Help with a virus (hijackthis log file)

its_me123 · 03-29-2006, 09:16 AM

Hey

This is a followup on my other post, I got told to run a Hijackthis and post the log file, I see in there that iexplorer.exe which is intenret explorer i think is opened as soon as i start my comp up whch is odd because I don't see it opened, and the xpupdate.exe looks suspicious because when I close that the popup you comp is in danger goes away...

logfile:

Logfile of HijackThis v1.99.1
Scan saved at 6:13:09 PM, on 29/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\savedump.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\Oleansoft\Hc\Hce.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\AIM95\aim.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\xpupdate.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
D:\WINDOWS\system32\sistray.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Jamie\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [HCEmployee] D:\Program Files\Oleansoft\Hc\Hce.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [yaemu.exe] D:\WINDOWS\system32\yaemu.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Piracy] "D:\DOCUME~1\Jamie\LOCALS~1\Temp\SysUtil.exe" /PIRACY
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = D:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Utility Tray.lnk = D:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136506377170
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{08E3B69C-95C7-41FC-A43A-CCA2D84A42BC}: NameServer = 85.255.116.148,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E5E52A6-1258-4B1A-91D0-C2AB27F8ABB4}: NameServer = 85.255.116.148,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{97163CA2-2409-4263-B98C-B6369BB91FFF}: NameServer = 85.255.116.148,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3ED65A6-7541-4380-B6E3-FDEFF60809AC}: NameServer = 85.255.116.148,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7F59573-AB64-4FFE-848E-42AC2FBE3D1E}: NameServer = 85.255.116.148,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE583EAF-8825-4FB6-BC4C-BCE034D451B4}: NameServer = 85.255.116.148,85.255.112.10
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{08E3B69C-95C7-41FC-A43A-CCA2D84A42BC}: NameServer = 85.255.116.148,85.255.112.10
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{08E3B69C-95C7-41FC-A43A-CCA2D84A42BC}: NameServer = 85.255.116.148,85.255.112.10
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS3\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: RegCompact - D:\WINDOWS\SYSTEM32\RegCompact.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe

**Buzz1927** · 03-29-2006, 11:14 AM

Uninstall Viewpoint Manager.

Run Hijackthis and select "Do a system scan only", place a check by the following entries.

O4 - HKLM\..\Run: [yaemu.exe] D:\WINDOWS\system32\yaemu.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{08E3B69C-95C7-41FC-A43A-CCA2D84A42BC}: NameServer = 85.255.116.148,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E5E52A6-1258-4B1A-91D0-C2AB27F8ABB4}: NameServer = 85.255.116.148,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{97163CA2-2409-4263-B98C-B6369BB91FFF}: NameServer = 85.255.116.148,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3ED65A6-7541-4380-B6E3-FDEFF60809AC}: NameServer = 85.255.116.148,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7F59573-AB64-4FFE-848E-42AC2FBE3D1E}: NameServer = 85.255.116.148,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE583EAF-8825-4FB6-BC4C-BCE034D451B4}: NameServer = 85.255.116.148,85.255.112.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{08E3B69C-95C7-41FC-A43A-CCA2D84A42BC}: NameServer = 85.255.116.148,85.255.112.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{08E3B69C-95C7-41FC-A43A-CCA2D84A42BC}: NameServer = 85.255.116.148,85.255.112.10

Close all open windows and browsers, and hit "Fix Checked".

Delete these files.

D:\WINDOWS\system32\yaemu.exe
C:\Windows\xpupdate.exe

Please download, install, and update the NEW free version of Ewido trojan scanner:

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
If ewido finds anything, it will pop up a notification. Select "Remove" and "Perform action on all Infections" and "Create encrypted backup".
When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Then restart the computer and post a new Hijackthis log.

its_me123 · 03-29-2006, 09:01 PM

ok heres another one after I followed your instructions: I no longer have any popups

Logfile of HijackThis v1.99.1
Scan saved at 5:59:56 AM, on 30/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\savedump.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Oleansoft\Hc\Hce.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\AIM95\aim.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
D:\WINDOWS\system32\sistray.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\Jamie\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HCEmployee] D:\Program Files\Oleansoft\Hc\Hce.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Piracy] "D:\DOCUME~1\Jamie\LOCALS~1\Temp\SysUtil.exe" /PIRACY
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = D:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Utility Tray.lnk = D:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136506377170
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS3\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: RegCompact - D:\WINDOWS\SYSTEM32\RegCompact.dll
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe

**Buzz1927** · 03-29-2006, 10:04 PM

Looks good mate.

