plowdriver01

[Solved] Need some serious help before it is lost

Hi,

Someone please help, I believe I have various spyware on my computer and it seems to be getting worse.

I have Spybot, Adaware, Microsoft AntiSpyware, and firewall, SpySubtract, and they will find it and clean it, but it just keeps coming right back.

Please help SOON. Thanks

Logfile of HijackThis v1.99.1

Scan saved at 6:37:54 AM, on 6/12/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\ZoneLabs\isafe.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZONELABS\vsmon.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\Explorer.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\WINDOWS\SOINTGR.EXE

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

C:\Program Files\Lexmark X74-X75\lxbbbmon.exe

C:\documents and settings\denise kozer\desktop\qttask.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\TrojanHunter 4.2\THGuard.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\SIMPLE~2\PHOTOS~1\data\xtras\mssysmgr.exe

c:\windows\system32\fhbmpas.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\InterMute\SpySubtract\SpySub.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)

O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe C:\WINDOWS\System32\CrazyTalk.dll,DllServeMediaFile

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [sO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\documents and settings\denise kozer\desktop\qttask.exe" -atboottime

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"

O4 - HKLM\..\Run: [taqqpmo] c:\windows\system32\fhbmpas.exe r

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~2\PHOTOS~1\data\xtras\mssysmgr.exe

O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll

O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab

O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/shared/M...0,2/mcmysec.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...353/mcfscan.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe


Hi plowdriver01!

 

Please download the trial version of Ewido Security Suite here:

http://www.ewido.net/en/download/

Install it, and update the definitions to the newest files. Do NOT run a scan yet.

 

Please download Nailfix from here:

http://www.noidea.us/easyfile/file.php?dow...050515010747824

Extract the files to a folder of their own on the desktop but please do NOT run it yet. The files must be in a folder of their own!!

 

Either reboot and repeatedly tap F8 to enable the start menu and select safe mode, or go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and click OK. Click yes to restart. This will restart your computer in safe mode. Log on to your user account.

 

Once in safe mode, open the folder containing Nailfix and double click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

 

Then please run Ewido, and run a full scan. Save the logfile from the scan.

 

Scan again with HijackThis and place a check next to the following entries if present. Close ALL other windows and click fix.

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)

O4 - HKLM\..\Run: [taqqpmo] c:\windows\system32\fhbmpas.exe r

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

 

 

Delete the following file in bold if present.

C:\WINDOWS\System32\fhbmpas.exe

 

Open C:\Temp if present, select all and delete.

Open C:\Windows\Temp, select all and delete.

Open C:\Windows\Prefetch, select all and delete.

Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content.

Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.

 

If you used msconfig, uncheck the /safeboot box and click ok to reboot. Upon reboot you will be greeted with a message window from the System Configuration Utility. Check the box not to use and don't show, then click OK. If you used F8, just reboot back into Windows.

 

Please post a new HijackThis log, as well as the log from the Ewido scan.

 

Did you knowingly install CrazyTalk?


Here is the HJT LOG

 

Logfile of HijackThis v1.99.1

Scan saved at 6:24:54 PM, on 6/12/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)

O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe C:\WINDOWS\System32\CrazyTalk.dll,DllServeMediaFile

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [sO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\documents and settings\denise kozer\desktop\qttask.exe" -atboottime

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~2\PHOTOS~1\data\xtras\mssysmgr.exe

O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll

O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll

O16 - DPF: PCPitstop-Tracks-Checker - http://pcpitstop.com/privacy/PCPTracks.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab

O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/shared/M...0,2/mcmysec.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...353/mcfscan.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe


AND THE EWIDO LOG

 

---------------------------------------------------------

ewido security suite - Scan report

---------------------------------------------------------

 

+ Created on: 6:16:39 PM, 6/12/2005

+ Report-Checksum: 3F31EFE

 

+ Date of database: 6/12/2005

+ Version of scan engine: v3.0

 

+ Duration: 138 min

+ Scanned Files: 162739

+ Speed: 19.55 Files/Second

+ Infected files: 120

+ Removed files: 61

+ Files put in quarantine: 61

+ Files that could not be opened: 0

+ Files that could not be cleaned: 59

 

+ Binder: Yes

+ Crypter: Yes

+ Archives: Yes

 

+ Scanned items:

C:\

C:\

 

+ Scan result:

C:\WINDOWS\system32\mkxxhb.exe -> Spyware.BetterInternet -> Cleaned with backup

C:\WINDOWS\system32\DrPMon.dll -> Trojan.Agent.db -> Cleaned with backup

C:\WINDOWS\svcproc.exe -> Trojan.Stervis.c -> Cleaned with backup

C:\WINDOWS\Nail.exe.tcf -> Trojan.Nail -> Cleaned with backup

C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup

C:\WINDOWS\ducmrchhylx.exe.tcf -> Spyware.BetterInternet -> Cleaned with backup

C:\WINDOWS\Nail.exe8968.tcf -> Trojan.Nail -> Cleaned with backup

C:\WINDOWS\Nail.exe9771.tcf -> Trojan.Nail -> Cleaned with backup

C:\WINDOWS\Nail.exe6487.tcf -> Trojan.Nail -> Cleaned with backup

C:\Documents and Settings\LocalService\Cookies\system@www.eadexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\LocalService\Cookies\system@exitexchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Bob Kozer\Cookies\bob kozer@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Bob Kozer\Cookies\bob kozer@tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@ads.addynamix[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@adsremote.scripps[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@a.tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@fastclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@adknowledge[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@realmedia[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@valueclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@www.affiliatefuel[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@search.msn[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Guest\Cookies\guest@bannerspace[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\Quarantine\F671BF89-5918-439B-A2ED-AF5883\E4B17180-9CC0-4049-A96F-965AFB -> Trojan.Agent.db -> Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\Quarantine\F671BF89-5918-439B-A2ED-AF5883\8F47872A-B923-46A5-844D-8583BA -> Trojan.Agent.db -> Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\Quarantine\9837481E-5BC0-4971-AD10-030205\C341CB37-CF89-4347-9D20-1A46AA -> Trojan.Stervis.c -> Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\Quarantine\9837481E-5BC0-4971-AD10-030205\C640D1BE-D6D9-4829-826C-28CAD1 -> Trojan.Stervis.c -> Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\Quarantine\9837481E-5BC0-4971-AD10-030205\D504460E-E6A3-4390-B3E6-679184 -> Trojan.Stervis.c -> Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\Quarantine\841CB9D1-ECEA-4ABB-9D57-A5500E\485B0AB6-F20C-4FAF-9D24-852D88 -> Trojan.Agent.db -> Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\Quarantine\841CB9D1-ECEA-4ABB-9D57-A5500E\00FDAE5C-17C7-43E9-820D-BEDECC -> Trojan.Agent.db -> Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\Quarantine\6F05C7FF-B550-4382-BA45-416082\BF34D852-9453-4D46-960F-6761D9 -> Trojan.Stervis.c -> Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\Quarantine\6F05C7FF-B550-4382-BA45-416082\B72D9550-29B9-4EB2-B63C-4B7F62 -> Trojan.Stervis.c -> Cleaned with backup

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP1\A0000003.exe -> Trojan.Nail -> Cleaned with backup

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP1\A0000004.exe -> Spyware.BetterInternet -> Cleaned with backup

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP2\A0000016.exe -> Spyware.BetterInternet -> Cleaned with backup

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP2\A0000018.exe -> Spyware.BetterInternet -> Cleaned with backup

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP2\A0000019.exe -> Spyware.BetterInternet -> Cleaned with backup

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP2\A0000022.exe.tcf -> Spyware.BetterInternet -> Cleaned with backup

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP2\A0000023.exe -> Trojan.Nail -> Cleaned with backup

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP2\A0000024.exe.tcf -> Trojan.Stervis.c -> Cleaned with backup

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP2\A0000025.dll.tcf -> Trojan.Agent.db -> Cleaned with backup

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP2\A0000042.exe -> Spyware.BetterInternet -> Cleaned with backup

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP2\A0000046.exe -> Trojan.Nail -> Cleaned with backup

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP2\A0000055.exe -> Spyware.BetterInternet -> Cleaned with backup

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP2\A0000069.exe -> Spyware.BetterInternet -> Cleaned with backup

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP2\A0000074.exe -> Trojan.Nail -> Cleaned with backup

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP3\A0000089.exe -> Spyware.BetterInternet -> Cleaned with backup

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP3\A0000093.dll -> Trojan.Agent.db -> Cleaned with backup

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP3\A0000094.exe -> Trojan.Stervis.c -> Cleaned with backup

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP3\A0000100.exe -> Trojan.Nail -> Cleaned with backup

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP3\A0000106.exe -> Spyware.BetterInternet -> Cleaned with backup

C:\WINDOWS\system32\mkxxhb.exe -> Spyware.BetterInternet -> Error during cleaning

C:\WINDOWS\system32\DrPMon.dll -> Trojan.Agent.db -> Error during cleaning

C:\WINDOWS\svcproc.exe -> Trojan.Stervis.c -> Error during cleaning

C:\WINDOWS\Nail.exe.tcf -> Trojan.Nail -> Error during cleaning

C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup

C:\WINDOWS\ducmrchhylx.exe.tcf -> Spyware.BetterInternet -> Error during cleaning

C:\WINDOWS\Nail.exe8968.tcf -> Trojan.Nail -> Error during cleaning

C:\WINDOWS\Nail.exe9771.tcf -> Trojan.Nail -> Error during cleaning

C:\WINDOWS\Nail.exe6487.tcf -> Trojan.Nail -> Error during cleaning

C:\Documents and Settings\LocalService\Cookies\system@www.eadexchange[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\LocalService\Cookies\system@exitexchange[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Bob Kozer\Cookies\bob kozer@atdmt[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Bob Kozer\Cookies\bob kozer@tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@atdmt[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@ads.addynamix[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@zedo[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@adsremote.scripps[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@com[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@a.tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@fastclick[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@adknowledge[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@realmedia[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@valueclick[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@advertising[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@www.affiliatefuel[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@search.msn[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Guest\Cookies\guest@bannerspace[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Program Files\Microsoft AntiSpyware\Quarantine\F671BF89-5918-439B-A2ED-AF5883\E4B17180-9CC0-4049-A96F-965AFB -> Trojan.Agent.db -> Error during cleaning

C:\Program Files\Microsoft AntiSpyware\Quarantine\F671BF89-5918-439B-A2ED-AF5883\8F47872A-B923-46A5-844D-8583BA -> Trojan.Agent.db -> Error during cleaning

C:\Program Files\Microsoft AntiSpyware\Quarantine\9837481E-5BC0-4971-AD10-030205\C341CB37-CF89-4347-9D20-1A46AA -> Trojan.Stervis.c -> Error during cleaning

C:\Program Files\Microsoft AntiSpyware\Quarantine\9837481E-5BC0-4971-AD10-030205\C640D1BE-D6D9-4829-826C-28CAD1 -> Trojan.Stervis.c -> Error during cleaning

C:\Program Files\Microsoft AntiSpyware\Quarantine\9837481E-5BC0-4971-AD10-030205\D504460E-E6A3-4390-B3E6-679184 -> Trojan.Stervis.c -> Error during cleaning

C:\Program Files\Microsoft AntiSpyware\Quarantine\841CB9D1-ECEA-4ABB-9D57-A5500E\485B0AB6-F20C-4FAF-9D24-852D88 -> Trojan.Agent.db -> Error during cleaning

C:\Program Files\Microsoft AntiSpyware\Quarantine\841CB9D1-ECEA-4ABB-9D57-A5500E\00FDAE5C-17C7-43E9-820D-BEDECC -> Trojan.Agent.db -> Error during cleaning

C:\Program Files\Microsoft AntiSpyware\Quarantine\6F05C7FF-B550-4382-BA45-416082\BF34D852-9453-4D46-960F-6761D9 -> Trojan.Stervis.c -> Error during cleaning

C:\Program Files\Microsoft AntiSpyware\Quarantine\6F05C7FF-B550-4382-BA45-416082\B72D9550-29B9-4EB2-B63C-4B7F62 -> Trojan.Stervis.c -> Error during cleaning

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP1\A0000003.exe -> Trojan.Nail -> Error during cleaning

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP1\A0000004.exe -> Spyware.BetterInternet -> Error during cleaning

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP2\A0000016.exe -> Spyware.BetterInternet -> Error during cleaning

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP2\A0000018.exe -> Spyware.BetterInternet -> Error during cleaning

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP2\A0000019.exe -> Spyware.BetterInternet -> Error during cleaning

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP2\A0000022.exe.tcf -> Spyware.BetterInternet -> Error during cleaning

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP2\A0000023.exe -> Trojan.Nail -> Error during cleaning

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP2\A0000024.exe.tcf -> Trojan.Stervis.c -> Error during cleaning

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP2\A0000025.dll.tcf -> Trojan.Agent.db -> Error during cleaning

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP2\A0000042.exe -> Spyware.BetterInternet -> Error during cleaning

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP2\A0000046.exe -> Trojan.Nail -> Error during cleaning

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP2\A0000055.exe -> Spyware.BetterInternet -> Error during cleaning

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP2\A0000069.exe -> Spyware.BetterInternet -> Error during cleaning

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP2\A0000074.exe -> Trojan.Nail -> Error during cleaning

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP3\A0000089.exe -> Spyware.BetterInternet -> Error during cleaning

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP3\A0000093.dll -> Trojan.Agent.db -> Error during cleaning

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP3\A0000094.exe -> Trojan.Stervis.c -> Error during cleaning

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP3\A0000100.exe -> Trojan.Nail -> Error during cleaning

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP3\A0000106.exe -> Spyware.BetterInternet -> Error during cleaning

 

 

::Report End


Was that scan done in safe mode?

 

You will need to temporarily disable Microsoft AntiSpyware. Right click on the MSAS icon (looks like a target) and click on Security Agents Status (Enabled), then click on Disable Real-time Protection. To re-enable it, you follow the same steps but click on Enable Real-time Protection.

 

Uninstall CrazyTalk in Add/Remove if you don't use or want it. Then delete CrazyTalk.dll in C:\Windows\system32 and any other associated files/folders.

 

Scan again with HijackThis, check the following entries, close all other windows and click fix.

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)

O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe C:\WINDOWS\System32\CrazyTalk.dll,DllServeMediaFile

O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)

 

Then click the config button, then misc tools. Click the Delete an NT Service button and type in SvcProc, then click OK. If successful, reboot and post a new HJT log. If the service cannot be deleted, reboot and try again.


Deleted what you asked.

Some entries were not there. Here is my log before deletion.

 

Logfile of HijackThis v1.99.1

Scan saved at 8:25:28 PM, on 6/12/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ZoneLabs\isafe.exe

C:\Program Files\ewido\security suite\ewidoctrl.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\WINDOWS\SOINTGR.EXE

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\documents and settings\denise kozer\desktop\qttask.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\WINDOWS\system32\lexpps.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\SIMPLE~2\PHOTOS~1\data\xtras\mssysmgr.exe

C:\Program Files\InterMute\SpySubtract\SpySub.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\WINDOWS\system32\wscntfy.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe C:\WINDOWS\System32\CrazyTalk.dll,DllServeMediaFile

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [sO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\documents and settings\denise kozer\desktop\qttask.exe" -atboottime

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~2\PHOTOS~1\data\xtras\mssysmgr.exe

O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll

O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll

O16 - DPF: PCPitstop-Tracks-Checker - http://pcpitstop.com/privacy/PCPTracks.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab

O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/shared/M...0,2/mcmysec.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...353/mcfscan.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe


Here is the log after.

I could not delete SvcProc. It said it was in use and must be disabled. What the heck is it?

 

 

Logfile of HijackThis v1.99.1

Scan saved at 8:50:37 PM, on 6/12/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\ZoneLabs\isafe.exe

C:\Program Files\ewido\security suite\ewidoctrl.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\WINDOWS\SOINTGR.EXE

C:\documents and settings\denise kozer\desktop\qttask.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\SIMPLE~2\PHOTOS~1\data\xtras\mssysmgr.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\InterMute\SpySubtract\SpySub.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\WINDOWS\system32\wscntfy.exe

C:\HJT\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [sO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\documents and settings\denise kozer\desktop\qttask.exe" -atboottime

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~2\PHOTOS~1\data\xtras\mssysmgr.exe

O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll

O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll

O16 - DPF: PCPitstop-Tracks-Checker - http://pcpitstop.com/privacy/PCPTracks.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab

O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/shared/M...0,2/mcmysec.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...353/mcfscan.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe


It is a rogue service put there by the infection. Click Start>run and type services.msc then hit enter. Locate System Startup Service in the list and double click the entry. Stop the service if running, then set it to Disabled, click apply and OK. Try using HJT to delete the service again.
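Several of the entries picked out for fixing in this thread have a shape a script can recognize: a service whose binary is gone, a toolbar with no file behind it, and a Shell value that starts something besides Explorer.exe. The Python below is an added example, not part of the original posts and not HijackThis's own logic; the function names and the three heuristics are assumptions, and the log excerpts are assembled from entries quoted in this thread.

```python
import re

# Excerpts assembled from HijackThis entries quoted in this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\services.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
"""

# After the first fix attempt: the service could not be deleted while in use.
LOG_AFTER_FIRST_TRY = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
"""

# After the service was stopped, set to Disabled and deleted.
LOG_AFTER_SERVICE_DELETED = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

# Entry lines look like "O23 - Service: ..."; header and process lines do not.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
SHELL_RE = re.compile(r"REG:system\.ini: Shell=(.*)$", re.IGNORECASE)
SERVICE_RE = re.compile(r"Service: [^()]*? \(([^()]+)\) - ")


def parse_entries(log_text):
    """Return (code, body) pairs for every HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2).strip()))
    return entries


def flag(code, body):
    """Return a reason if the entry matches a heuristic, otherwise None.

    "Unknown owner" alone is not used: the McShield service in these logs
    shows it too. Entries such as a Run key for unwanted software still
    need a human decision and are not covered here.
    """
    if code == "O23" and body.endswith("(file missing)"):
        return "service is registered but its binary is missing"
    if code in ("O2", "O3") and body.endswith("(no file)"):
        return "browser add-on entry with no file behind it"
    if code == "F2":
        shell = SHELL_RE.match(body)
        if shell and shell.group(1).strip().lower() != "explorer.exe":
            return "Shell value starts more than Explorer.exe"
    return None


def triage(log_text):
    """Return (code, body, reason) for every flagged entry, in log order."""
    return [(code, body, reason)
            for code, body in parse_entries(log_text)
            if (reason := flag(code, body))]


def service_short_name(body):
    """Extract the short service name (the part in parentheses), if any."""
    match = SERVICE_RE.match(body)
    return match.group(1) if match else None


def still_present(before, after):
    """Flagged entries from the earlier log that survive in the later one."""
    remaining = {(code, body.lower()) for code, body in parse_entries(after)}
    return [item for item in triage(before)
            if (item[0], item[1].lower()) in remaining]


if __name__ == "__main__":
    for code, body, reason in triage(LOG_BEFORE):
        print(f"{code}: {reason}\n    {body}")
    for label, log in (("first try", LOG_AFTER_FIRST_TRY),
                       ("service deleted", LOG_AFTER_SERVICE_DELETED)):
        left = [service_short_name(b) or c for c, b, _ in still_present(LOG_BEFORE, log)]
        print(f"still present after {label}: {left}")
```

Comparing each new log against the earlier one shows whether a fix actually took, which is how the surviving SvcProc entry stands out after the first attempt.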


OK, that time it worked.

Here is a new log.

 

 

Logfile of HijackThis v1.99.1

Scan saved at 9:10:09 PM, on 6/12/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\ZoneLabs\isafe.exe

C:\Program Files\ewido\security suite\ewidoctrl.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\WINDOWS\SOINTGR.EXE

C:\documents and settings\denise kozer\desktop\qttask.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\SIMPLE~2\PHOTOS~1\data\xtras\mssysmgr.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\InterMute\SpySubtract\SpySub.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [sO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\documents and settings\denise kozer\desktop\qttask.exe" -atboottime

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~2\PHOTOS~1\data\xtras\mssysmgr.exe

O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll

O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll

O16 - DPF: PCPitstop-Tracks-Checker - http://pcpitstop.com/privacy/PCPTracks.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab

O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/shared/M...0,2/mcmysec.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...353/mcfscan.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe


Open HijackThis to the misc tools section. Click 'Open Uninstall Manager', locate ABI in the list, highlight and click 'Delete this entry'.

 

 

Please scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.


OK, here is your scan.

When I tried to do a report, it said there was an error on the page.

I copied and pasted.

 

Scan started at 6/12/2005 9:35:59 PM

 

Scanning memory...

Scanning boot sectors...

Scanning files...

C:\WINDOWS\system32\biU.exe - PWS:Win32/Bispy -> Infected

C:\WINDOWS\system32\biN.exe - PWS:Win32/Bispy -> Infected

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP3\A0000108.dll - Trojan:Win32/Agent.CA -> Infected

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP3\A0000109.exe - Trojan:Win32/Small.AZ -> Infected

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP3\A0000110.exe->(ASPack 2.12) - Trojan:Win32/Agent.LO -> Infected

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP3\A0000145.exe->(ASPack 2.12) - Trojan:Win32/Agent.LO -> Infected

 

Scanned

============================

Objects: 63919

Directories: 6915

Archives: 6315

Size(Kb): -635553

Infected files: 6

 

Found

============================

Viruses found: 4

Suspicious files: 0

Disinfected files: 0

Mail files: 368


OK....I'll post some instructions later for you to work on tomorrow, and I'll check in tomorrow evening. Goodnight! :)


Locate and delete this file. C:\WINDOWS\system32\biU.exe

 

Just as a double check, download FindIt's.zip to your desktop: Download Here

  • Create a new folder on your desktop
  • Unzip/extract the files inside that folder you created on your desktop.
  • Open the folder and run FindIt's.bat and wait for notepad to open a text file. It may take a while, so please be patient ...
  • Then post the results here.


Hi,

Here is the latest HJT log

 

 

logfile of HijackThis v1.99.1

Scan saved at 12:40:17 PM, on 6/13/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\ZoneLabs\isafe.exe

C:\Program Files\ewido\security suite\ewidoctrl.exe

C:\Program Files\ewido\security suite\ewidoguard.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\WINDOWS\SOINTGR.EXE

C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

C:\documents and settings\denise kozer\desktop\qttask.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

c:\program files\mcafee.com\agent\mcagent.exe

C:\Program Files\Lexmark X74-X75\lxbbbmon.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\SIMPLE~2\PHOTOS~1\data\xtras\mssysmgr.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\InterMute\SpySubtract\SpySub.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [sO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\documents and settings\denise kozer\desktop\qttask.exe" -atboottime

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~2\PHOTOS~1\data\xtras\mssysmgr.exe

O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll

O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll

O16 - DPF: PCPitstop-Tracks-Checker - http://pcpitstop.com/privacy/PCPTracks.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab

O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/shared/M...0,2/mcmysec.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...353/mcfscan.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe


Here is the Findit's log

 

 

Microsoft Windows XP [Version 5.1.2600]

The current date is: Mon 06/13/2005

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Dont delete file's in the section without guidance

If any doubt back them up first

 

* UPX! C:\WINDOWS\UNWASH.EXE

* UPX! C:\WINDOWS\TSC.EXE

 

»»»»» lagitamate file's can/will show in this section.

 

* UPX! C:\WINDOWS\VSAPI32.DLL

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

 

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

 

Volume in drive C has no label.

Volume Serial Number is 8080-0043

 

Directory of C:\WINDOWS\SYSTEM32

 

»»»»» Checking for SAHAgent ico files.

Volume in drive C has no label.

Volume Serial Number is 8080-0043

 

Directory of C:\WINDOWS\system32

 

04/23/2005 01:44 PM 3,262 vh e233.ico

04/23/2005 01:44 PM 4,286 mp3red51aads.ico

04/23/2005 01:44 PM 3,262 kill spyware1.ico

04/23/2005 01:44 PM 3,262 kill popups.ico

4 File(s) 14,072 bytes

0 Dir(s) 10,639,736,832 bytes free

 

»»»»»»»»»»»»»»»»»»»»»»»».

 

HKEY_CURRENT_USER\Software\aurora\AUI3d5OfSInst

HKEY_CURRENT_USER\Software\aurora\AUC3n5trMsgSDisp

HKEY_CURRENT_USER\Software\aurora\AUs3t5icky1S

HKEY_CURRENT_USER\Software\aurora\AUs3t5icky2S

HKEY_CURRENT_USER\Software\aurora\AUs3t5icky3S

HKEY_CURRENT_USER\Software\aurora\AUs3t5icky4S

HKEY_CURRENT_USER\Software\aurora\AUC1o3d5eOfSFinalAd

HKEY_CURRENT_USER\Software\aurora\AUT3i5m7eOfSFinalAd

HKEY_CURRENT_USER\Software\aurora\AUD3s5tSSEnd

HKEY_CURRENT_USER\Software\aurora\AU3N5a7tionSCode

HKEY_CURRENT_USER\Software\aurora\AUP3D5om

HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSCheckSIn

HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSMots

HKEY_CURRENT_USER\Software\aurora\AUM3o5deSSync

HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSCab

HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSEx

HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSLstest

HKEY_CURRENT_USER\Software\aurora\AUB3D5om

HKEY_CURRENT_USER\Software\aurora\AUE3v5nt

HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSBath

HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSysSInf

HKEY_CURRENT_USER\Software\aurora\AUL3n5Title

HKEY_CURRENT_USER\Software\aurora\AUC3u5rrentSMode

HKEY_CURRENT_USER\Software\aurora\AUC3n5tFyl

HKEY_CURRENT_USER\Software\aurora\AUI3g5noreS

HKEY_CURRENT_USER\Software\aurora\AUS3t5atusOfSInst

HKEY_CURRENT_USER\Software\aurora\AUL3a5stMotsSDay

HKEY_CURRENT_USER\Software\aurora\AUL3a5stSSChckin


Microsoft anti spyware found

abetterinternet.DrPmon in restore.

And abetterinternet.Aurora in restore

 

 

Also, here is another Ewido scan

---------------------------------------------------------

ewido security suite - Scan report

---------------------------------------------------------

 

+ Created on: 4:05:13 PM, 6/13/2005

+ Report-Checksum: 6A681DB4

 

+ Date of database: 6/13/2005

+ Version of scan engine: v3.0

 

+ Duration: 177 min

+ Scanned Files: 162670

+ Speed: 15.24 Files/Second

+ Infected files: 28

+ Removed files: 14

+ Files put in quarantine: 14

+ Files that could not be opened: 0

+ Files that could not be cleaned: 14

 

+ Binder: Yes

+ Crypter: Yes

+ Archives: Yes

 

+ Scanned items:

C:\

C:\

 

+ Scan result:

C:\Documents and Settings\Bob Kozer\Cookies\bob kozer@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Bob Kozer\Cookies\bob kozer@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@ads.addynamix[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP3\A0000108.dll -> Trojan.Agent.db -> Cleaned with backup

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP3\A0000109.exe -> Trojan.Stervis.c -> Cleaned with backup

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP3\A0000110.exe -> Trojan.Nail -> Cleaned with backup

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP3\A0000112.exe -> Spyware.BetterInternet -> Cleaned with backup

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP3\A0000145.exe -> Trojan.Nail -> Cleaned with backup

C:\Documents and Settings\Bob Kozer\Cookies\bob kozer@atdmt[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Bob Kozer\Cookies\bob kozer@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@advertising[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@ads.addynamix[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@atdmt[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\Documents and Settings\Denise Kozer\Cookies\denise kozer@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP3\A0000108.dll -> Trojan.Agent.db -> Error during cleaning

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP3\A0000109.exe -> Trojan.Stervis.c -> Error during cleaning

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP3\A0000110.exe -> Trojan.Nail -> Error during cleaning

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP3\A0000112.exe -> Spyware.BetterInternet -> Error during cleaning

C:\System Volume Information\_restore{4FB61209-EAD1-424F-9C37-C5E5F5C24883}\RP3\A0000145.exe -> Trojan.Nail -> Error during cleaning

 

 

::Report End


Maybe this will help also

 

 

 

---------------------------------------------------------

ewido security suite - Process report

---------------------------------------------------------

 

+ Created on: 4:08:52 PM, 6/13/2005

+ Report-Checksum: A26AFF85

 

0: System Process

4: System Process

236: C:\Program Files\Lexmark X74-X75\lxbbbmon.exe

416: \SystemRoot\System32\smss.exe

484: \??\C:\WINDOWS\system32\csrss.exe

508: \??\C:\WINDOWS\system32\winlogon.exe

552: C:\WINDOWS\system32\services.exe

564: C:\WINDOWS\system32\lsass.exe

696: C:\Program Files\Internet Explorer\iexplore.exe

712: C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

716: C:\WINDOWS\system32\svchost.exe

744: c:\program files\mcafee.com\agent\mcagent.exe

764: C:\WINDOWS\system32\svchost.exe

816: C:\documents and settings\denise kozer\desktop\qttask.exe

828: C:\WINDOWS\System32\svchost.exe

880: C:\WINDOWS\System32\svchost.exe

1000: C:\WINDOWS\System32\svchost.exe

1132: C:\WINDOWS\system32\LEXBCES.EXE

1192: C:\WINDOWS\system32\spoolsv.exe

1200: C:\WINDOWS\system32\LEXPPS.EXE

1348: C:\WINDOWS\system32\ZoneLabs\isafe.exe

1360: C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

1376: C:\Program Files\ewido\security suite\ewidoctrl.exe

1388: C:\Program Files\ewido\security suite\ewidoguard.exe

1456: c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

1472: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

1568: c:\progra~1\mcafee.com\vso\mcvsescn.exe

1584: C:\WINDOWS\Explorer.EXE

1592: C:\WINDOWS\System32\svchost.exe

1748: C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

1900: C:\WINDOWS\SOINTGR.EXE

1960: c:\PROGRA~1\mcafee.com\vso\mcshield.exe

2100: System Process

2120: C:\WINDOWS\system32\ctfmon.exe

2128: C:\PROGRA~1\SIMPLE~2\PHOTOS~1\data\xtras\mssysmgr.exe

2276: C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

2400: C:\Program Files\ewido\security suite\SecuritySuite.exe

2488: C:\WINDOWS\system32\wscntfy.exe

2668: C:\Program Files\InterMute\SpySubtract\SpySub.exe


And this

 

 

 

---------------------------------------------------------

ewido security suite - Startup report

---------------------------------------------------------

 

+ Created on: 4:10:01 PM, 6/13/2005

+ Report-Checksum: 7560DE5C

 

Reg\HKLM\Run VSOCheckTask "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

Reg\HKLM\Run VirusScan Online "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

Reg\HKLM\Run SO5 Integrator Pass Two C:\WINDOWS\SOINTGR.EXE

Reg\HKLM\Run Lexmark X74-X75 "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"

Reg\HKLM\Run MCUpdateExe C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

Reg\HKLM\Run MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe

Reg\HKLM\Run QuickTime Task "C:\documents and settings\denise kozer\desktop\qttask.exe" -atboottime

Reg\HKLM\Run gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

Reg\HKLM\Run Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

Reg\HKLM\Run THGuard "C:\Program Files\TrojanHunter 4.2\THGuard.exe"

Reg\HKCU\Run ctfmon.exe C:\WINDOWS\system32\ctfmon.exe

Reg\HKCU\Run PhotoShow Deluxe Media Manager C:\PROGRA~1\SIMPLE~2\PHOTOS~1\data\xtras\mssysmgr.exe

Shell\CommonStartup Adobe Reader Speed Launch.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

Shell\CommonStartup SpySubtract.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk

Shell\UserStartup SpySubtract.lnk C:\Documents and Settings\Bob Kozer\Start Menu\Programs\Startup\SpySubtract.lnk
