Greetings,
Before you post in this forum, please read and follow the instructions in this post: Guidelines for Posting in This Forum
Failure to follow these instructions will only result in delays of the cleaning and removal process.
If you ran other AntiVirus and/or AntiSpyware programs and have the logs available, please post them as well.
Our goal is to help you clean your PC and restore it to pre-infection condition wherever possible.
Thank You
Jan 3 2006, 07:28 AM
Post #1
darren62 (Active Member, Group: Active Members, Posts: 24, Joined: 3-January 06, Member No.: 17333)
I think I've been infected. I had SpySheriff and WinHound 2 days ago. Then I went to download Spybot - Search & Destroy to scan my computer. Since the day I scanned and deleted SpySheriff and WinHound (by uninstalling them through Add/Remove Programs, so I wouldn't know if I removed them completely), each time I reboot the computer I get this error message that kernel64 is missing and that Windows Explorer is not working properly.
My HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:18:41 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\inet20001\winlogon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\WinAce\WinAce.exe
C:\DOCUME~1\darren\LOCALS~1\Temp\~AceTemp\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\kernels64.exe
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKLM\..\Run: [Windows Services] service32.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels64.exe
O4 - HKLM\..\RunServices: [Windows Services] service32.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels64.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Windows Services] service32.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sywsvcs.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\RunServices: [Windows Services] service32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O15 - Trusted Zone: http://*.gunbound.net
O15 - Trusted Zone: http://*.nprotect.net
O15 - Trusted Zone: http://*.softnyx.net
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c18.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121153143218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130976709265
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Need help please, thanks.

This post has been edited by darren62: Jan 3 2006, 07:52 AM
Jan 3 2006, 11:16 AM
Post #2
The computer whisperer (Admin, Posts: 5988, Joined: 17-April 04, From: Isla Nublar, Member No.: 6954)
Hi darren62,
Download smitRem.exe and save the file to your desktop. Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here: http://www.ewido.net/en/download/
Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates: Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:

Wait for the tool to complete and disk cleanup to finish. The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

Next go to Control Panel, click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked! Save the scan log and post it along with a new HijackThis log, the contents of the smitfiles.txt log and the Ewido log by using Add Reply.

Let us know if any problems persist.
Jan 4 2006, 07:00 AM
Post #3
darren62 (Active Member)
Um.. I clicked the Panda ActiveScan shortcut and I'm brought back to the web. I clicked on Local Disk to scan but nothing happens.

This post has been edited by darren62: Jan 4 2006, 08:58 AM
Jan 4 2006, 10:46 AM
Post #4
The computer whisperer (Admin)
Weird.... Can you try this link: http://www.pandasoftware.com/activescan/ac...17490&Idpais=63
Do you use Internet Explorer at the Panda site?
Jan 4 2006, 03:46 PM
Post #5
darren62 (Active Member)
Ok, this is weird. Either my browser is not IE 0.5 and above, or something is wrong. I tried downloading IE 0.6 but they (Microsoft) said I have a newer version than IE 0.6.

This post has been edited by darren62: Jan 4 2006, 03:51 PM
Jan 5 2006, 11:10 AM
Post #6
The computer whisperer (Admin)
From your logs I would say you are at Internet Explorer 6, fully updated and all.
QUOTE: MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

How are the ActiveX settings in Internet Explorer?
Jan 6 2006, 05:05 AM
Post #7
darren62 (Active Member)
Well, it's working. When I first entered the site (Panda ActiveScan), I was required to download an ActiveX program for the Panda ActiveScan site. I've downloaded it and I tried again clicking at Local Disk; it still doesn't work. The only problem I have so far is an occasional Windows Explorer error.
Jan 6 2006, 12:32 PM
Post #8
The computer whisperer (Admin)
Good that it works. Can you still post the logs I asked for?
Jan 8 2006, 07:16 PM
Post #9
darren62 (Active Member)
Sorry for the late reply. I couldn't get the Panda ActiveScan to work. But here are the rest of the logs that you requested ^_^
smitRem © log file
version 2.8
by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 01/04/2006
The current time is: 15:36:24.64

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key
ShudderLTD key not present!

checking for PSGuard.com key
PSGuard.com key not present!

checking for WinHound.com key
WinHound.com key present!
Running WinHound.com fix!
WinHound.com key was successfully removed! :)

spyaxe uninstaller NOT present
Winhound uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~
Install.dat

~~~ Favorites ~~~

~~~ system32 folder ~~~
svcp.csv
oleext32.dll
intell32.exe
oleext.dll
logfiles

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~
uninstIU.exe
desktop.html

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 736 'explorer.exe'

Starting registry repairs

Deleting files

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~
CLEAN! :)


Logfile of HijackThis v1.99.1
Scan saved at 3:13:57 AM, on 1/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\e-Games\RAN_Online(en)\RANLauncher(en).exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\darren\My Documents\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [Windows Services] service32.exe
O4 - HKLM\..\RunServices: [Windows Services] service32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Services] service32.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sywsvcs.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [Windows Services] service32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O15 - Trusted Zone: http://*.gunbound.net
O15 - Trusted Zone: http://*.nprotect.net
O15 - Trusted Zone: http://*.softnyx.net
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121153143218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130976709265
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:49:01 PM, 1/4/2006
+ Report-Checksum: 262AF488

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{31EE3286-D785-4E3F-95FC-51D00FDABC01} -> Downloader.Delf.aeo : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\bhoreg\{5321E378-FFAD-4999-8C62-03CA8155F0B3} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-2038945071-495446925-488748980-1005\Software\Microsoft\Internet Explorer\Keywords -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-2038945071-495446925-488748980-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-2038945071-495446925-488748980-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-2038945071-495446925-488748980-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} -> Spyware.Azsearch : Cleaned with backup
HKU\S-1-5-21-2038945071-495446925-488748980-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B75F75B8-93F3-429D-FF34-660B206D897A} -> Spyware.PurityScan : Cleaned with backup
HKU\S-1-5-21-2038945071-495446925-488748980-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFF5092F-7172-4018-827B-FA5868FB0478} -> Spyware.ZToolbar : Cleaned with backup
[204] C:\WINDOWS\system32\browsela.dll -> Downloader.Delf.aeo : Cleaned with backup
[1836] C:\WINDOWS\system32\browsela.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\WINDOWS\system32\browsela.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\WINDOWS\system32\msvcrl.dll -> Dropper.Agent.afj : Cleaned with backup
C:\WINDOWS\system32\sachostp.exe -> Dropper.Agent.afj : Cleaned with backup
C:\WINDOWS\system32\sachostw.exe -> Dropper.Agent.afj : Cleaned with backup
C:\WINDOWS\system32\sachostc.exe -> Dropper.Agent.afj : Cleaned with backup
C:\WINDOWS\system32\mspostsp.exe -> Trojan.Inject.i : Cleaned with backup
C:\WINDOWS\system32\sachosts.exe -> Dropper.Agent.afj : Cleaned with backup
C:\WINDOWS\system32\AdCache -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_171900.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_172100.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_172200.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_172300.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_173200.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_187300.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_187400.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_0_206900.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_153300.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_0_206900.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_153300.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_153400.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_153500.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_153600.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_217400.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_313200.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_346600.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_346900.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_382400.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_153400.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_153500.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_153600.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_313200.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_346600.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_346900.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_282500.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_282500.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_113700.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_2_382400.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_229200.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_230700.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_230900.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_231200.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_113700.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_2_171900.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_2_172100.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_3_172200.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_3_172300.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_3_173200.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_0_382400.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_207400.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_207400.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_436300.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_436500.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_436700.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_436800.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_436900.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_160800.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_160900.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_161000.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_438300.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_438500.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_438600.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_160800.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_160900.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_161000.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_438300.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_438500.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_438600.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_228300.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_138300.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_138300.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_436100.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_149700.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_149700.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_273100.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_273100.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_120800.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_128600.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_130800.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_158700.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_166900.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_220000.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_220100.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_436100.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_436300.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_436500.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_220000.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_220100.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_436700.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_436800.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_436900.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_221500.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_297200.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_314300.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_359400.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_221500.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_297200.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_314300.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_220000.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_220100.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_295400.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_396600.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_220000.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_220100.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_1_130800.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_445800.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_445900.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_1_0_453800.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_0_815900.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_0_815600.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_446000.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_0_814200.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_1_0_448600.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_1_0_448500.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\paradise.raw.exe -> Proxy.Lager.f : Cleaned with backup
C:\WINDOWS\system32\msupdate32.dll -> Backdoor.Delf.ald : Cleaned with backup
C:\WINDOWS\alt.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\WINDOWS\sachostx.exe -> Worm.Locksky.q : Cleaned with backup
C:\WINDOWS\adsldpbf.dll -> Downloader.Delf.lh : Cleaned with backup
C:\WINDOWS\inet20001\services.exe -> Downloader.CWS.r : Cleaned with backup
C:\WINDOWS\inet20001\winlogon.exe -> Downloader.CWS.r : Cleaned with backup
C:\WINDOWS\inet20001\3.00.13.dll -> Spyware.Ihbo : Cleaned with backup
C:\WINDOWS\inet20001\mm4.exe.bak -> Proxy.Delf.an : Cleaned with backup
C:\WINDOWS\inet20001\mm4.exe -> Proxy.Delf.an : Cleaned with backup
C:\WINDOWS\inet20001\alg.exe.bak -> Worm.Delf.i : Cleaned with backup
C:\WINDOWS\inet20001\alg.exe -> Worm.Delf.i : Cleaned with backup
C:\WINDOWS\g41429093.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\Documents and Settings\darren\Local Settings\Temporary Internet Files\Content.IE5\XFQARHHX\xp_0031[1].exe -> Worm.Locksky.q : Cleaned with backup
C:\Documents and Settings\darren\Cookies\darren@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\darren\Cookies\darren@microsofteup.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\darren\Cookies\darren@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\darren\temp.bak -> Worm.Locksky.q : Cleaned with backup
C:\System Volume Information\_restore{0DC391BE-28C7-4A2A-AE41-463EA2D85ADA}\RP1\A0000010.exe -> Adware.PSGuard : Cleaned with backup
C:\System Volume Information\_restore{0DC391BE-28C7-4A2A-AE41-463EA2D85ADA}\RP1\A0000012.dll -> Adware.PSGuard : Cleaned with backup
C:\System Volume Information\_restore{0DC391BE-28C7-4A2A-AE41-463EA2D85ADA}\RP1\A0000019.exe -> Proxy.Delf.an : Cleaned with backup
C:\System 
Volume Information\_restore{0DC391BE-28C7-4A2A-AE41-463EA2D85ADA}\RP1\A0000020.exe -> Worm.Delf.i : Cleaned with backup C:\System Volume Information\_restore{0DC391BE-28C7-4A2A-AE41-463EA2D85ADA}\RP1\A0001019.exe -> Proxy.Delf.an : Cleaned with backup C:\System Volume Information\_restore{0DC391BE-28C7-4A2A-AE41-463EA2D85ADA}\RP1\A0001020.exe -> Worm.Delf.i : Cleaned with backup C:\System Volume Information\_restore{0DC391BE-28C7-4A2A-AE41-463EA2D85ADA}\RP1\A0001028.exe -> Proxy.Delf.an : Cleaned with backup C:\System Volume Information\_restore{0DC391BE-28C7-4A2A-AE41-463EA2D85ADA}\RP1\A0001029.exe -> Worm.Delf.i : Cleaned with backup C:\System Volume Information\_restore{0DC391BE-28C7-4A2A-AE41-463EA2D85ADA}\RP1\A0001037.exe -> Downloader.Small.vu : Cleaned with backup C:\System Volume Information\_restore{0DC391BE-28C7-4A2A-AE41-463EA2D85ADA}\RP1\A0001038.dll -> Trojan.Small.ev : Cleaned with backup C:\System Volume Information\_restore{0DC391BE-28C7-4A2A-AE41-463EA2D85ADA}\RP1\A0001039.exe -> Trojan.Small.ev : Cleaned with backup C:\boot.inx -> Downloader.FakeAntiSpyware : Cleaned with backup ::Report End thats all.. thanks for all your help ^_^... is there still anything wrong with my computer other than the windows explorer error O_O? |

Post #10, Jan 9 2006, 10:44 AM
The computer whisperer (Group: Admin, Posts: 5988, Joined: 17-April 04, From: Isla Nublar, Member No.: 6954)
Hi darren62,

We're not out of the woods yet... You have a CoolWebSearch Infection.

Please download CoolWebShredder, from http://www.trendmicro.com/cwshredder/
Extract CWShredder to its own folder. Restart in Safe Mode (How do I Safe Boot my computer?) and run the program. Be sure all open windows are closed. Click the "Fix ->" button. Make sure you let it fix all CWS Remnants.

Download win32delfkil.exe. Save it on your desktop. Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil. Close all windows, open the win32delfkil folder and double click on fix.bat. The computer will reboot automatically.

Post the contents of the logfile c:\windelf.txt, along with a new HijackThis log.

Post #11, Jan 10 2006, 12:54 AM
Active Member (Group: Active Members, Posts: 24, Joined: 3-January 06, Member No.: 17333)
Logfile of HijackThis v1.99.1
Scan saved at 8:52:01 AM, on 1/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\darren\My Documents\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [Windows Services] service32.exe
O4 - HKLM\..\RunServices: [Windows Services] service32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Services] service32.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sywsvcs.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [Windows Services] service32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O15 - Trusted Zone: http://*.gunbound.net
O15 - Trusted Zone: http://*.nprotect.net
O15 - Trusted Zone: http://*.softnyx.net
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121153143218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130976709265
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

************************
* WIN32DELFKIL LOGFILE *
************************
by Marckie

BEFORE RUNNING WIN32DELFKIL
***************************

File(s) found in Windows directory
----------------------------------
adsldpbf.dll
alt.exe

File(s) found in system32 folder
--------------------------------
browsela.dll

SharedTaskScheduler key
-----------------------
SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon
{31EE3286-D785-4E3F-95FC-51D00FDABC01} REG_SZ Master Browseui

Notify key
----------
subkey browsela is present!

The logs u need. Any other problems beside the windows explorer problem I'm still having?

Post #12, Jan 10 2006, 11:35 AM
The computer whisperer (Group: Admin, Posts: 5988, Joined: 17-April 04, From: Isla Nublar, Member No.: 6954)
Hi darren62,

Was that the complete log from the Delfkiller? It seems to be missing something...

You might want to save this page on your favorites, so you can find it again when you return. You can also click on your name and click on "Find All Posts" to find your thread.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [Windows Services] service32.exe
O4 - HKLM\..\RunServices: [Windows Services] service32.exe
O4 - HKCU\..\Run: [Windows Services] service32.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sywsvcs.exe
O4 - HKCU\..\RunServices: [Windows Services] service32.exe
O15 - Trusted Zone: http://*.gunbound.net
O15 - Trusted Zone: http://*.nprotect.net
O15 - Trusted Zone: http://*.softnyx.net
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files? At the end of the fix you can return the files to hidden status if you want.

Delete the following files in red (it could be that they are deleted already):

C:\WINDOWS\sysldr32.exe
C:\WINDOWS\system32\sywsvcs.exe
C:\WINDOWS\system32\service32.exe
C:\WINDOWS\system32\browsela.dll
C:\WINDOWS\system32\msupdate32.dll

Restart your computer and post a new log in this thread.

I don't want to address the problem with Explorer as long as the log is not clean. It might have come thanks to the malware on your system...
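Editor's note, added to the thread: the helper's list above picks out three HijackThis sections that repay a second look on any log, the O4 autorun entries, the O15 Trusted Zone entries and the O20 Winlogon Notify subkeys. The script below is an added example (not part of the thread, of HijackThis, or of win32delfkil) that parses those lines and reports the generic warning signs a reviewer checks first: an autorun command given as a bare file name rather than a full path, an entry whose target is reported "(file missing)", a Windows 9x-era RunServices key still in use, and a wildcard domain in the Trusted Zone. The line-shape regexes and the heuristics are my own reading of the log format; the sample lines are copied from the log posted in this thread. The `winlogon_notify` helper lists the Notify subkeys so they can be compared with the "Notify key" section of the win32delfkil log, which reports whether the browsela subkey is still present.

```python
"""Triage helper for HijackThis log lines (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [Windows Services] service32.exe
O4 - HKLM\..\RunServices: [Windows Services] service32.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sywsvcs.exe
O15 - Trusted Zone: http://*.gunbound.net
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
"""

MISSING = "(file missing)"

# Line shapes for the three sections the helper asked to have fixed.
# These regexes are my own reading of the log format, not HijackThis code.
_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O15 = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
# Program part of an unquoted command: everything up to the first executable extension.
_EXE = re.compile(r"^(?P<exe>.+?\.(?:exe|com|bat|cmd|scr|pif|dll))(?:\s|$)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    item: str     # autorun value name, trusted-zone pattern or Notify subkey
    reason: str   # why a reviewer would look twice
    line: str     # the log line as posted


def executable(cmd: str) -> str:
    """Return the program part of an autorun command, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = _EXE.match(cmd)
    return m.group("exe") if m else cmd.split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Collect the generic warning signs in O4, O15 and O20 lines."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := _O4.match(line):
            name, cmd = m.group("name"), m.group("cmd")
            if cmd.endswith(MISSING):
                findings.append(Finding("O4", name, "autorun points at a file that is gone", line))
                continue
            exe = executable(cmd)
            if "\\" not in exe:
                findings.append(Finding("O4", name,
                    f"bare file name {exe!r}: what runs depends on the search path", line))
            if m.group("key") == "RunServices":
                findings.append(Finding("O4", name,
                    "RunServices is a Windows 9x-era key; rarely used by current software", line))
        elif m := _O15.match(line):
            if "*" in m.group("site"):
                findings.append(Finding("O15", m.group("site"),
                    "wildcard Trusted Zone entry relaxes IE security for every host under it", line))
        elif m := _O20.match(line):
            if m.group("target").endswith(MISSING):
                findings.append(Finding("O20", m.group("name"),
                    "Winlogon Notify subkey references a missing DLL; the registry entry is a leftover", line))
    return findings


def winlogon_notify(log_text: str) -> dict[str, str]:
    """Map every Winlogon Notify subkey in the log to the DLL it loads.

    Compare with the 'Notify key' section of the win32delfkil log, which
    reports whether the 'browsela' subkey is still present after the fix."""
    return {m.group("name"): m.group("target")
            for line in log_text.splitlines()
            if (m := _O20.match(line.strip()))}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} [{f.item}] {f.reason}")
    print("Winlogon Notify subkeys:", sorted(winlogon_notify(SAMPLE_LOG)))
```

On the sample above the script reports five findings: the bare `service32.exe` command under both HKLM Run and HKLM RunServices, the RunServices key itself, the wildcard `*.gunbound.net` Trusted Zone entry, and the msupdate Notify subkey whose DLL is missing. The entries with a full path (sysldr32.exe, sywsvcs.exe, browsela.dll) produce nothing here: those were identified from the helper's knowledge of the malware, not from the line's shape, which is exactly why a parser like this is a first pass and not a verdict.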

Post #13, Jan 10 2006, 09:00 PM
Active Member (Group: Active Members, Posts: 24, Joined: 3-January 06, Member No.: 17333)
I wasn't able to find the rest of the files to delete. I found

C:\WINDOWS\system32\browsela.dll

But I wasn't able to delete it. It says that the file is being used by another program and I can't move it either.

Post #14, Jan 11 2006, 10:25 AM
The computer whisperer (Group: Admin, Posts: 5988, Joined: 17-April 04, From: Isla Nublar, Member No.: 6954)
Hi darren62,

Did you run the delfkill program? Browsela is part of Win.Delf, and that should have taken care of it. Can you run it again, and post the complete c:\windelf.txt file.

Post #15, Jan 12 2006, 12:42 AM
Active Member (Group: Active Members, Posts: 24, Joined: 3-January 06, Member No.: 17333)
************************
* WIN32DELFKIL LOGFILE *
************************
by Marckie

BEFORE RUNNING WIN32DELFKIL
***************************

File(s) found in Windows directory
----------------------------------
adsldpbf.dll
alt.exe

File(s) found in system32 folder
--------------------------------
browsela.dll

SharedTaskScheduler key
-----------------------
SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon
{31EE3286-D785-4E3F-95FC-51D00FDABC01} REG_SZ Master Browseui

Notify key
----------
subkey browsela is present!

AFTER RUNNING WIN32DELFKIL
**************************

File(s) found in Windows directory
----------------------------------

File(s) found in system32 folder
--------------------------------
browsela.dll

SharedTaskScheduler key
-----------------------
SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon
{31EE3286-D785-4E3F-95FC-51D00FDABC01} REG_SZ Master Browseui

Notify key
----------
subkey browsela is present!