hijack log please help - Techist - Tech Forum

Old 03-16-2005, 02:53 PM   #1 (permalink)
Newb Techie
 
Join Date: Mar 2005
Posts: 33
Default hijack log please help

Logfile of HijackThis v1.99.1
Scan saved at 3:51:49 PM, on 3/16/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\system32\iebu.exe
C:\WINDOWS\isrvs\desktop.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\wwkyqk.exe
C:\WINDOWS\atlqf.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\system\dekwqxlx.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\Xhrmy.exe
C:\Program Files\AIM\aim.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMAN1.EXE
C:\PROGRA~1\EZULA\mmod.exe
C:\PROGRA~1\WEBOFF~1\wo.exe
c:\windows\system32\ttiftxxn.exe
c:\windows\system32\packager.exe
C:\WINDOWS\System32\wintask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50220
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sewam.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\sewam.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50220
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sewam.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sewam.dll/sp.html#11111
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50220
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
O2 - BHO: (no name) - {7299CF30-F233-3F46-2E8C-DD294195AEBE} - C:\WINDOWS\system32\wincu32.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [atlqf.exe] C:\WINDOWS\atlqf.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [ttiftxxn] c:\windows\system32\ttiftxxn.exe
O4 - HKLM\..\Run: [etbrun] c:\windows\system32\eliteoke32.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://cgi5.ebay.com/ws2/applet
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\xgvhgsuq.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.130/e9xr2.chm::/file.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100077838612
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0008.exe
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
O23 - Service: Workstation NetLogon Service ( 6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\ietx32.exe (file missing)
__________________
Findn_Nemo is offline  
Old 03-16-2005, 04:08 PM   #2 (permalink)
Ultra Techie
 
Join Date: Apr 2004
Posts: 617
Default

Hello and welcome to Tech forums

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

-

When we're done cleaning off your system, I'd recommend that you install all the critical Windows updates available from Microsoft, up to service pack 1. This will help to make your system more secure and prevent many 'problems' from reoccurring in the future.

===============

First, we'll need to download these program(s) to help us deal with the "About:Blank" infection:

-

Download, unzip to your desktop CWShredder and run it, then:

1. Click "Check For Update"

(If an update isn't available, skip to step #4.)

2. Click "Click here to Download the update".
3. When the new version has been downloaded, click "Save".
4. Exit the program.


-

Download, unzip to your desktop About:Buster and run it, then:

1. Click "Update".
2. Click "Check For Update"

(If no new version is available, skip to step #4.)

3. Click "Download Update", and wait for it to be installed.
4. Exit the program.


===============

Reboot your computer into "Safe Mode"

===============

Next, locate CWShredder that you downloaded earlier and run it, then:

1. Click "Fix ->"

===============

Next, locate About:Buster that you downloaded earlier and run it, then:

1. Click "Start".

(Wait for the initial ADS scan to complete.)

2. Click "Yes", to shutdown any IE session currently open.

(Wait for the about:blank scan to complete.)

3. Click "Ok", to scan once more.
4. Click "Yes", to shutdown any IE sessions currently open.
5. Click "Yes", to begin the second pass.

6. Click "Save log", and post this log back along with your new log.
7. Click "Exit".
8. Click "Exit".

===============

Reboot your computer normally.

===============

Let's look for, and delete, any program segments (prefetches) that might be present, and are associated with the 'problems' we're trying to remove from this system. To do this, let's:

1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:

PIB.exe*
iebu.exe*
wwkyqk.exe*
dekwqxlx.exe*

2) Then if any are found in the 'prefetch' folder, delete them.

Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

===============

Go to Add/Remove programs and remove (uninstall) the following, if present:

Desktop Search
EZula Toptext
Internet Optimizer
TSA
Web Offer
WinTools

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Next, Open a command prompt by:

1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).

-

Now, locate and 'stop' the following services, if present:

WebSeach Toolbar support NT service (TBPSSvc) owner ... (C:\PROGRA~1\Toolbar\TBPSSvc.exe)
WinTools for IE service (WinToolsSvc) owner ... (C:\Program Files\Common Files\WinTools\WToolsS.exe)

Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services.

===============

Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\WINDOWS\system32\iebu.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\System32\wwkyqk.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\system\dekwqxlx.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\PROGRA~1\EZULA\mmod.exe
c:\windows\system32\ttiftxxn.exe
C:\WINDOWS\System32\wintask.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u wincu32.dll
regsvr32 /u toolbar.dll

It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.

===============

Run HiJackThis and click "Scan", then check (tick) the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sewam.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\sewam.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sewam.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sewam.dll/sp.html#11111
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll

O2 - BHO: (no name) - {7299CF30-F233-3F46-2E8C-DD294195AEBE} - C:\WINDOWS\system32\wincu32.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [ttiftxxn] c:\windows\system32\ttiftxxn.exe
O4 - HKLM\..\Run: [etbrun] c:\windows\system32\eliteoke32.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\xgvhgsuq.exe
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0008.exe

O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

folders...

C:\PROGRA~1\Toolbar
C:\Program Files\Common Files\WinTools
C:\WINDOWS\isrvs
C:\Program Files\Internet Optimizer
C:\PROGRA~1\EZULA
C:\Program Files\SurfSideKick 2
C:\PROGRA~1\COMMON~1\WinTools
C:\PROGRA~1\COMMON~1\tsa
C:\PROGRA~1\Web Offer

files...

C:\WINDOWS\system32\iebu.exe
C:\WINDOWS\System32\wwkyqk.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\system\dekwqxlx.exe
c:\windows\system32\ttiftxxn.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\sewam.dll
C:\WINDOWS\system32\wincu32.dll
c:\windows\system32\eliteoke32.exe
C:\WINDOWS\System32\msmc.exe
C:\Program Files\Internet Explorer\xgvhgsuq.exe

Search for...

AUNPS2.DLL

...using "Start | Search...".

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

===============

Post back a new log, and let me know how everything goes.
__________________
AdAware | Spybot S&D 1.4 | spyware guard & spyware blaster |

How did I get infected in the first place By Tony Klein

If you use IE I suggest using these two programs IE Hosts & IE-SPYAD


Lobos is offline  
Old 03-16-2005, 10:21 PM   #3 (permalink)
Newb Techie
 
Join Date: Mar 2005
Posts: 33
Default

Thanks, you're a life saver ^-^
__________________
Findn_Nemo is offline  
Old 03-18-2005, 04:04 PM   #4 (permalink)
Ultra Techie
 
Join Date: Apr 2004
Posts: 617
Default

Can you post another log please?
Lobos is offline  
Old 05-20-2005, 05:39 AM   #5 (permalink)
Techie Beyond Description
 
 
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817
Default

Remove entries at your own risk


C:\PROGRA~1\Toolbar\TBPSSvc.exe This is a unknown process.

C:\Program Files\Common Files\WinTools\WToolsS.exe running process. (WToolsS.exe) This is a nasty process! You should fix it and try to delete it manually!

C:\PROGRA~1\Toolbar\TBPS.exe
Nasty running process. (TBPS.exe)
WebSearch toolbar, HuntBar parasite variant This is a nasty process! You should fix it and try to delete it manually!

C:\PROGRA~1\Toolbar\PIB.exe This is a nasty process! You should fix it and try to delete it manually!

C:\Program Files\Common Files\WinTools\WToolsA.exe
Nasty running process. (WToolsA.exe)
This is a nasty process! You should fix it and try to delete it manually!

C:\Program Files\Common Files\WinTools\WSup.exe This is a nasty process! You should fix it and try to delete it manually!

C:\WINDOWS\System32\wwkyqk.exe
Unknown running process. (wwkyqk.exe) This is a unknown process.

C:\WINDOWS\atlqf.exe This is a unknown process.

C:\WINDOWS\System32\winupdt.exe running process. (winupdt.exe)
Malware Prozess This is a nasty process! You should fix it and try to delete it manually!


C:\Program Files\Internet Optimizer\optimize.exe
Nasty running process. (optimize.exe)
Internet Optimizer Malware This is a nasty process! You should fix it and try to delete it manually!

C:\WINDOWS\Xhrmy.exe This is a nasty process! You should fix it and try to delete it manually!


C:\PROGRA~1\EZULA\mmod.exe
Nasty running process. (mmod.exe)
Ezula - regarded as spyware/theftware and bundled with the popular iMesh and KaZaA file-sharing programs. Read here for more information This is a nasty process! You should fix it and try to delete it manually!

C:\PROGRA~1\WEBOFF~1\wo.exe This is a nasty process! You should fix it and try to delete it manually!

c:\windows\system32\ttiftxxn.exe
Unknown running process. (ttiftxxn.exe)
This is a unknown process.

c:\windows\system32\packager.exe This is a unknown process.

C:\WINDOWS\System32\wintask.exe running process. (wintask.exe)
Added as a result of the NAVIDAD VIRUS! This is a nasty process! You should fix it and try to delete it manually!

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
Nasty This entry should be fixed by HijackThis!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50220
Nasty This entry should be fixed by HijackThis!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sewam.dll/sp.html#11111 This entry should be fixed by HijackThis!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\sewam.dll/sp.html#11111
Nasty This entry should be fixed by HijackThis! This entry should be fixed by HijackThis!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50220
Nasty This entry should be fixed by HijackThis! This entry should be fixed by HijackThis!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
Nasty This entry should be fixed by HijackThis! This entry should be fixed by HijackThis!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sewam.dll/sp.html#11111
Nasty This entry should be fixed by HijackThis! This entry should be fixed by HijackThis!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sewam.dll/sp.html#11111
Nasty This entry should be fixed by HijackThis!

R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll Should be fixed.

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
Nasty Entries found in this registry zone are potentially nasty. This application ([87766247-311C-43B4-8499-3D5FEC94A183] - Result: 87766247-311C-43B4-8499-3D5FEC94A183) has been checked. Hit rate: 99 % Must be fixed!

O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
Nasty Entries found in this registry zone are potentially nasty. This application ([8952A998-1E7E-4716-B23D-3DBE03910972] - Result: 8952A998-1E7E-4716-B23D-3DBE03910972) has been checked. Hit rate: 99 % Must be fixed!

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
Nasty Entries found in this registry zone are potentially nasty. This application ([339BB23F-A864-48C0-A59F-29EA915965EC] - Result: 339BB23F-A864-48C0-A59F-29EA915965EC) has been checked. If the name is made up of random letters, found in the folder 'Application Data' and the kind is 'Unknown' , it should be fixed. Hit rate: 99 % Must be fixed!

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
Nasty Trojan-Downloader.Win32.Ieser.a
Hit rate: 99 % (result) Must be fixed!
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50220
Nasty This entry should be fixed by HijackThis!

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
Nasty This entry should be fixed by HijackThis!

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q= This entry should be fixed by HijackThis!

O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
Nasty WinTools adware
Hit rate: 99 % (result) Must be fixed!
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
Nasty WebSearch toolbar, HuntBar parasite variant
Hit rate: 99 % (result) Must be fixed!
O4 - HKLM\..\Run: [atlqf.exe] C:\WINDOWS\atlqf.exe
Possibly nasty
Hit rate: 6 % (result) It seems that the name of this program is the same as the name of the file. In the most cases this is the result of trojans. To be sure, you should check this file.
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
Nasty Win32.Downloader.px
Hit rate: 99 % (result) Must be fixed!
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
Unknown
Hit rate: 9 % (result) Unknown application.
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
Nasty Internet connection optimizer. Malware.
Hit rate: 99 % (result) Must be fixed!
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
Unknown
Hit rate: -1 % (result) Unknown application.
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
Nasty SurfSideKick adware
Hit rate: 99 % (result) Must be fixed!
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
Unknown
Hit rate: 11 % (result) Unknown application.
O4 - HKLM\..\Run: [ttiftxxn] c:\windows\system32\ttiftxxn.exe
Unknown
Hit rate: 7 % (result) Unknown application.
O4 - HKLM\..\Run: [etbrun] c:\windows\system32\eliteoke32.exe
Unknown
Hit rate: 9 % (result) Unknown application.
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
Possibly nasty
Hit rate: 8 % (result) It seems that the name of this program is the same as the name of the file. In the most cases this is the result of trojans. To be sure, you should check this file.
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
Nasty Added by an unknown WORM or TROJAN!
Hit rate: 99 % (result) Must be fixed!
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
Unknown
Hit rate: -1 % (result) Unknown application.
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
Nasty WinTools adware
Hit rate: 99 % (result) Must be fixed!
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
Nasty WebSearch toolbar, HuntBar parasite variant
Hit rate: 99 % (result) Must be fixed!
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
Nasty SurfSideKick adware
Hit rate: 99 % (result) Must be fixed!
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
Unknown
Hit rate: 9 % (result) Unknown application.
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
Nasty Ezula Web Offer foistware
Hit rate: 99 % (result) Must be fixed!
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm


O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\xgvhgsuq.exe
Nasty This entry is possibly nasty. Should be fixed.

O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.130/e9xr2.chm::/file.exe


O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it. This service (WToolsS.exe) seems to be nasty.

O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe Unknown service. (TBPSSvc.exe)

O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0008.exe
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! Check if you know this site and fix it if you do not.

O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
Possibly nasty Only a few Hijackers are listed here. The most popular are 'cn' (CommonName) , 'ayb' (Lop.com) and 'relatedlinks' (Huntbar) . They should be fixed.

O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
__________________
Osiris is offline  
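
The checks that recur in the replies above (a Run value whose name is the same as its file name, a service with "Unknown owner", a service whose file is missing) can be applied to a saved log mechanically. The following is an added example, not part of any post in this thread and not HijackThis or analyzer code; the function names and flag labels are this example's own, and the sample lines are copied from the log posted above. It handles only O4 Run/RunOnce and O23 service lines.

```python
import ntpath
import re

# Sample input: lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7299CF30-F233-3F46-2E8C-DD294195AEBE} - C:\WINDOWS\system32\wincu32.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [atlqf.exe] C:\WINDOWS\atlqf.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
"""

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O4 body: hive\..\Run or RunOnce, value name in brackets, then the command line
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# Image path: either quoted, or everything up to the first executable extension
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|dll|com|bat|scr))(?=[\s,]|$)', re.I)
MISSING = "(file missing)"


def image_path(cmd):
    """Strip quotes and trailing arguments from a Run command line."""
    m = IMAGE_RE.match(cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def parse_line(line):
    """Return a dict for an O4 Run/RunOnce or O23 service line, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    flags = []
    if code == "O4":
        r = RUN_RE.match(body)
        if not r:
            return None  # e.g. Startup-folder entries, not handled here
        name, path = r.group(3), image_path(r.group(4))
        # Value name identical to the file name: flagged in the analysis
        # above for atlqf.exe and exp.exe as worth checking.
        if ntpath.basename(path).lower() == name.lower():
            flags.append("name-equals-file")
        return {"code": code, "name": name, "path": path, "flags": flags}
    if code == "O23" and body.startswith("Service: "):
        parts = body[len("Service: "):].rsplit(" - ", 2)
        if len(parts) != 3:
            return None
        name, owner, path = parts
        if owner == "Unknown owner":
            flags.append("unknown-owner")
        if path.endswith(MISSING):
            path = path[: -len(MISSING)].rstrip()
            flags.append("file-missing")
        return {"code": code, "name": name, "path": path, "flags": flags}
    return None


def triage(log_text):
    """Parse every line of a log and keep the entries this example understands."""
    rows = (parse_line(line) for line in log_text.splitlines())
    return [row for row in rows if row is not None]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        if row["flags"]:
            print(row["code"], row["name"], row["path"], ",".join(row["flags"]))
```

A flag here only marks an entry for a closer look; the Pml Driver service and RealTray come back unflagged, and the decision to fix an entry still rests with whoever reads the log.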
 
