr]
Virus:W32/Mytob.CX.worm Not disinfected Personal Folders\Deleted Items\bahwy\isa.zip[isa.doc .scr]
Virus:W32/Mytob.CX.worm Not disinfected Personal Folders\Deleted Items\Email Account Suspension\IMPORTANT.pif
Virus:W32/Sober.Y.worm Not disinfected Personal Folders\Deleted Items\Your new Password\pword_change.zip[PW_Klass.Pic.packed-bitmap.exe]
Virus:W32/Sober.AA.worm Not disinfected Personal Folders\Deleted Items\your email\excel_table.zip[Exceltab-packed_List.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:Trj/Mitglieder.GK Not disinfected Personal Folders\Deleted Items\Undelivered Mail Returned to Sender\Nycholas\John.zip[DSC00017.exe]
Virus:W32/Mytob.FK.worm Not disinfected Personal Folders\Inbox\Demo Downloads\Your new account password is approved\email-password.zip[email-password.txt .exe]
Virus:W32/Mytob.EZ.worm Not disinfected Personal Folders\Inbox\Demo Downloads\[Norton AntiSpam] *DETECTED* Online User Violation\document.zip[document.htm .pif]
Ewido
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:19:24 PM, 1/3/2006
+ Report-Checksum: D88FB5C7

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{4ABF050C-DD0D-52FF-DD7A-B315E8F9B10E} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{5DA6CA48-7D98-BC0B-40EF-22AC6558668A} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{5FFA6789-7ABE-BCB3-18BC-3EB6BE2C1706} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{75877E2E-FCC5-29D8-75DB-DF6BCC96E791} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EFFA5234-1603-4600-4D31-8FE60DB658FB} -> Spyware.CoolWebSearch : Cleaned with backup
C:\Program Files\MediaPipe\insdl.dll -> Spyware.MetaDirect : Cleaned with backup
C:\Program Files\MediaPipe\register.dll -> Spyware.MetaDirect : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\247C36F2-69AD-4E7A-9570-AFC9EB\F92BF33B-9B4F-4274-9EA8-59FCA7 -> Adware.Spyaxe : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\677670A8-892C-41CB-B21B-D2D8C4\9CEF20EA-56DD-467D-A990-F828DB -> Adware.Spyaxe : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\938F93EA-FE6B-4B01-8421-A16E8F\239FC8A2-3469-42A6-A0B1-A68D42 -> Adware.Spyaxe : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9E8AE170-E685-4BF9-A0D5-924674\84367DF6-35B8-443D-B548-7CF89C -> Adware.Spyaxe : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A0750E06-9671-4055-B8D0-2C11F2\317D42BD-0EB1-4D22-9828-DB9AFA -> Adware.Spyaxe : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\B1AD5E44-44C6-4482-ABB7-E19503\BF1D9042-3EA0-4E47-9A31-14C60F -> Adware.Spyaxe : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\D36C77FD-17EF-4A0D-A9E1-C16926\9DAC1FDA-0640-493E-8A2F-E88167 -> Adware.Spyaxe : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E14C91D0-F751-4E46-BD2E-41C83C\BEA64E51-8755-48E6-B316-CE41E0 -> Adware.Spyaxe : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\FA0C505A-0353-48A6-A224-E96762\0C2E4825-C20C-45F0-B459-7D9285 -> Adware.Spyaxe : Cleaned with backup
C:\Program Files\Symantec AntiVirus\SAVRT\0645NAV~.TMP -> Downloader.Small.bpz : Cleaned with backup
C:\WINDOWS\KB896688.log:rskhf -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\ldr138.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr157.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr160.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr168.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr197.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr206.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr316.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr319.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr329.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr342.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr371.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr399.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr461.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr492.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr508.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr549.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr56.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr604.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr689.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr736.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr760.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr825.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr856.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr906.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr924.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr983.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr990.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\t.exe -> Not-A-Virus.Hoax.Win32.Renos.al : Cleaned with backup
C:\WINDOWS\system32\ttttt.exe -> Downloader.Small.bpz : Cleaned with backup
C:\WINDOWS\system32\upd369.exe -> Dropper.Agent.ii : Cleaned with backup
C:\WINDOWS\system32\upd709.exe -> Downloader.Small.bpz : Cleaned with backup
C:\WINDOWS\system32\upd842.exe -> Dropper.Agent.ii : Cleaned with backup
C:\WINDOWS\system32\upd907.exe -> Dropper.Agent.ii : Cleaned with backup

::Report End

Logfile of HijackThis v1.99.1
Scan saved at 2:37:25 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp2ED.tmp (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SupportAnyPC] "C:\DOCUME~1\MMAYBL~1\LOCALS~1\Temp\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [alij] C:\WINDOWS\system32\run616.exe dummy
O4 - HKLM\..\Run: [d3hh.exe] C:\WINDOWS\d3hh.exe
O4 - HKLM\..\Run: [12B.tmp] C:\DOCUME~1\MMAYBL~1\LOCALS~1\Temp\12B.tmp.exe
O4 - HKLM\..\Run: [12B.tmp.exe] C:\DOCUME~1\MMAYBL~1\LOCALS~1\Temp\12B.tmp.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135021348\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [3F.tmp] C:\DOCUME~1\MMAYBL~1\LOCALS~1\Temp\3F.tmp.exe
O4 - HKLM\..\Run: [40.tmp] C:\DOCUME~1\MMAYBL~1\LOCALS~1\Temp\40.tmp.exe
O4 - HKLM\..\Run: [40.tmp.exe] C:\DOCUME~1\MMAYBL~1\LOCALS~1\Temp\40.tmp.exe
O4 - HKLM\..\Run: [3F.tmp.exe] C:\DOCUME~1\MMAYBL~1\LOCALS~1\Temp\3F.tmp.exe
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = euf.local
O17 - HKLM\Software\..\Telephony: DomainName = euf.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED05C39E-EFB4-4EB0-B283-F84C2B1DD2E6}: NameServer = 192.168.12.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = euf.local
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe