You still have a number of evils in your hijackthis log. I'd go to
Spyware Removal, go to "Spyware Removal" and go to each of the 3 tutorials, spybot search and destroy, AdAware, and Microsoft Antispy. I'd run all 3 of those then post another log. I'd also try
http://housecall.trendmicro.com try their online spyware and virus remover. I've had good luck with both in the past.
Be sure to look this solution over before you begin. There are some item(s) I'm not familiar with. If you recognize any, then just omit them from this fix.
Run HiJackThis and click "Scan", then check (tick) the following, if present:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
...
(Unless you've set these with an anti-spyware program like SpyBot's Immunize feature, have HiJackThis fix this.)
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".
Reboot and post back a new log, and let me know how everything goes.
Steve
Message Edited by zbestwun2001 on 06-26-2005 12:28 PM
I just noticed that you have the Qoologic infection that requires another process to remove it.
Run the trial version of Ewido Security Suite one more time
Run it in safe mode, and don't open any windows or folders that you don't need to, and also disconnect from the Internet.
Run the scan and post back the results in this thread.
Steve
Message Edited by zbestwun2001 on 06-26-2005 01:31 PM
Jumping into a thread that is already being troubleshot is against the rules of this board. Please read this FAQ, HijackThis Guidelines (These will evolve. Private message me with any ideas), found here:
http://forums.us.dell.com/supportforums/board/message?board.id=si_hijack&message.id=6918
Maybe a more appropriate name would be, Hijackthis FORUM guidelines. Or Hijackthis FORUM rules. The way it is named, it seems that it would be guidelines for running hijackthis.
Also, you HAVE a "hijackthis before posting" listing and I READ that before I posted. Nowhere does it say when to post and when not to post! Also, don't let the fact that I don't have some PRESTIGIOUS membership with a well respected group like ASAP fool you, I've reverse engineered more programs than you can shake a stick at! (legally reverse engineered if I forgot to mention that?) Also had some of my research findings out on such lowly mailing lists as bugtraq and other such lowly places like cert.org. Though I'm going to get the prestige one day ;) I WILL!
Here's another problem we might need to address. The "ownership" rule can be bad in one way, that I've seen so far. It can be used to lock up multiple threads, preventing others from helping out (not to say that anyone has done that) - and that can be very frustrating.
Back when I was the only responder, keeping up the threads was important, but now we have multiple helpers coming online from all over, many of them just coming out of the malware 'schools' and needing experience working with victims - so helping them to succeed in that, will help everyone out overall.
I would certainly say someone has "locked up multiple threads" and I have certainly seen that and there would certainly be someone specific in mind. Now, did they do this maliciously or for ulterior motive? That I couldn't comment on because I don't know. There are a bunch of ways the ownership rule can be bad, since one person doesn't know everything (contrary to many personal beliefs) it then limits who can respond to a thread or a question. Also, I don't like to post on the beginning of a thread because I don't have nice easy to cut and paste instructions for people. I'm also confused as to why I keep seeing ewido suite recommended when it isn't free software yet you have the 3 best on the market (ms antispy, spybot, and adaware) NOT being recommended. Want an example of a rule broken thread that ended up with a fix from a rule breaker? (I contributed not knowing the rules, otherwise they'd still be stuck without a computer!) I'm sure you all can give me examples of a thread where multiple posters messed things up too and I can also give you threads where thread owners gave bad advice. etc. etc. It happens, people make mistakes and no one is all knowing.
http://forums.us.dell.com/supportforums/board/message?board.id=si_hijack&message.id=7344#M7344 There everyone on the thread was wanting HJT info. When it wasn't even spyware causing the problem, most likely a bad install of Norton. (not saying I'm more intelligent than those on the thread either, I've had experience with this problem with norton, the thread OWNER obviously hasn't, doesn't make anyone more or less intelligent or knowledgeable)
The thread ownership is just anti-message forums in every stretch of the imagination! It's like censorship. I also am not typically on here more than maybe 10 or 15 minutes a day. So any contribution I could bring would certainly be lost. OH also, why wouldn't you have instructions on taking people into safemode, have them run spybot/adaware/ms antispy etc and then have them come post their hijackthis thread after they are mostly clean. Basically everyone that posts their logs haven't even done the minimum first. Let this forum be one for tricky spyware, not basic easily removed in safemode stuff.
I saw from that thread, that you were wanting to be part of ASAP. Did you have the link to apply? Also, you don't need to be an admin/owner of a forum to be a member.
Might be true, but the reverse can be said of the others as well. I recall seeing a richup.exe still leftover after ewido was run and if I remember about 6 or so months ago, adaware was removing that with no issue. Of course it is common knowledge that 3 or 4 scanners would be better than one. If it were possible and not system resource problematic and stability problematic etc. etc. It would be better to run 12 virus scanners.
zbestwun2001
June 25th, 2005 21:00
Steve
Message Edited by zbestwun2001 on 06-25-2005 03:37 PM
oHcHuTe
June 25th, 2005 23:00
Scan saved at 5:37:55 PM, on 6/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\kljmam.exe
C:\WINDOWS\system32\kd1onfig.exe
C:\Program Files\Cas\Client\casclient.exe
c:\windows\system32\fcvoec.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\victor ceniceros\My Documents\Downloads\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitekad32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kljmam.exe reg_run
O4 - HKLM\..\Run: [37rj3qj] kilbk32.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [rlgodpv] c:\windows\system32\fcvoec.exe r
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Iw0tRkHsX] kd1onfig.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {12F9CCA0-CF5B-11D2-B606-008098809FCA} - http://www.phoenix.aleks.com/aleks/j2re/install_j2re.cab?cache
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0002.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
zbestwun2001
June 26th, 2005 01:00
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml
Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and
icons will disappear and reappear, and a window should open and close
very quickly --- this is normal.
Then please run Ewido, and run a full scan. Save the logfile from the scan.
Next please run HijackThis, click Scan, and check:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
Close all open windows except for HijackThis and click Fix Checked.
Restart your computer in normal mode and please post a new HijackThis
log, as well as the log from the Ewido scan.
Steve
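What a helper does with the logs in this thread is compare the one posted before the fix with the one posted after it, and look first at entries like the ones Steve named (the F2 UserInit line, the orphaned O3 toolbar, O4 autostarts with bare filenames). The Python below is an added example, not code from the thread or from HijackThis: it parses the HJT line format, applies a few review heuristics, and diffs two short excerpts taken from the logs above (the excerpts are a constructed sample; the heuristics are assumptions about what deserves a look, not verdicts).

```python
import re
from dataclasses import dataclass

# Excerpts of the two HijackThis logs posted in this thread, before and after
# the Nailfix/ewido run (constructed sample: a handful of lines from each log).
LOG_BEFORE = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe
O4 - HKLM\..\Run: [37rj3qj] kilbk32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
""".strip()

LOG_AFTER = r"""
O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe
O4 - HKLM\..\Run: [37rj3qj] kilbk32.exe
O4 - Global Startup: dukt.exe
""".strip()

# Every HijackThis finding starts with a section code: R0-R3, F0-F3, O1-O24.
LINE_RE = re.compile(r"^(?P<section>[RF]\d|O\d+) - (?P<body>.*)$")


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O4"
    body: str     # text after the code; used as the identity of the entry
    path: str     # file, command or URL the entry points at ("" if unknown)


def _extract_path(section: str, body: str) -> str:
    """Pull the target out of the section-specific line layout."""
    if section == "F2":
        # F2 - REG:system.ini: UserInit=<path>
        return body.split("=", 1)[1].strip() if "=" in body else ""
    if section in ("O2", "O3", "O9", "O16", "O18", "O23"):
        # these sections end in " - <path>", or " - (no file)" when orphaned
        return body.rsplit(" - ", 1)[-1].strip()
    if section == "O4":
        # O4 - <hive>\..\Run: [<name>] <command>   or   O4 - Global Startup: <file>
        m = re.search(r"\]\s*(.+)$", body)
        return m.group(1).strip() if m else body.split(":", 1)[-1].strip()
    return ""


def parse_log(text: str) -> list[Entry]:
    """Parse the R/F/O lines of a HijackThis log; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sec, body = m.group("section"), m.group("body")
            entries.append(Entry(sec, body, _extract_path(sec, body)))
    return entries


def review(entries: list[Entry]) -> list[tuple[str, Entry]]:
    """Heuristics a helper applies first; they mark entries to look at, not verdicts."""
    findings = []
    for e in entries:
        base = e.path.lower().rstrip(",").rsplit("\\", 1)[-1]
        if e.section == "F2" and "userinit" in e.body.lower():
            # Windows XP runs userinit.exe at logon; any other value has hooked logon.
            if base != "userinit.exe":
                findings.append(("UserInit replaced", e))
        elif e.path == "(no file)":
            findings.append(("orphaned entry", e))
        elif e.section == "O4" and "\\" not in e.path:
            # bare filename: resolved via the search path, no vendor directory to
            # judge by (legitimate ones exist, e.g. point32.exe above; needs a human)
            findings.append(("autostart with bare filename", e))
        elif e.section == "O23" and "Unknown owner" in e.body:
            findings.append(("service with unknown owner", e))
    return findings


def compare(before: list[Entry], after: list[Entry]):
    """Split entries into (removed, persisted, new) by their full body text."""
    b = {e.body: e for e in before}
    a = {e.body: e for e in after}
    removed = [b[k] for k in b if k not in a]
    persisted = [a[k] for k in a if k in b]
    new = [a[k] for k in a if k not in b]
    return removed, persisted, new


if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    for reason, e in review(before):
        print(f"[before] {reason}: {e.section} - {e.body}")
    removed, persisted, new = compare(before, after)
    print(f"removed {len(removed)}, persisted {len(persisted)}, new {len(new)}")
    for e in persisted + new:
        print(f"[still to fix] {e.section} - {e.body}")
```

On the excerpts, the diff shows that richup.exe and kilbk32.exe survived the fix and that dukt.exe is new, which is exactly what a second round of instructions has to target.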
oHcHuTe
June 26th, 2005 05:00
Logfile of HijackThis v1.99.1
Scan saved at 10:56:43 PM, on 6/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\EXPLORER.EXE
C:\Documents and Settings\victor ceniceros\My Documents\Downloads\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe
O4 - HKLM\..\Run: [37rj3qj] kilbk32.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kljmam.exe reg_run
O4 - HKCU\..\Run: [Iw0tRkHsX] kd1onfig.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: dukt.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {12F9CCA0-CF5B-11D2-B606-008098809FCA} - http://www.phoenix.aleks.com/aleks/j2re/install_j2re.cab?cache
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Here is the other one:
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 10:47:16 PM, 6/25/2005
+ Report-Checksum: 9FCE90C0
+ Date of database: 6/26/2005
+ Version of scan engine: v3.0
+ Duration: 32 min
+ Scanned Files: 144225
+ Speed: 75.09 Files/Second
+ Infected files: 66
+ Removed files: 66
+ Files put in quarantine: 66
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
+ Scan result:
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq10.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq12.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq13.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq14.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq18.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq1A.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq1D.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq1E.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq1F.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq22.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq23.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq25.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq26.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq27.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq2B.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq2C.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq2E.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq2F.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq31.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq32.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq33.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq35.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq36.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq45.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq46.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq4C.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq79.tmp/C:/WINDOWS/system32/nvms.dll -> Spyware.Bargainbuddy -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq79.tmp/C:/Program Files/NaviSearch/bin/nls.exe -> Spyware.ExactSearchBar -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq7B.tmp/C:/WINDOWS/system32/mscb.dll -> Spyware.BargainBuddy.i -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq7B.tmp/C:/Program Files/CashBack/bin/cashback.exe -> Spyware.BargainBuddy -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq7B.tmp/C:/Program Files/CashBack/bin/cb.exe -> Spyware.BargainBuddy.n -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq7B.tmp/C:/Program Files/CashBack/bin/flash.exe -> Spyware.BargainBuddy.j -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq88.tmp -> Spyware.MyWay.j -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq89.tmp -> Spyware.MyWay.j -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq8A.tmp -> Spyware.MyWay.j -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqB.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqC.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqD.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqF.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\victor ceniceros\Cookies\victor ceniceros@46842095[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\victor ceniceros\Cookies\victor ceniceros@ads.as4x.tmcs[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\victor ceniceros\Cookies\victor ceniceros@ads.monster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\victor ceniceros\Cookies\victor ceniceros@dcs2omr9fpifwznrgv67zf9ub_7p8i[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\victor ceniceros\Cookies\victor ceniceros@geocities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\victor ceniceros\Cookies\victor ceniceros@LPpacificsunwear[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\victor ceniceros\Local Settings\Temp\uninstall.exe -> Spyware.EliteBar.q -> Cleaned with backup
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP228\A0048697.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP228\A0048698.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP229\A0048946.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP229\A0048947.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP231\A0048959.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP231\A0048960.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP231\A0048968.dll -> TrojanDownloader.Qoologic.p -> Cleaned with backup
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP231\A0049008.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP231\A0049049.exe -> TrojanDownloader.Agent.qg -> Cleaned with backup
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP231\A0049050.exe -> TrojanDownloader.Agent.qg -> Cleaned with backup
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP231\A0049052.dll -> Spyware.HotSearchBar -> Cleaned with backup
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP231\A0049069.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP231\A0049070.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP231\A0049099.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP231\A0049100.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP231\A0049131.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP231\A0049132.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP231\A0049136.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP231\A0049142.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\SYSTEM32\redit.cpl -> TrojanDownloader.Qoologic.p -> Cleaned with backup
::Report End
scottlarockman
68 Posts
0
June 26th, 2005 10:00
O4 - HKLM\..\Run: [37rj3qj] kilbk32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kljmam.exe reg_run
O4 - HKCU\..\Run: [Iw0tRkHsX] kd1onfig.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: dukt.exe
I'm unable to find any info on this, but it is at high suspicion for being a little demon.
O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe
zbestwun2001
3 Apprentice
8.8K Posts
0
June 26th, 2005 12:00
Let's continue on with the fix...
-
Be sure to look this solution over before you begin. There are some item(s) I'm not familiar with. If you recognize any, then just omit them from this fix.
Run HiJackThis and click "Scan", then check (tick) the following, if present:
O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe
O4 - HKLM\..\Run: [37rj3qj] kilbk32.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kljmam.exe reg_run
O4 - HKCU\..\Run: [Iw0tRkHsX] kd1onfig.exe
O4 - Global Startup: dukt.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
... (Unless you've set these with an anti-spyware program like SpyBot's Immunize feature, have HiJackThis fix this.)
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
Now, with all windows closed except HiJackThis, click "Fix checked".
Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
folders...
C:\Program Files\Eset
files...
C:\WINDOWS\system32\richup.exe
C:\WINDOWS\VCMnet11.exe
C:\WINDOWS\system32\kljmam.exe
Search for...
kilbk32.exe
kd1onfig.exe
dukt.exe
...using "Start | Search...".
-
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".
Reboot and post back a new log, and let me know how everything goes.
Steve
Message Edited by zbestwun2001 on 06-26-2005 12:28 PM
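As an added illustration (not part of this thread, and not code from HijackThis or ewido), here is a small Python parser for the O4 lines listed in the fix above. It pulls the registry key, value name and command out of each line and splits the entries the same way the post does: entries whose command carries a full path can be deleted directly, while bare file names (kilbk32.exe, kd1onfig.exe, dukt.exe) have to be searched for first, because a Run value that names a file with no directory is resolved through the system's path search at logon and the log cannot tell you where the file actually lives. The sample lines are copied from the post; the function and type names are mine.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample input: the O4 lines the helper lists for fixing in this thread,
# copied as HijackThis prints them.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe",
    r"O4 - HKLM\..\Run: [37rj3qj] kilbk32.exe",
    r"O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe",
    r"O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kljmam.exe reg_run",
    r"O4 - HKCU\..\Run: [Iw0tRkHsX] kd1onfig.exe",
    r"O4 - Global Startup: dukt.exe",
]


class Autorun(NamedTuple):
    location: str          # registry key as HijackThis abbreviates it (HKLM\..\Run), or a startup folder
    name: Optional[str]    # registry value name; None for startup-folder items
    command: str           # the command exactly as the log shows it
    image: str             # executable extracted from the command, quotes and arguments stripped
    needs_search: bool     # True when the image is a bare file name with no directory


# "O4 - HKLM\..\Run: [value name] command" (also RunOnce, RunServices, HKCU ...)
_REG_RE = re.compile(r"^O4 - (?P<loc>HK\w+\\[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O4 - Startup: item" (per-user folder) and "O4 - Global Startup: item" (all users)
_STARTUP_RE = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<cmd>.*)$")
# shortest prefix that ends in an executable extension followed by whitespace or end of line
_EXT_RE = re.compile(r"(.*?\.(?:exe|dll|com|scr|pif|cmd|bat))(?=\s|$)", re.IGNORECASE)


def image_from_command(cmd: str) -> str:
    """Return the executable part of an autorun command, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # "C:\Program Files\x\y.exe" /arg
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = _EXT_RE.match(cmd)                        # C:\WINDOWS\system32\kljmam.exe reg_run
    if m:
        return m.group(1)
    parts = cmd.split()                           # no recognised extension: take the first token
    return parts[0] if parts else cmd


def parse_o4(line: str) -> Optional[Autorun]:
    """Parse one HijackThis O4 line; return None for lines of any other section."""
    m = _REG_RE.match(line)
    if m:
        loc, name, cmd = m.group("loc"), m.group("name"), m.group("cmd")
    else:
        m = _STARTUP_RE.match(line)
        if m is None:
            return None
        loc, name, cmd = m.group("loc"), None, m.group("cmd")
    image = image_from_command(cmd)
    # A bare name is resolved through the path search at logon, so the log cannot say
    # where the file is; it must be located before it can be removed.
    return Autorun(loc, name, cmd, image, needs_search="\\" not in image)


def triage(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Split O4 entries into files deletable by path and names that must be searched for."""
    delete_paths: List[str] = []
    search_names: List[str] = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        (search_names if entry.needs_search else delete_paths).append(entry.image)
    return delete_paths, search_names


if __name__ == "__main__":
    paths, names = triage(SAMPLE_O4_LINES)
    print("delete by path:", *paths, sep="\n  ")
    print("search for:", *names, sep="\n  ")
```

Run on the six sample lines, the "delete by path" list is richup.exe, VCMnet11.exe and kljmam.exe and the "search for" list is kilbk32.exe, kd1onfig.exe and dukt.exe, which is exactly the split the post asks the user to make by hand. The quoted-path branch handles entries such as the CAS Client line earlier in the thread, and the lookahead in the extension regex keeps trailing arguments like reg_run out of the path.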
zbestwun2001
3 Apprentice
8.8K Posts
0
June 26th, 2005 17:00
Run the trial version of Ewido Security Suite one more time
Run it in safe mode, and don't open any windows or folders that you don't need to, and also disconnect from the Internet.
Run the scan and post back the results in this thread.
Steve
Message Edited by zbestwun2001 on 06-26-2005 01:31 PM
DELL-Chris M
Community Manager
56.9K Posts
0
June 26th, 2005 18:00
Jumping into a thread that is already being troubleshot is against the rules of this board. Please read this FAQ, HijackThis Guidelines (These will evolve. Private message me with any ideas), found here:
http://forums.us.dell.com/supportforums/board/message?board.id=si_hijack&message.id=6918
scottlarockman
68 Posts
0
June 26th, 2005 19:00
DELL-Chris M
Community Manager
56.9K Posts
0
June 26th, 2005 20:00
Midnight Star
4.8K Posts
0
June 26th, 2005 21:00
Here's another problem we might need to address. The "ownership" rule can be bad in one way, that I've seen so far. It can be used to lock up multiple threads, preventing others from helping out (not to say that anyone has done that) - and that can be very frustrating.
Back when I was the only responder, keeping up the threads was important, but now we have multiple helpers coming online from all over, many of them just coming out of the malware 'schools' and needing experience working with victims - so helping them to succeed in that will help everyone out overall.
==========
Mike.
scottlarockman
68 Posts
0
June 26th, 2005 21:00
Midnight Star
4.8K Posts
0
June 26th, 2005 22:00
I saw from that thread that you were wanting to be part of ASAP. Did you have the link to apply? Also, you don't need to be an admin/owner of a forum to be a member.
==========
Mike.
scottlarockman
68 Posts
0
June 26th, 2005 22:00
zbestwun2001
3 Apprentice
8.8K Posts
0
June 26th, 2005 22:00
thanks
Steve