#12

Platinum Member
Join Date: Sep 2005
Location: Miami, FL
Age: 21
Posts: 505
PANDA

Incident | Status | Location
Adware:adware/exact.bargainbuddy | No disinfected | C:\WINDOWS\SYSTEM32\exul1.exe
Spyware:spyware/betterinet | No disinfected | C:\WINDOWS\Buddy.exe
Adware:adware/ncase | No disinfected | C:\TEMP\FLEOK
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\All Users\Application Data\Acid rdr play move\Admin 1.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\All Users\Application Data\Acid rdr play move\cdromknob.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\All Users\Application Data\Acid rdr play move\DOES MAIL.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\All Users\Application Data\Acid rdr play move\find file.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\All Users\Application Data\Acid rdr play move\Grey Flag.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\All Users\Application Data\Acid rdr play move\HeartGlobal.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\All Users\Application Data\Acid rdr play move\isodraw.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\All Users\Application Data\Acid rdr play move\lies tick.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\All Users\Application Data\Acid rdr play move\meta extra.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\All Users\Application Data\Acid rdr play move\MIXHOLE.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\All Users\Application Data\Acid rdr play move\mixsite.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\All Users\Application Data\Acid rdr play move\Part Mpeg.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\All Users\Application Data\Acid rdr play move\Sign Option.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\All Users\Application Data\Acid rdr play move\Spambuild.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\All Users\Application Data\Acid rdr play move\TwoTons.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\All Users\Application Data\Acid rdr play move\web body.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\All Users\Application Data\Acid rdr play move\Wipe Film.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Application Data\balm16two\bbsfacou.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Application Data\balm16two\ceovraiz.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Application Data\balm16two\ddbmvomc.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Application Data\balm16two\dvpcinfz.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Application Data\balm16two\faklhbbe.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Application Data\balm16two\hhkpspmx.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Application Data\balm16two\hjrsefcm.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Application Data\balm16two\hqgzgbwm.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Application Data\balm16two\lxuoqmme.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Application Data\balm16two\lysjytbm.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Application Data\balm16two\mgnjpseb.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Application Data\balm16two\myujalfh.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Application Data\balm16two\nluqtvyd.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Application Data\balm16two\obcoaqey.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Application Data\balm16two\onflwxoz.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Application Data\balm16two\pgrmziuv.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Application Data\balm16two\pqbgglul.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Application Data\balm16two\rurgzitg.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Application Data\balm16two\setrsbrt.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Application Data\balm16two\tzaesmgb.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Application Data\balm16two\uflotpjj.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Application Data\balm16two\ugghkqhn.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Application Data\balm16two\vdscqlbn.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Application Data\balm16two\wifdfteg.exe
Adware:Adware/IST.ISTBar | No disinfected | C:\Documents and Settings\Jonathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5ad1bcbe-1e2c5e81.zip[InstallerApplet.class]
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Local Settings\Temp\20b6e119.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Local Settings\Temp\20c10de6.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Local Settings\Temp\20dabacd.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Local Settings\Temp\234c3ad8.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Local Settings\Temp\2412c941.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Local Settings\Temp\249141d2.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Local Settings\Temp\29be013a.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Local Settings\Temp\30d17fa4.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Local Settings\Temp\35e817c4.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Local Settings\Temp\35fe1cdb.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Local Settings\Temp\awmjpoun.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Local Settings\Temp\cpmmhlno.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Local Settings\Temp\cvcsrgcl.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Local Settings\Temp\jxojcnzp.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Local Settings\Temp\mljbzqhg.exe
Adware:Adware/Lop | No disinfected | C:\Documents and Settings\Jonathan\Local Settings\Temp\xfatznfk.exe
Virus:JS/Psyme.gen | Renamed | C:\exec_hta.vir
Virus:Bck/OptixPro.AB | Disinfected | C:\RECYCLER\server.exe
Virus:Bck/Bifrose.BZ | Disinfected | C:\server.exe
Virus:W32/Oscarbot.BJ.worm | Disinfected | C:\temp\NITE.exe
Spyware:Spyware/BetterInet | No disinfected | C:\WINDOWS\Buddy.exe
Adware:Adware/Exact.SearchBar | No disinfected | C:\WINDOWS\system32\exul1.exe
Virus:Bck/OptixPro.AB | Disinfected | C:\WINDOWS\system32\msiexec16.exe
#13

Platinum Member
Logfile of HijackThis v1.99.1
Scan saved at 7:36:25 PM, on 11/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jonathan\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R3 - URLSearchHook: HyperSearchHook - {D86BDD9B-A435-456F-B072-90E720DE9F83} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll (file missing)
F0 - system.ini: Shell=Explorer.exe c:\windows\system32\winmsn.exe
F1 - win.ini: run=c:\windows\system32\winmsn.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: (no name) - {413EC4AA-03C4-3FF7-6A60-CF8520C59F9E} - C:\DOCUME~1\Jonathan\APPLIC~1\SETUPE~1\loud knob.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Win zite] C:\WINDOWS\\\\\\\\\\\\\\
O4 - HKLM\..\Run: [play move test date] C:\Documents and Settings\All Users\Application Data\Acid rdr play move\bone software.exe
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\server.exe
O4 - HKCU\..\Run: [METABOOB] C:\DOCUME~1\Jonathan\APPLIC~1\BALM16~1\Insidename.exe
O4 - HKCU\..\Run: [SIDEBAR] "C:\Program Files\Desktop Sidebar\dsidebar.exe"
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com/start.html
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095105930035
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: AntiVir Update Temp (TmpUpSrv) - Unknown owner - C:\DOCUME~1\JONATHAN\LOCALS~1\TEMP\_VWUPSRV.EXE (file missing)
#14

Digaredd
Join Date: May 2005
Location: Melbourne AU
Posts: 6,729
I gotta get to bed now, I'll get back to it tomorrow; run Ewido in the meantime.
http://download.ewido.net/ewido-setup.exe
Update it and run a full scan, in safe mode preferably, then reboot and post a new HijackThis log.
__________________
The Grim Reaper - Son of Glyndwr "To Hell or Connacht" may you burn in Hell tonight!
#15

Platinum Member
Logfile of HijackThis v1.99.1
Scan saved at 6:35:09 PM, on 11/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Steam\Steam.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jonathan\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R3 - URLSearchHook: HyperSearchHook - {D86BDD9B-A435-456F-B072-90E720DE9F83} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll (file missing)
F0 - system.ini: Shell=Explorer.exe c:\windows\system32\winmsn.exe
F1 - win.ini: run=c:\windows\system32\winmsn.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: (no name) - {413EC4AA-03C4-3FF7-6A60-CF8520C59F9E} - C:\DOCUME~1\Jonathan\APPLIC~1\SETUPE~1\loud knob.exe (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Win zite] C:\WINDOWS\\\\\\\\\\\\\\
O4 - HKLM\..\Run: [play move test date] C:\Documents and Settings\All Users\Application Data\Acid rdr play move\bone software.exe
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\server.exe
O4 - HKCU\..\Run: [METABOOB] C:\DOCUME~1\Jonathan\APPLIC~1\BALM16~1\Insidename.exe
O4 - HKCU\..\Run: [SIDEBAR] "C:\Program Files\Desktop Sidebar\dsidebar.exe"
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com/start.html
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095105930035
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: AntiVir Update Temp (TmpUpSrv) - Unknown owner - C:\DOCUME~1\JONATHAN\LOCALS~1\TEMP\_VWUPSRV.EXE (file missing)

That's the final..... I still get pop-ups when I use IE, and when I play a game that takes the whole screen; other than that... just slow performance.
#16

Digaredd
Download Ccleaner.
http://www.filehippo.com/download/oc.../download.html
Unzip it to the desktop but don't run it yet.

- Download the Killbox.
- Unzip it to the desktop but do NOT run it yet.
- Then reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
- Once in Safe Mode, run Killbox.
- Click "Delete on Reboot".
- Paste the following into the top "Full Path of File to Delete" box.

Do the same with these files.
C:\WINDOWS\Buddy.exe
C:\Documents and Settings\Jonathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5ad1bcbe-1e2c5e81.zip
C:\windows\system32\winmsn.exe
C:\WINDOWS\system32\server.exe

Run HijackThis and select "Do a system scan only", place a check by the following entries.
R3 - URLSearchHook: HyperSearchHook - {D86BDD9B-A435-456F-B072-90E720DE9F83} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll (file missing)
F0 - system.ini: Shell=Explorer.exe c:\windows\system32\winmsn.exe
F1 - win.ini: run=c:\windows\system32\winmsn.exe
O2 - BHO: (no name) - {413EC4AA-03C4-3FF7-6A60-CF8520C59F9E} - C:\DOCUME~1\Jonathan\APPLIC~1\SETUPE~1\loud knob.exe (file missing)
O4 - HKLM\..\Run: [Win zite] C:\WINDOWS\\\\\\\\\\\\\\
O4 - HKLM\..\Run: [play move test date] C:\Documents and Settings\All Users\Application Data\Acid rdr play move\bone software.exe
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\server.exe
O4 - HKCU\..\Run: [METABOOB] C:\DOCUME~1\Jonathan\APPLIC~1\BALM16~1\Insidename.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - Unknown owner - C:\DOCUME~1\JONATHAN\LOCALS~1\TEMP\_VWUPSRV.EXE (file missing)
Close all open windows and browsers, and hit "Fix Checked".

Reconfigure Windows XP to show hidden files:
- Click Start. Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View tab.
- Under the "Hidden files and folders" heading select "Show hidden files and folders".
- Uncheck the "Hide protected operating system files (recommended)" option.
- Uncheck the "Hide file extensions for known file types" option.
- Click Yes to confirm. Click OK.

Delete these folders.
C:\Documents and Settings\All Users\Application Data\Acid rdr play move
C:\Documents and Settings\Jonathan\Application Data\balm16two

Delete everything in this Temp folder (not the Temp folder itself).
C:\Documents and Settings\Jonathan\Local Settings\Temp

Then run Ccleaner.
Then reboot to normal mode and post a new HijackThis log.
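The selection above follows a handful of repeatable rules: hooks whose target file is missing, the Win9x-era Shell=/run= ini entries, Run entries that point into a profile or Temp directory or at a directory padded with backslashes, and services that report no owner. The script below is an added example for this page, not part of HijackThis or of anything posted in the thread; it applies those rules to a pasted log as a first pass. Its sample input is a constructed subset of the log lines posted above, and the suspect file names it knows (server.exe, winmsn.exe) are an assumption taken from this thread that you would extend for your own cases.

```python
import re

# Constructed sample: a subset of the HijackThis 1.99.1 lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com/start.html
R3 - URLSearchHook: HyperSearchHook - {D86BDD9B-A435-456F-B072-90E720DE9F83} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll (file missing)
F0 - system.ini: Shell=Explorer.exe c:\windows\system32\winmsn.exe
F1 - win.ini: run=c:\windows\system32\winmsn.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {413EC4AA-03C4-3FF7-6A60-CF8520C59F9E} - C:\DOCUME~1\Jonathan\APPLIC~1\SETUPE~1\loud knob.exe (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Win zite] C:\WINDOWS\\\\\\\\\\\\\\
O4 - HKLM\..\Run: [play move test date] C:\Documents and Settings\All Users\Application Data\Acid rdr play move\bone software.exe
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\server.exe
O4 - HKCU\..\Run: [METABOOB] C:\DOCUME~1\Jonathan\APPLIC~1\BALM16~1\Insidename.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: AntiVir Update Temp (TmpUpSrv) - Unknown owner - C:\DOCUME~1\JONATHAN\LOCALS~1\TEMP\_VWUPSRV.EXE (file missing)
"""

# "O4 - HKLM\..\Run: [name] target" -> section "O4", body "HKLM\..\Run: [name] target"
HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Profile and temp locations an autorun target has no business living in.
USER_WRITABLE = re.compile(
    r"\\(Documents and Settings|DOCUME~1)\\"
    r"|\\(Local Settings\\Temp|LOCALS~1\\TEMP)\\"
    r"|\\(Application Data|APPLIC~1)\\",
    re.IGNORECASE,
)

# A directory padded with backslashes where an executable should be, e.g. C:\WINDOWS\\\\\\
BARE_DIR = re.compile(r"[A-Za-z]:\\[A-Za-z0-9_ ]+\\+")

# Drop names seen in this thread (assumption: extend the tuple for your own cases).
SUSPECT_NAMES = ("server.exe", "winmsn.exe")


def o4_target(body):
    """Strip the hive and [name] prefix of an O4 entry, leaving the command line."""
    return body.split("] ", 1)[1].strip() if "] " in body else ""


def triage_line(line):
    """Return the list of reasons a HijackThis line is suspicious (empty = not flagged)."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    if "(file missing)" in body:
        reasons.append("target file missing: orphaned hook, fix the entry")
    if sec in ("F0", "F1"):
        # Shell= in system.ini and run= in win.ini are Win9x-era hooks that XP still
        # honours; they should be empty, so anything listed here is persistence.
        reasons.append(f"{sec}: legacy ini-file hook loads an extra program")
    if sec == "O4":
        target = o4_target(body)
        if BARE_DIR.fullmatch(target):
            reasons.append("O4: bare directory padded with backslashes")
        if USER_WRITABLE.search(target):
            reasons.append("O4: autorun target lives in a user-writable profile or temp directory")
        if target.lower().endswith(tuple("\\" + n for n in SUSPECT_NAMES)):
            reasons.append("O4: target has a known drop name")
    if sec == "O23" and "Unknown owner" in body:
        reasons.append("O23: service binary carries no company/owner string")
    return reasons


def triage_log(text):
    """Return [(line, reasons), ...] for every line that tripped at least one rule."""
    flagged = []
    for raw in text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            flagged.append((raw.strip(), reasons))
    return flagged


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG):
        print(entry)
        for r in why:
            print("    ->", r)
```

On the sample above the script flags exactly the entries the reply checks for fixing, plus the two orphaned services, and leaves the vendor-signed Run entries and the NVIDIA service alone. The rules are deliberately narrow: a "(file missing)" entry is safe to remove on its own, but a Run entry in a profile directory still needs a human to confirm the file is not a legitimate per-user install before it is deleted.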
#18

Platinum Member
OK, I did all that... this is the files in the Temp folder - 1,441, and it said this after CCleaner - 332.8MB removed.

Here's the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:40:49 AM, on 11/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jonathan\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [SIDEBAR] "C:\Program Files\Desktop Sidebar\dsidebar.exe"
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com/start.html
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095105930035
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: AntiVir Update Temp (TmpUpSrv) - Unknown owner - C:\DOCUME~1\JONATHAN\LOCALS~1\TEMP\_VWUPSRV.EXE (file missing)

Also on startup, the WINDOWS folder kept popping up... didn't do that.
#19

Digaredd
Looking much better.
Just a bit of tidying up to do.

- Hit Start > Run, type services.msc.
- Scroll down until you find the service AntiVir Update Temp, and double-click on it.
- Hit "Stop" and change the "Startup Type" to "Disabled". Hit "Apply", then "OK".
- Then run HijackThis and click Config -> Misc Tools -> Delete an NT service. In the Delete window, type TmpUpSrv and press OK. OK any prompts, then go back to the Misc Tools section.
- Select "Generate StartupList log". When the log opens, scroll down to "Enumerating Task Scheduler jobs:" and post what's listed there.
#20

Platinum Member
Enumerating Task Scheduler jobs:
DBFE30729E35AF2A.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/s...irector/sw.cab

[BlueStream_Flash Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Rovion.dll
CODEBASE = http://www.rovion.com/Controls/Rovion.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://v5.windowsupdate.microsoft.co...?1095105930035

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/actives...ree/asinst.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/Ms...Downloader.cab

--------------------------------------------------