Spyware malware the common

SearchEnDie · 07-06-2006, 07:36 AM

My brother kinda downloaded stuff. I do not know, and one day all thease pop ups showed. thanks! if you help

!!

Logfile of HijackThis v1.99.1
Scan saved at 11:55:03 PM, on 7/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zkaqbbo.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\dfndrc_4a.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\zkaqbboA.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\MBOLS~1\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\WINDOWS\??sks\winspool.exe
C:\Program Files\AntiVir PersonalEdition Classic\avscan.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\msiexec.exe
C:\DOCUME~1\User\LOCALS~1\Temp\Rar$EX09.813\Hijack This.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [defender] C:\\dfndrc_4a.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdc_4.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [zkaqbboA] C:\WINDOWS\zkaqbboA.exe
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Rtsi] "C:\WINDOWS\SSTEM3~1\ntvdm.exe" -vt yazr
O4 - HKCU\..\Run: [Zdhqholq] C:\PROGRA~1\MANTEC~1\SRVICE~1.EXE
O4 - HKCU\..\Run: [] C:\PROGRA~1\MANTEC~1\SRVICE~1.EXE
O4 - HKCU\..\Run: [Eyeomp] C:\Documents and Settings\User\My Documents\?ssembly\msdtc.exe
O4 - HKCU\..\Run: [Fiiubse] C:\PROGRA~1\MANTEC~1\SRVICE~1.EXE
O4 - HKCU\..\Run: [Otse] "C:\PROGRA~1\COMMON~1\MBOLS~1\spoolsv.exe" -vt yazr
O4 - HKCU\..\Run: [Bear] C:\WINDOWS\??sks\winspool.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int14.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1149103758593
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: repairs303169590.dll C:\WINDOWS\system32\fast.dll,C:\PROGRA~1\KASPER~1\ KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\l6j8lg1u16.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\zkaqbbo.exe

**Buzz1927** · 07-06-2006, 09:54 PM

Download, install, update and scan your system with the free version of Ewido Security Suite:
1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. After the update finishes (the status bar at the bottom will display "Update successful"), exit Ewido and boot into safe mode:

Restart your computer, and begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

Now open Ewido, click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file. Please restart normally, then paste the contents of the text file to this thread, along with a new HijackThis log.

SearchEnDie · 07-08-2006, 02:41 AM

I will get the ewido later. but here is hjt

Logfile of HijackThis v1.99.1
Scan saved at 6:40:29 AM, on 7/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MANTEC~1\SRVICE~1.EXE
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\DOCUME~1\User\LOCALS~1\Temp\Rar$EX00.563\Hijack This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [defender] C:\\dfndrc_4a.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdc_4.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Rtsi] "C:\WINDOWS\SSTEM3~1\ntvdm.exe" -vt yazr
O4 - HKCU\..\Run: [Zdhqholq] C:\PROGRA~1\MANTEC~1\SRVICE~1.EXE
O4 - HKCU\..\Run: [] C:\PROGRA~1\MANTEC~1\SRVICE~1.EXE
O4 - HKCU\..\Run: [Eyeomp] C:\Documents and Settings\User\My Documents\?ssembly\msdtc.exe
O4 - HKCU\..\Run: [Fiiubse] C:\PROGRA~1\MANTEC~1\SRVICE~1.EXE
O4 - HKCU\..\Run: [Otse] "C:\PROGRA~1\COMMON~1\MBOLS~1\spoolsv.exe" -vt yazr
O4 - HKCU\..\Run: [Bear] C:\WINDOWS\??sks\winspool.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int14.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1149103758593
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: repairs303169590.dll c:\progra~1\kasper~1\kasper~1.0\adialhk.dll fast.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\l6j8lg1u16.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

NOT SAFE MODE

C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\4XONSJ4J\send_car_int[2].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : No action taken.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\85OPYRK5\send_ocx_sof[2].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : No action taken.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\IT0JQPY5\send_ocx_sof[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : No action taken.
C:\Documents and Settings\User\Cookies\user@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\User\Cookies\user@ads.addynamix[1].txt -> TrackingCookie.Addynamix : No action taken.
C:\Documents and Settings\User\Cookies\user@www.adtrak[2].txt -> TrackingCookie.Adtrak : No action taken.
C:\Documents and Settings\User\Cookies\user@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\User\Cookies\user@qksrv[2].txt -> TrackingCookie.Qksrv : No action taken.
C:\Documents and Settings\User\Cookies\user@revenue[1].txt -> TrackingCookie.Revenue : No action taken.
C:\Documents and Settings\User\Cookies\user@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : No action taken.
C:\Documents and Settings\User\Cookies\user@media.top-banners[1].txt -> TrackingCookie.Top-banners : No action taken.
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.