03-29-2006, 09:16 AM	#1 (permalink)
its_me123 Bronze Member Join Date: Mar 2006 Posts: 29	Help with a virus (hijackthis log file) Hey This is a followup on my other post, I got told to run a Hijackthis and post the log file, I see in there that iexplorer.exe which is intenret explorer i think is opened as soon as i start my comp up whch is odd because I don't see it opened, and the xpupdate.exe looks suspicious because when I close that the popup you comp is in danger goes away... logfile: Logfile of HijackThis v1.99.1 Scan saved at 6:13:09 PM, on 29/03/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: D:\WINDOWS\System32\smss.exe D:\WINDOWS\system32\winlogon.exe D:\WINDOWS\system32\services.exe D:\WINDOWS\system32\savedump.exe D:\WINDOWS\system32\lsass.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\System32\svchost.exe D:\Program Files\Ahead\InCD\InCDsrv.exe D:\WINDOWS\Explorer.EXE D:\WINDOWS\system32\spoolsv.exe D:\Program Files\Common Files\Real\Update_OB\realsched.exe D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe D:\Program Files\Oleansoft\Hc\Hce.exe D:\WINDOWS\system32\ctfmon.exe D:\Program Files\AIM95\aim.exe D:\Program Files\MSN Messenger\MsnMsgr.Exe D:\Program Files\Internet Explorer\iexplore.exe C:\Windows\xpupdate.exe D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe D:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe D:\WINDOWS\system32\sistray.exe D:\WINDOWS\system32\wscntfy.exe D:\WINDOWS\System32\svchost.exe D:\WINDOWS\system32\wuauclt.exe D:\Program Files\Internet Explorer\iexplore.exe D:\Documents and Settings\Jamie\Desktop\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [HCEmployee] D:\Program Files\Oleansoft\Hc\Hce.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [yaemu.exe] D:\WINDOWS\system32\yaemu.exe O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM95\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe O4 - HKCU\..\Run: [Piracy] "D:\DOCUME~1\Jamie\LOCALS~1\Temp\SysUtil.exe" /PIRACY O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = D:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE O4 - Global Startup: Picture Package Menu.lnk = ? O4 - Global Startup: Picture Package VCD Maker.lnk = ? O4 - Global Startup: Utility Tray.lnk = D:\WINDOWS\system32\sistray.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136506377170 O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} - O17 - HKLM\System\CCS\Services\Tcpip\..\{08E3B69C-95C7-41FC-A43A-CCA2D84A42BC}: NameServer = 85.255.116.148,85.255.112.10 O17 - HKLM\System\CCS\Services\Tcpip\..\{2E5E52A6-1258-4B1A-91D0-C2AB27F8ABB4}: NameServer = 85.255.116.148,85.255.112.10 O17 - HKLM\System\CCS\Services\Tcpip\..\{97163CA2-2409-4263-B98C-B6369BB91FFF}: NameServer = 85.255.116.148,85.255.112.10 O17 - HKLM\System\CCS\Services\Tcpip\..\{B3ED65A6-7541-4380-B6E3-FDEFF60809AC}: NameServer = 85.255.116.148,85.255.112.10 O17 - HKLM\System\CCS\Services\Tcpip\..\{D7F59573-AB64-4FFE-848E-42AC2FBE3D1E}: NameServer = 85.255.116.148,85.255.112.10 O17 - HKLM\System\CCS\Services\Tcpip\..\{FE583EAF-8825-4FB6-BC4C-BCE034D451B4}: NameServer = 85.255.116.148,85.255.112.10 O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au O17 - HKLM\System\CS1\Services\Tcpip\..\{08E3B69C-95C7-41FC-A43A-CCA2D84A42BC}: NameServer = 85.255.116.148,85.255.112.10 O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au O17 - HKLM\System\CS2\Services\Tcpip\..\{08E3B69C-95C7-41FC-A43A-CCA2D84A42BC}: NameServer = 85.255.116.148,85.255.112.10 O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au O17 - HKLM\System\CS3\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: RegCompact - D:\WINDOWS\SYSTEM32\RegCompact.dll O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe

03-29-2006, 11:14 AM	#2 (permalink)
Buzz1927 Digaredd Join Date: May 2005 Location: Melbourne AU Posts: 7,582	Uninstall Viewpoint Manager. Run Hijackthis and select "Do a system scan only", place a check by the following entries. O4 - HKLM\..\Run: [yaemu.exe] D:\WINDOWS\system32\yaemu.exe O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} - O17 - HKLM\System\CCS\Services\Tcpip\..\{08E3B69C-95C7-41FC-A43A-CCA2D84A42BC}: NameServer = 85.255.116.148,85.255.112.10 O17 - HKLM\System\CCS\Services\Tcpip\..\{2E5E52A6-1258-4B1A-91D0-C2AB27F8ABB4}: NameServer = 85.255.116.148,85.255.112.10 O17 - HKLM\System\CCS\Services\Tcpip\..\{97163CA2-2409-4263-B98C-B6369BB91FFF}: NameServer = 85.255.116.148,85.255.112.10 O17 - HKLM\System\CCS\Services\Tcpip\..\{B3ED65A6-7541-4380-B6E3-FDEFF60809AC}: NameServer = 85.255.116.148,85.255.112.10 O17 - HKLM\System\CCS\Services\Tcpip\..\{D7F59573-AB64-4FFE-848E-42AC2FBE3D1E}: NameServer = 85.255.116.148,85.255.112.10 O17 - HKLM\System\CCS\Services\Tcpip\..\{FE583EAF-8825-4FB6-BC4C-BCE034D451B4}: NameServer = 85.255.116.148,85.255.112.10 O17 - HKLM\System\CS1\Services\Tcpip\..\{08E3B69C-95C7-41FC-A43A-CCA2D84A42BC}: NameServer = 85.255.116.148,85.255.112.10 O17 - HKLM\System\CS2\Services\Tcpip\..\{08E3B69C-95C7-41FC-A43A-CCA2D84A42BC}: NameServer = 85.255.116.148,85.255.112.10 Close all open windows and browsers, and hit "Fix Checked". Delete these files. D:\WINDOWS\system32\yaemu.exe C:\Windows\xpupdate.exe Please download, install, and update the NEW free version of Ewido trojan scanner: When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment. From the main ewido screen, click on update in the left menu, then click the Start update button. After the update finishes (the status bar at the bottom will display "Update successful") Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run. If ewido finds anything, it will pop up a notification. Select "Remove" and "Perform action on all Infections" and "Create encrypted backup". When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again. Then restart the computer and post a new Hijackthis log. __________________ Son of Glyndwr Mae hen wlad fy nhadau yn annwyl i mi

03-29-2006, 10:04 PM	#4 (permalink)
Buzz1927 Digaredd Join Date: May 2005 Location: Melbourne AU Posts: 7,582	Looks good mate. __________________ Son of Glyndwr Mae hen wlad fy nhadau yn annwyl i mi

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

03-29-2006, 09:01 PM	#3 (permalink)
its_me123 Bronze Member Join Date: Mar 2006 Posts: 29	ok heres another one after I followed your instructions: I no longer have any popups Logfile of HijackThis v1.99.1 Scan saved at 5:59:56 AM, on 30/03/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: D:\WINDOWS\System32\smss.exe D:\WINDOWS\system32\winlogon.exe D:\WINDOWS\system32\services.exe D:\WINDOWS\system32\savedump.exe D:\WINDOWS\system32\lsass.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\System32\svchost.exe D:\Program Files\Ahead\InCD\InCDsrv.exe D:\WINDOWS\Explorer.EXE D:\WINDOWS\system32\spoolsv.exe D:\Program Files\Common Files\Real\Update_OB\realsched.exe D:\Program Files\Oleansoft\Hc\Hce.exe D:\WINDOWS\system32\ctfmon.exe D:\Program Files\AIM95\aim.exe D:\Program Files\MSN Messenger\MsnMsgr.Exe D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe D:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe D:\WINDOWS\system32\sistray.exe D:\Program Files\ewido anti-malware\ewidoctrl.exe D:\WINDOWS\system32\wscntfy.exe D:\WINDOWS\System32\svchost.exe D:\WINDOWS\system32\wuauclt.exe D:\Documents and Settings\Jamie\Desktop\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [HCEmployee] D:\Program Files\Oleansoft\Hc\Hce.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM95\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Piracy] "D:\DOCUME~1\Jamie\LOCALS~1\Temp\SysUtil.exe" /PIRACY O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = D:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE O4 - Global Startup: Picture Package Menu.lnk = ? O4 - Global Startup: Picture Package VCD Maker.lnk = ? O4 - Global Startup: Utility Tray.lnk = D:\WINDOWS\system32\sistray.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136506377170 O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au O17 - HKLM\System\CS3\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: RegCompact - D:\WINDOWS\SYSTEM32\RegCompact.dll O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe