Please check my Hijackthis logfile


stardanz1

Hi,

I know there is something lurking in my computer but I can't quite figure it
out. I'll be working on my computer and suddenly I'll get the blue screen of
death and the whole thing will lock up. I check my log file regularly and
I'm kind of familiar with some of the entries. The 04...winproc.exe and the
klanp.exe looked suspicious so I deleted them (using HijackThis and deleting
in safe mode), but they have come back several times. Here are some questions I have:

1. How to permanently delete the above mentioned .exe files?

2. When shutting down, I sometimes get a pop up message that says a "file
could not initiate". The file names were pndcedit.exe and Qbijava.exe, both
were in C:\windows\system32 folder. What are these? Do I need them?

3. I was also recently shut down by a countdown message that said the
following file had a problem. The file was C:\windows\system32\Isass.exe
What is this? Do I need it?

4. I recently noticed two new files in the C:\windows folder. They are:
wincupdater.exe and Windows_Update32.exe. What are these? I moved them to
a folder on the desktop and am wondering if I should delete them?

5. What is the entry below O20 - Winlogon Notify: style2...
Do I need this?

6. Lastly, about 4 months ago, I was changing the security setting for
Active-X controls on Internet Explorer. And now, when I launch Norton
Anti-virus, I get a message that says something like:
"The current Active-X control settings will not allow some items on this
page to display properly". I moved the security settings to minimum, but
it didn't help. Norton doesn't work right so I have just un-installed it.
What can I do?

I have run Ad-Aware, Spybot S & D, Ewido.
Any advice on the above would be greatly appreciated, thanks for your help.

Logfile of HijackThis v1.99.1
Scan saved at 11:53:09 PM, on 10/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime 6.5\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [FullAudio] "C:\PROGRA~1\MusicNow\WMPImporter.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104470830\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Process Manager] winproc.exe
O4 - HKLM\..\Run: [REGMSYS] C:\klanp.exe
O4 - HKLM\..\RunServices: [Windows Process Manager] winproc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: style2 - C:\WINDOWS\q3806937_disk.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
 
Hi and Welcome to TSF

The files you're dealing with are trojans so unless you get them all at the same time...they keep reinstalling each other.

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

Also make sure you are using the latest version (1.99.1) of HijackThis and it's installed in its own folder on the root drive. (C:\HJT)

Please go to at least two of these sites and run an online Virus Scan.
Be sure to have the AutoFix box(s) checked.

http://housecall.trendmicro.com/
http://www3.ca.com/virusinfo/virusscan.aspx
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.bitdefender.com/scan/license.php
http://us.mcafee.com/root/mfs/default.asp
http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym

Download and install Cleanup but DO NOT run it yet!

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility

Download KillBox http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn OFF System Restore and make sure it's NOT checked. We want system restore ON and monitoring your current hard drive. Once you're clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [REGMSYS] C:\klanp.exe
O4 - HKLM\..\RunServices: [Windows Process Manager] winproc.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O20 - Winlogon Notify: style2 - C:\WINDOWS\q3806937_disk.dll (file missing)


Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion...say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINDOWS\q3806937_disk.dll
C:\windows\system32\Isass.exe
C:\windows\wincupdater.exe
C:\windows\Windows_Update32.exe
C:\klanp.exe
C:\windows\system32\Qbijava.exe
C:\windows\system32\pndcedit.exe
C:\???winproc.exe
<--locate this file's directory and put the path to it in the box.

*Note* Isass.exe <---make sure that file has an I in it..and not an L as that's a LEGIT windows file.

Once you reboot....

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Then reboot back into safe mode......

Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido

Run Cleanup again..using the same instructions as before.

Please run an online scan at http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Once it has finished save the activescan log. Then post that log in your next post along with the Ewido scan and a new hijackthis log.
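The checks the helper applies by hand above (autorun entries with no directory, an executable sitting in the drive root, Winlogon Notify DLLs outside system32, overridden NameServers, and the Isass.exe-with-a-capital-I lookalike) can be mechanised. The script below is an added example for this thread, not HijackThis code or anything the posters ran; the sample log is constructed from entries quoted in the thread, and the allowlist of binaries legitimately launched by bare name is an assumption.

```python
"""Triage helper for HijackThis v1.99.1 log lines (added example, not HJT code)."""
import re
from typing import List, Tuple

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*?)(?P<missing> \(file missing\))?$')
O17_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>[\d.,]+)$')

LEGIT_LSASS = "lsass.exe"
# Assumption: Windows binaries that legitimately appear by bare name in autoruns.
KNOWN_BARE = {"rundll32.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_lsass_lookalike(path: str) -> bool:
    """True when the name differs from lsass.exe only by an uppercase I
    standing in for the lowercase L (the "Isass.exe" trick in this thread)."""
    base = basename(path)
    if base.lower() == LEGIT_LSASS:      # lsass.exe / LSASS.EXE: the genuine file
        return False
    return base.replace("I", "l").lower() == LEGIT_LSASS


def first_token(cmd: str) -> str:
    """Return the executable part of an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage_line(line: str) -> List[str]:
    """Return human-readable findings for one HJT line; [] if nothing stands out."""
    findings: List[str] = []
    m = O4_RE.match(line)
    if m:
        exe = first_token(m.group("cmd"))
        name = basename(exe)
        label = m.group("name")
        if "\\" not in exe and "%" not in exe and name.lower() not in KNOWN_BARE:
            findings.append(f"O4 [{label}]: bare filename '{exe}' with no directory; "
                            "Windows has to search for it at logon, a common trojan autorun style")
        elif re.fullmatch(r"[A-Za-z]:\\[^\\]+", exe):
            findings.append(f"O4 [{label}]: '{exe}' runs from the drive root, "
                            "unusual for legitimate software")
        if is_lsass_lookalike(exe):
            findings.append(f"O4 [{label}]: '{name}' imitates lsass.exe (I instead of l)")
        if m.group("key") == "RunServices":
            findings.append(f"O4 [{label}]: uses RunServices, a Windows 9x-era key that "
                            "XP ignores; legitimate XP software does not write it")
        return findings
    m = O20_RE.match(line)
    if m:
        dll, label = m.group("dll"), m.group("name")
        if m.group("missing"):
            findings.append(f"O20 {label}: orphaned Winlogon Notify entry ({dll} missing)")
        if "\\system32\\" not in dll.lower():
            findings.append(f"O20 {label}: Notify DLL '{dll}' is outside system32, "
                            "where legitimate notification packages live")
        return findings
    m = O17_RE.match(line)
    if m:
        findings.append(f"O17: DNS overridden to {m.group('servers')}; confirm this is your "
                        "ISP's resolver, otherwise treat it as a DNS hijack")
    return findings


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run triage_line over a whole log and return only the flagged lines."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        f = triage_line(line)
        if f:
            out.append((line, f))
    return out


# Constructed sample: a mix of the clean and suspicious entries quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Process Manager] winproc.exe
O4 - HKLM\..\Run: [REGMSYS] C:\klanp.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update2] wuamwin.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{18E0020B-A0EF-4F99-9489-D66F8202DD00}: NameServer = 205.188.146.145
O20 - Winlogon Notify: style2 - C:\WINDOWS\q3806937_disk.dll (file missing)
O20 - Winlogon Notify: style32 - C:\WINDOWS\q25634421_disk.dll
"""

if __name__ == "__main__":
    for line, findings in triage_log(SAMPLE_LOG):
        print(line)
        for f in findings:
            print("   ->", f)
    print("Isass.exe lookalike:", is_lsass_lookalike(r"C:\windows\system32\Isass.exe"))
```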
 
I've run all the scans, several times, and the same adware/viruses continue to return. Below are the log files you requested.

The following 5 entries from HJT log file keep coming back
O4 - HKLM\..\Run: [Microsoft Windows Update2] wuamwin.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update2] wuamwin.exe (THE .EXE FILE KEEPS CHANGING ITS NAME, Also the last line of Active Scan says its disinfected?)
O17 - HKLM\System\CCS\Services\Tcpip\..\{18E0020B-A0EF-4F99-9489-D66F8202DD00}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{18E0020B-A0EF-4F99-9489-D66F8202DD00}: NameServer = 205.188.146.145
O20 - Winlogon Notify: style32 - C:\WINDOWS\q25634421_disk.dll

Logfile of HijackThis v1.99.1
Scan saved at 1:29:16 AM, on 10/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Daily Weather Forecast\weather.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Common Files\AOL\1104470830\ee\AOLHostManager.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Common Files\AOL\1104470830\ee\AOLServiceHost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\AOL\1104470830\ee\AOLServiceHost.exe
c:\program files\common files\aol\1104470830\ee\services\antiSpywareApp\ver2_0_0\AOLSP Scheduler.exe
C:\Program Files\Microsoft Office XP\Office10\msoffice.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime 6.5\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [FullAudio] "C:\PROGRA~1\MusicNow\WMPImporter.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104470830\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Windows Update2] wuamwin.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update2] wuamwin.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{18E0020B-A0EF-4F99-9489-D66F8202DD00}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{18E0020B-A0EF-4F99-9489-D66F8202DD00}: NameServer = 205.188.146.145
O20 - Winlogon Notify: style32 - C:\WINDOWS\q25634421_disk.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:03:47 PM, 10/11/2005
+ Report-Checksum: B82D659C

+ Scan result:

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-746137067-1844823847-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-746137067-1844823847-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-746137067-1844823847-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-746137067-1844823847-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKU\S-1-5-21-746137067-1844823847-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Mark1\Application Data\Mozilla\Users50\default\1gm8ormo.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Mark1\Application Data\Mozilla\Users50\default\1gm8ormo.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Mark1\Application Data\Mozilla\Users50\default\1gm8ormo.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Mark1\Application Data\Mozilla\Users50\default\1gm8ormo.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Mark1\Application Data\Mozilla\Users50\default\1gm8ormo.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Mark1\Application Data\Mozilla\Users50\default\1gm8ormo.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Mark1\Application Data\Mozilla\Users50\default\1gm8ormo.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Mark1\Application Data\Mozilla\Users50\default\1gm8ormo.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Mark1\Application Data\Mozilla\Users50\default\1gm8ormo.slt\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
C:\Program Files\Symantec\pcAnywhere\WinNTAuth.dll -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\87APUTWF\bridge-c46[1].cab/MediaGatewayX.dll -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\87APUTWF\prompt[1].php -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBO1MFOB\activated[1].exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBO1MFOB\activated[2].exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UBGV6BEP\ysb_prompt[1].php -> TrojanDownloader.IstBar.j : Cleaned with backup


::Report End


Incident Status Location

Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Mark1\Desktop\VIRUS\ps_uninstaller.exe
Adware:adware/delfinmedia No disinfected C:\keys.ini
Adware:Adware/IST.ISTBar No disinfected C:\Program Files\Daily Weather Forecast\weather.exe
Adware:Adware/WUpd No disinfected C:\Program Files\HijackThis\backups\backup-20040928-233145-583.inf
Adware:Adware/CWS No disinfected C:\RECYCLER\S-1-5-21-746137067-1844823847-725345543-1003\Dc1.dll
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\adsldpbc.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\HDPlugin1019.inf
Spyware:spyware/virtumonde No disinfected C:\WINDOWS\dpusys.ini
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
Dialer:dialer.bny No disinfected C:\WINDOWS\pcconfig.dat
Adware:Adware/CWS No disinfected C:\WINDOWS\q25634421_disk.dll
Adware:adware/keenvalue No disinfected C:\WINDOWS\system32\drivers\etc\hosts.bho
Spyware:spyware/smitfraud No disinfected C:\WINDOWS\system32\oleext32.dll
Spyware:Spyware/LinkReplacer No disinfected C:\WINDOWS\system32\PreUninstallQL.exe
Virus:W32/Gaobot.JSZ.worm Disinfected C:\WINDOWS\system32\sdktemp.exe
Virus:Trj/Crypt.N Disinfected C:\WINDOWS\system32\spoolvs.exe
Virus:W32/Gaobot.HTE.worm Disinfected C:\WINDOWS\system32\TFTP4532
Virus:W32/Gaobot.JID.worm Disinfected C:\WINDOWS\system32\TFTP5060
Virus:W32/Gaobot.JID.worm Disinfected C:\WINDOWS\system32\wuamwin.exe
 
Download KillBox http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Run Cleanup again...and reboot/logoff when prompted. Then reboot into safe mode.

Run hijackthis and fix the following entries...

O4 - HKLM\..\Run: [Microsoft Windows Update2] wuamwin.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update2] wuamwin.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{18E0020B-A0EF-4F99-9489-D66F8202DD00}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{18E0020B-A0EF-4F99-9489-D66F8202DD00}: NameServer = 205.188.146.145
O20 - Winlogon Notify: style32 - C:\WINDOWS\q25634421_disk.dll


Delete these folders....

C:\WINDOWS\system32\TFTP4532 <--folder

C:\WINDOWS\system32\TFTP5060 <-- folder

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion...say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\Documents and Settings\Mark1\Desktop\VIRUS\ps_uninstaller.exe
C:\keys.ini
C:\WINDOWS\adsldpbc.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.inf
C:\WINDOWS\dpusys.ini
C:\WINDOWS\inf\alchem.inf
C:\WINDOWS\pcconfig.dat
C:\WINDOWS\q25634421_disk.dll
C:\WINDOWS\system32\drivers\etc\hosts.bho
C:\WINDOWS\system32\oleext32.dll
C:\WINDOWS\system32\PreUninstallQL.exe
C:\WINDOWS\system32\sdktemp.exe
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\system32\wuamwin.exe


Once you reboot..proceed with the next steps. Skip downloading the tools you already have...but run them where indicated in the fix.


Download smitRem.exe and save the file to your desktop.
Double click on the file and it will extract its files into its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all the others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log and the Ewido Log by using Add Reply.
 
Hi,

There is one little sucker that won't go away. It is:
O20 - Winlogon Notify: style32 - C:\WINDOWS\q25634421_disk.dll

I ran a Purity Scan, then AdAware SE, Spybot S&D, CWShredder, tried KillBox and the command line to stop the process, ran CleanUp, Ewido and Panda ActiveScan. It won't die.

Then when I go online, I get the two O17s:
O17 - HKLM\System\CCS\Services\Tcpip\..\{18E0020B-A0EF-4F99-9489-D66F8202DD00}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{18E0020B-A0EF-4F99-9489-D66F8202DD00}: NameServer = 205.188.146.145

Here are the logs:


smitRem log file
version 2.6

by noahdfear

The current date is: Thu 10/13/2005
The current time is: 8:19:05.07

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:33:55 AM, 10/13/2005
+ Report-Checksum: 9D71CB13

+ Scan result:

No infected objects found.


::Report End

Panda ActiveScan

Incident Status Location

Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Mark1\Desktop\ps_uninstaller.exe
Adware:adware/delfinmedia No disinfected C:\keys.ini
Adware:Adware/IST.ISTBar No disinfected C:\Program Files\Daily Weather Forecast\weather.exe
Adware:Adware/WUpd No disinfected C:\Program Files\HijackThis\backups\backup-20040928-233145-583.inf
Adware:Adware/CWS No disinfected C:\Program Files\HijackThis\backups\backup-20051013-072104-523.dll
Adware:Adware/Miamore No disinfected C:\WINDOWS\adsldpbc.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\HDPlugin1019.inf
Spyware:spyware/virtumonde No disinfected C:\WINDOWS\dpusys.ini
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
Dialer:dialer.bny No disinfected C:\WINDOWS\pcconfig.dat
Adware:Adware/CWS No disinfected C:\WINDOWS\q25634421_disk.dll
Adware:Adware/CWS No disinfected C:\WINDOWS\q3661968_disk.dll
Adware:adware/keenvalue No disinfected C:\WINDOWS\system32\drivers\etc\hosts.bho
Spyware:spyware/smitfraud No disinfected C:\WINDOWS\system32\oleext32.dll
Spyware:Spyware/LinkReplacer No disinfected C:\WINDOWS\system32\PreUninstallQL.exe
Virus:W32/Gaobot.ITN.worm Disinfected C:\WINDOWS\system32\TFTP3904


CONTINUED IN NEXT POST
 
Logfile of HijackThis v1.99.1
Scan saved at 12:16:34 PM, on 10/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

CONTINUED
 
What's going on? I can only post a few hundred characters at a time. What a mess of a time I'm having!!!!

Alright, I tried posting the HJT log FIVE times and it just won't go. Even a small post. Can you go to this URL to see the log? Sorry, but I've gotta run and I want you to get the log.

http://www.goldenstatechallenge.net/HJTlogfile.html
 
Did you run CWShredder? You have a CoolWebSearch hijacker going on. Let's try this....

1. Download win32delfkil.exe: http://users.telenet.be/marcvn/tools/win32delfkil.exe
2. Save it on your desktop.
3. Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil
4. Close all windows, open the win32delfkil folder and double click on fix.bat.

The computer will reboot automatically and after the reboot the infection should be killed.

Reboot & post a fresh HJT log and we will address what's left.
 
Well, I don't know what to think anymore. Just when I think I've got the bug fixed, it
keeps coming back. Here's what I did

1. Ran win32delfkil.exe
2. smitRem
3. CWshredder
4. AdAware SE
5. spybot S&D
6. cleanUp
7. L2mfix
8. Ewido
9. Panda Activescan
10. HijackThis

By the time I finish Ewido everything looks okay to me (Of course I'm not the expert
but I'm getting used to looking at some of the logs). I ran HJT after Ewido and all
the problems appear gone. Then the problem starts when I go online for the
Panda ActiveScan. I run another HJT scan and I get the guys back:
O4 - HKLM\..\Run: [Provan Security] psecure.exe
O4 - HKLM\..\RunServices: [Provan Security] psecure.exe
(psecure.exe keeps changing its name, like schedsvc32.exe & winproc.exe)
O17 - HKLM\System\CCS\Services\Tcpip\..\{18E0020B-A0EF-4F99-9489-D66F8202DD00}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{18E0020B-A0EF-4F99-9489-D66F8202DD00}: NameServer = 205.188.146.145
O20 - Winlogon Notify: style32 - C:\WINDOWS\q3679156_disk.dll (file missing)

Just now I ran HJT offline and there were no O17 entries; now that I'm online, the O17 entries magically
appear along with the O20 (the file is missing because I put it in the Recycle Bin).

HELPPPP!!

Anyway, Here are the logs


smitRem log file
version 2.6

by noahdfear

The current date is: Fri 10/14/2005
The current time is: 12:31:02.90

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)
 
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:29:40 PM, 10/14/2005
+ Report-Checksum: 6CC18309

+ Scan result:

No infected objects found.


::Report End

Panda ActiveScan

Incident Status Location

Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Mark1\Desktop\ps_uninstaller.exe
Adware:adware/delfinmedia No disinfected C:\keys.ini
Adware:Adware/IST.ISTBar No disinfected C:\Program Files\Daily Weather Forecast\weather.exe
Adware:Adware/WUpd No disinfected C:\Program Files\HijackThis\backups\backup-20040928-233145-583.inf
Adware:Adware/CWS No disinfected C:\Program Files\HijackThis\backups\backup-20051013-072104-523.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\HDPlugin1019.inf
Spyware:spyware/virtumonde No disinfected C:\WINDOWS\dpusys.ini
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
Dialer:dialer.bny No disinfected C:\WINDOWS\pcconfig.dat
Adware:adware/keenvalue No disinfected C:\WINDOWS\system32\drivers\etc\hosts.bho
Spyware:spyware/smitfraud No disinfected C:\WINDOWS\system32\oleext32.dll
Spyware:Spyware/LinkReplacer No disinfected C:\WINDOWS\system32\PreUninstallQL.exe
Virus:W32/Gaobot.IPS.worm Disinfected C:\WINDOWS\system32\TFTP2004

Logfile of HijackThis v1.99.1
Scan saved at 1:25:17 AM, on 10/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\System32\rundll32.exe
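The entries that keep coming back in the post above (O4 values whose executable changes name, O17 NameServer values that only show up while connected, an O20 Winlogon Notify DLL that returns after deletion) are easier to check mechanically than by eye. The script below is an added example written for this page; it is not code from the thread, from HijackThis, or from any of the tools recommended here. It parses O4, O17 and O20 lines from a HijackThis-style log and reports why each flagged line deserves a look. The sample log is constructed from entries quoted in this thread plus two benign lines (a SoundMAX tray entry and the stock crypt32chain notify package); the trusted-resolver set, the list of default Winlogon Notify packages and the system32 path are assumptions to adjust for the machine being examined.

```python
"""Triage O4, O17 and O20 lines of a HijackThis-style log.

Added example for this page; not code from the thread, from HijackThis or
from the tools it recommends.  Assumptions are marked inline.
"""
import re
from typing import Dict, List

# Assumption: resolvers you expect to see.  Replace with your ISP's servers.
KNOWN_RESOLVERS = {"192.168.1.1"}

# Assumption: Winlogon Notify packages present on a stock Windows XP build.
# Compare against a known-clean machine of the same build before relying on it.
DEFAULT_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                  "sclgntfy", "SensLogn", "termsrv", "wlballoon"}
SYSTEM32 = r"c:\windows\system32"  # assumption: default XP system root

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - HKLM\\System\\(?P<cs>\w+)\\Services\\Tcpip\\\.\.\\"
                    r"\{(?P<guid>[0-9A-Fa-f-]+)\}: NameServer = (?P<ns>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)"
                    r"(?P<missing> \(file missing\))?$")


def _executable(cmd: str) -> str:
    """First token of a Run command: the quoted part, or text up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def check_o4(m) -> List[str]:
    reasons = []
    exe = _executable(m["cmd"])
    if "\\" not in exe:
        # No directory: Windows locates it by path search, so the log alone
        # does not tell you which copy on disk is being started.
        reasons.append("bare filename %r: located by path search, location unknown" % exe)
    if m["key"] in ("RunServices", "RunServicesOnce"):
        reasons.append("RunServices is a Windows 9x key that XP does not process; "
                       "a value there needs explaining")
    return reasons


def check_o17(m) -> List[str]:
    servers = [s for s in re.split(r"[ ,]+", m["ns"].strip()) if s]
    unknown = [s for s in servers if s not in KNOWN_RESOLVERS]
    if not unknown:
        return []
    return ["resolver %s on adapter %s is not in the trusted list (control set %s)"
            % (", ".join(unknown), m["guid"], m["cs"])]


def check_o20(m) -> List[str]:
    reasons = []
    dll = m["dll"].strip()
    base = dll.rsplit("\\", 1)[-1]
    if m["name"] not in DEFAULT_NOTIFY:
        reasons.append("Winlogon Notify package %r is not a stock XP package" % m["name"])
    if "\\" in dll and not dll.lower().startswith(SYSTEM32):
        reasons.append("notify DLL %r lives outside system32" % dll)
    if m["missing"]:
        reasons.append("DLL is gone but the registry entry remains; winlogon will keep trying to load it")
    if re.fullmatch(r"q\d+_disk\.dll", base, re.IGNORECASE):
        reasons.append("name follows the q<digits>_disk.dll pattern seen in this thread")
    return reasons


CHECKS = [(O4_RE, check_o4), (O17_RE, check_o17), (O20_RE, check_o20)]


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per flagged line, each with the list of reasons."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        for regex, check in CHECKS:
            m = regex.match(line)
            if m:
                reasons = check(m)
                if reasons:
                    findings.append({"line": line, "reasons": reasons})
                break
    return findings


# Constructed sample: entries quoted in the thread plus two benign lines.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Provan Security] psecure.exe
O4 - HKLM\..\RunServices: [Provan Security] psecure.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{18E0020B-A0EF-4F99-9489-D66F8202DD00}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{18E0020B-A0EF-4F99-9489-D66F8202DD00}: NameServer = 205.188.146.145
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: style32 - C:\WINDOWS\q3679156_disk.dll (file missing)
""".strip()

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Two points the checks encode are worth keeping in mind when reading the logs in this thread. A Run value that is a bare filename is found by Windows' path search, so the log by itself does not say which file on disk is being started, which is why the same value can keep reappearing under different names. And an O17 line is not by itself proof of a hijack: a dial-up connection can write the resolvers it negotiates into the same NameServer value HijackThis reads, which would also explain an entry that is present only while connected, so the address should be compared with what the ISP actually assigns before the entry is fixed.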
 