::Report end

07-06-2006, 07:36 AM	#1 (permalink)
SearchEnDie Bronze Member Join Date: Apr 2005 Posts: 42	Spyware malware the common My brother kinda downloaded stuff. I do not know, and one day all thease pop ups showed. thanks! if you help !! Logfile of HijackThis v1.99.1 Scan saved at 11:55:03 PM, on 7/5/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\zkaqbbo.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe C:\Program Files\Winamp\winampa.exe C:\dfndrc_4a.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe C:\WINDOWS\zkaqbboA.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Messenger\msmsgs.exe C:\PROGRA~1\COMMON~1\MBOLS~1\spoolsv.exe C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe C:\WINDOWS\??sks\winspool.exe C:\Program Files\AntiVir PersonalEdition Classic\avscan.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\WINDOWS\system32\msiexec.exe C:\DOCUME~1\User\LOCALS~1\Temp\Rar$EX09.813\Hijack This.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) F2 - REG:system.ini: UserInit=userinit.exe O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto O4 - HKLM\..\Run: [defender] C:\\dfndrc_4a.exe O4 - HKLM\..\Run: [keyboard] C:\\kybrdc_4.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [zkaqbboA] C:\WINDOWS\zkaqbboA.exe O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" O4 - HKLM\..\RunServices: [winlog] winlog.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Rtsi] "C:\WINDOWS\SSTEM3~1\ntvdm.exe" -vt yazr O4 - HKCU\..\Run: [Zdhqholq] C:\PROGRA~1\MANTEC~1\SRVICE~1.EXE O4 - HKCU\..\Run: [] C:\PROGRA~1\MANTEC~1\SRVICE~1.EXE O4 - HKCU\..\Run: [Eyeomp] C:\Documents and Settings\User\My Documents\?ssembly\msdtc.exe O4 - HKCU\..\Run: [Fiiubse] C:\PROGRA~1\MANTEC~1\SRVICE~1.EXE O4 - HKCU\..\Run: [Otse] "C:\PROGRA~1\COMMON~1\MBOLS~1\spoolsv.exe" -vt yazr O4 - HKCU\..\Run: [Bear] C:\WINDOWS\??sks\winspool.exe O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: BlueSoleil.lnk = ? O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int14.exe O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1149103758593 O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - AppInit_DLLs: repairs303169590.dll C:\WINDOWS\system32\fast.dll,C:\PROGRA~1\KASPER~1\ KASPER~1.0\adialhk.dll O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\l6j8lg1u16.dll (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing) O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\zkaqbbo.exe

07-06-2006, 09:54 PM	#2 (permalink)
Buzz1927 Digaredd Join Date: May 2005 Location: Melbourne AU Posts: 6,728	Download, install, update and scan your system with the free version of Ewido Security Suite: 1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". 2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment. 3. From the main ewido screen, click on update in the left menu, then click the Start update button. 4. After the update finishes (the status bar at the bottom will display "Update successful"), exit Ewido and boot into safe mode: Restart your computer, and begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter. Now open Ewido, click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack.... If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK. When the scan finishes, click on "Save Report". This will create a text file. Please restart normally, then paste the contents of the text file to this thread, along with a new HijackThis log. __________________ The Grim Reaper - Son of Glyndwr "To Hell or Connacht" may you burn in Hell tonight!

07-08-2006, 02:41 AM	#3 (permalink)
SearchEnDie Bronze Member Join Date: Apr 2005 Posts: 42	I will get the ewido later. but here is hjt Logfile of HijackThis v1.99.1 Scan saved at 6:40:29 AM, on 7/8/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe C:\Program Files\ewido anti-spyware 4.0\ewido.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Messenger\msmsgs.exe C:\PROGRA~1\MANTEC~1\SRVICE~1.EXE C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\WinRAR\WinRAR.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\DOCUME~1\User\LOCALS~1\Temp\Rar$EX00.563\Hijack This.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/ R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) F2 - REG:system.ini: UserInit=userinit.exe O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto O4 - HKLM\..\Run: [defender] C:\\dfndrc_4a.exe O4 - HKLM\..\Run: [keyboard] C:\\kybrdc_4.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized O4 - HKLM\..\RunServices: [winlog] winlog.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Rtsi] "C:\WINDOWS\SSTEM3~1\ntvdm.exe" -vt yazr O4 - HKCU\..\Run: [Zdhqholq] C:\PROGRA~1\MANTEC~1\SRVICE~1.EXE O4 - HKCU\..\Run: [] C:\PROGRA~1\MANTEC~1\SRVICE~1.EXE O4 - HKCU\..\Run: [Eyeomp] C:\Documents and Settings\User\My Documents\?ssembly\msdtc.exe O4 - HKCU\..\Run: [Fiiubse] C:\PROGRA~1\MANTEC~1\SRVICE~1.EXE O4 - HKCU\..\Run: [Otse] "C:\PROGRA~1\COMMON~1\MBOLS~1\spoolsv.exe" -vt yazr O4 - HKCU\..\Run: [Bear] C:\WINDOWS\??sks\winspool.exe O4 - Global Startup: BlueSoleil.lnk = ? O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int14.exe O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1149103758593 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - AppInit_DLLs: repairs303169590.dll c:\progra~1\kasper~1\kasper~1.0\adialhk.dll fast.dll O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\l6j8lg1u16.dll (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing) O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe NOT SAFE MODE C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\4XONSJ4J\send_car_int[2].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : No action taken. C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\85OPYRK5\send_ocx_sof[2].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : No action taken. C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\IT0JQPY5\send_ocx_sof[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : No action taken. C:\Documents and Settings\User\Cookies\user@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken. C:\Documents and Settings\User\Cookies\user@ads.addynamix[1].txt -> TrackingCookie.Addynamix : No action taken. C:\Documents and Settings\User\Cookies\user@www.adtrak[2].txt -> TrackingCookie.Adtrak : No action taken. C:\Documents and Settings\User\Cookies\user@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : No action taken. C:\Documents and Settings\User\Cookies\user@qksrv[2].txt -> TrackingCookie.Qksrv : No action taken. C:\Documents and Settings\User\Cookies\user@revenue[1].txt -> TrackingCookie.Revenue : No action taken. C:\Documents and Settings\User\Cookies\user@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : No action taken. C:\Documents and Settings\User\Cookies\user@media.top-banners[1].txt -> TrackingCookie.Top-banners : No action taken. C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken. ::Report end Last edited by SearchEnDie; 07-08-2006 at 03:07 AM.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode