Full Version: spyware
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
asus
Just turned my comp on and there it was... desktop all red... something telling me to pay 49.95 to kill the spyware...


Logfile of HijackThis v1.99.1
Scan saved at 19:19:48, on 28.6.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Pincom\PinCableViewer\PinCableViewer.exe
D:\Programs\HDD Temperature\HDDTSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\{ADA40624-90A8-4697-A52B-69A20E9670F8}.exe
C:\WINDOWS\system32\wuauclt.exe
D:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.hr/
R3 - URLSearchHook: (no name) - {45DE991E-25CA-4E7B-3FF4-D572C53B8F7D} - WinInitDll.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{A0F0AEB2-7064-4719-8646-0BDBEE681C71}.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{A0F0AEB2-7064-4719-8646-0BDBEE681C71}.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ogjqy.exe] C:\WINDOWS\system32\ogjqy.exe
O4 - HKLM\..\Run: [AppMasterCenter] scanSYS.exe
O4 - HKLM\..\Run: [Preliminary] newbreed.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [SAPSTR] trycrt.exe
O4 - HKCU\..\Run: [Serviceprocess] XTermInit.exe
O4 - HKCU\..\Run: [pizda] Bogobot.exe
O4 - Startup: HDD temperature.lnk = D:\Programs\HDD Temperature\HDDTemperature.exe
O4 - Global Startup: Check Local Printer.lnk = C:\Program Files\KXP6X00\Chkpnt.exe
O4 - Global Startup: PinCableViewer.lnk = C:\Program Files\Pincom\PinCableViewer\PinCableViewer.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\KillAndClean\KillAndClean.exe (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\KillAndClean\KillAndClean.exe (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E309A87-C9E9-4A75-A27D-A6DB8B26F9C5}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B905CD4-E04E-4494-B8B3-503363887E95}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA4C4713-D465-410C-A588-6B8A0F53327B}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5D9A75B-0A0E-44C4-A553-7FCCA5EE00BA}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{E880BCEB-E0B3-4CFD-8355-3ACF293C6EEF}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.76 85.255.112.81
O17 - HKLM\System\CS1\Services\Tcpip\..\{3E309A87-C9E9-4A75-A27D-A6DB8B26F9C5}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.76 85.255.112.81
O17 - HKLM\System\CS2\Services\Tcpip\..\{3E309A87-C9E9-4A75-A27D-A6DB8B26F9C5}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.76 85.255.112.81
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: HDD Temperature (HDDTService) - PalickSoft - D:\Programs\HDD Temperature\HDDTSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
LoPhatPhuud
First:
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads, post the text that will open (report.txt).


Second:
Use Add/Remove Programs to uninstall KillAndClean. This program is on the Rogue AntiSpyware list here: http://www.spywarewarrior.com/rogue_anti-spyware.htm


Third:
Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis.
(note: If any R* items marked for deletion do not appear in Safe Mode, re-run HiJackThis in Normal Mode and remove them after you finish removing these items.)
R3 - URLSearchHook: (no name) - {45DE991E-25CA-4E7B-3FF4-D572C53B8F7D} - WinInitDll.dll (file missing)

O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{A0F0AEB2-7064-4719-8646-0BDBEE681C71}.dll

O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{A0F0AEB2-7064-4719-8646-0BDBEE681C71}.dll

O4 - HKLM\..\Run: [ogjqy.exe] C:\WINDOWS\system32\ogjqy.exe
O4 - HKLM\..\Run: [AppMasterCenter] scanSYS.exe
O4 - HKLM\..\Run: [Preliminary] newbreed.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [SAPSTR] trycrt.exe
O4 - HKCU\..\Run: [Serviceprocess] XTermInit.exe
O4 - HKCU\..\Run: [pizda] Bogobot.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{3E309A87-C9E9-4A75-A27D-A6DB8B26F9C5}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B905CD4-E04E-4494-B8B3-503363887E95}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA4C4713-D465-410C-A588-6B8A0F53327B}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5D9A75B-0A0E-44C4-A553-7FCCA5EE00BA}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{E880BCEB-E0B3-4CFD-8355-3ACF293C6EEF}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.76 85.255.112.81
O17 - HKLM\System\CS1\Services\Tcpip\..\{3E309A87-C9E9-4A75-A27D-A6DB8B26F9C5}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.76 85.255.112.81
O17 - HKLM\System\CS2\Services\Tcpip\..\{3E309A87-C9E9-4A75-A27D-A6DB8B26F9C5}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.76 85.255.112.81

Close all windows except HijackThis and click Fix checked.


While still in Safe Mode*, delete the following: (you may need to show hidden files**)
(Files specified without a full path will be located in C:\Windows\ or C:\Windows\System32\)
C:\WINDOWS\system32\ogjqy.exe
scanSYS.exe
newbreed.exe
trycrt.exe
XTermInit.exe
Bogobot.exe

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode

Run HiJackThis again and post a new log in this thread.


Last:
Please download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.zip

Unzip it to the desktop and double-click on it.
Silent Runners will ask if you want to skip the supplementary search.
Please select 'No' to include them. The program will take longer to run, but will give us more information.

If you get any kind of warning message about scripts, please choose to allow the script to run.

When the scan is finished, a message will pop up and a logfile will have been created on the desktop.
The logfile is named 'Startup Programs' by default and will be located where the program is.

Please post the entire contents of this logfile for me to see.
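The helper's fix list above picks out the same handful of line types from the HijackThis log every time: an R3 URLSearchHook whose DLL is missing, O2/O3 browser add-ons loaded from a GUID-named DLL, O4 autoruns that give no path or carry a random five-letter name, and O17 NameServer values pointing every network interface at the same two outside addresses. The script below is an added example, not the forum's or HijackThis's own code, that applies those checks to a log mechanically. The sample lines are constructed from the shapes seen in the thread (the final O17 line with 192.168.1.1 is made up as a clean control), and the trusted-resolver allow-list is an assumption an analyst supplies for their own network.

```python
"""Triage HijackThis-style log lines for the indicator types discussed in the thread."""
import re
import ipaddress

# Assumption: the DNS resolvers an analyst expects on this network.
ASSUMED_TRUSTED_DNS = frozenset({"192.168.1.1"})

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
R3_RE = re.compile(r"^R3 - URLSearchHook: .*\(file missing\)$")
BHO_RE = re.compile(r"^O(?:2 - BHO|3 - Toolbar): .*? - " + GUID + r" - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?(?:\s|$)', re.IGNORECASE)  # executable part of a Run command
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")

# Constructed sample: line shapes taken from the log above; the last line is a clean control.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {45DE991E-25CA-4E7B-3FF4-D572C53B8F7D} - WinInitDll.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{A0F0AEB2-7064-4719-8646-0BDBEE681C71}.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ogjqy.exe] C:\WINDOWS\system32\ogjqy.exe
O4 - HKLM\..\Run: [AppMasterCenter] scanSYS.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E309A87-C9E9-4A75-A27D-A6DB8B26F9C5}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
""".strip()


def basename(path):
    """Last component of a Windows path (works on any host OS)."""
    return path.rsplit("\\", 1)[-1]


def triage(log_text, trusted_dns=ASSUMED_TRUSTED_DNS):
    """Return (line_no, item_type, reason) for every log line that needs a look."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if R3_RE.match(line):
            findings.append((n, "R3", "URLSearchHook points at a DLL that no longer exists; orphaned hijack entry"))
            continue
        m = BHO_RE.match(line)
        if m:
            # Legitimate add-ons ship a named DLL; a {GUID}.dll in System32 is the pattern in this thread.
            if re.fullmatch(GUID + r"\.dll", basename(m["path"]), re.IGNORECASE):
                findings.append((n, line[:2], "browser add-on loaded from a GUID-named DLL: " + m["path"]))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m["cmd"].strip()
            e = EXE_RE.match(cmd)
            exe = e["exe"] if e else cmd
            base = basename(exe)
            if not re.match(r"^[A-Za-z]:\\", exe):
                # HijackThis shows no path when the value is a bare name; it resolves from Windows or System32.
                findings.append((n, "O4", f"autorun [{m['name']}] gives no full path ({exe}); "
                                          "it will be resolved from the Windows or System32 folder"))
            elif ("\\system32\\" in exe.lower() and re.fullmatch(r"[a-z]{5}\.exe", base)
                  and m["name"].lower() == base.lower()):
                # Heuristic drawn from the names in this thread (ogjqy, jwjob, zmxox, dmzvy): the
                # value is named after a five-letter System32 executable.
                findings.append((n, "O4", f"autorun named after a five-letter System32 executable ({exe}); "
                                          "matches the renaming pattern seen in this thread"))
            continue
        m = O17_RE.match(line)
        if m:
            # HijackThis prints the list comma- or space-separated depending on the key.
            servers = [s for s in re.split(r"[,\s]+", m["servers"].strip()) if s]
            rogue = []
            for s in servers:
                try:
                    ipaddress.ip_address(s)
                except ValueError:
                    rogue.append(s + " (not an IP address)")
                    continue
                if s not in trusted_dns:
                    rogue.append(s)
            if rogue:
                findings.append((n, "O17", f"{m['key']} resolves DNS through untrusted server(s): {', '.join(rogue)}"))
    return findings


if __name__ == "__main__":
    for n, kind, reason in triage(SAMPLE_LOG):
        print(f"line {n:>3}  {kind:<4} {reason}")
```

Run it over the pasted log (`triage(open("hijackthis.log").read())`) and compare the flagged lines with the helper's list; the O17 check is the one worth keeping permanently, since a changed NameServer on every interface key (CCS, CS1 and CS2 alike) is what made the redirection survive the reboot in this thread.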
asus
Didn't work, it's still here, all over the desktop.
It's like it keeps changing .exe file names.

Ok, here are the logs you asked for, thanks a lot.

Logfile of HijackThis v1.99.1
Scan saved at 0:18:43, on 29.6.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pincom\PinCableViewer\PinCableViewer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
D:\Programs\HDD Temperature\HDDTSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
D:\hjt\HijackThis.exe

O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programs\SpybotSD\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [jwjob.exe] C:\WINDOWS\system32\jwjob.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HDD temperature.lnk = D:\Programs\HDD Temperature\HDDTemperature.exe
O4 - Global Startup: Check Local Printer.lnk = C:\Program Files\KXP6X00\Chkpnt.exe
O4 - Global Startup: PinCableViewer.lnk = C:\Program Files\Pincom\PinCableViewer\PinCableViewer.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E309A87-C9E9-4A75-A27D-A6DB8B26F9C5}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B905CD4-E04E-4494-B8B3-503363887E95}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA4C4713-D465-410C-A588-6B8A0F53327B}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5D9A75B-0A0E-44C4-A553-7FCCA5EE00BA}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{E880BCEB-E0B3-4CFD-8355-3ACF293C6EEF}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.76 85.255.112.81
O17 - HKLM\System\CS1\Services\Tcpip\..\{3E309A87-C9E9-4A75-A27D-A6DB8B26F9C5}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.76 85.255.112.81
O17 - HKLM\System\CS2\Services\Tcpip\..\{3E309A87-C9E9-4A75-A27D-A6DB8B26F9C5}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.76 85.255.112.81
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HDD Temperature (HDDTService) - PalickSoft - D:\Programs\HDD Temperature\HDDTSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

____________________________________________________________________________________________


Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}046173EE6E3C-45C8-A044-1236-40588BDE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}22A033DDC59D-5C4A-4174-FD33-912C54E3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BE34C6CC1B1E-37EB-AD94-69EA-3F57BB53{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AB6EACAF6059-A87B-A5A4-101E-D082F1AB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}943E717535F9-5AB9-AF24-7ADC-486844C5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}944AB4F0D0CD-416A-1604-9658-4B32E94F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FE8DD10A2B9C-B29A-52E4-09E3-F9581363{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C07BE1C46292-37DB-9D14-97B2-75197AE3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}99EB271B1587-C73B-6CD4-66A1-2FFF21EA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0F5A46AF77E0-E33A-E234-2782-D67867BD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CD401AD61D11-34D9-5BC4-2E16-ECE335A1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C8893E413210-8078-48D4-47E2-057C815E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C2F6EA4B428A-AA7B-2AE4-E698-56DF1431{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9EC84640C501-5AC8-4474-50E6-8755A984{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}77B1A57DA93C-8E09-31E4-0292-B82C96C2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D9544CBE1C59-ED5A-CE54-0388-457F51E8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4A2C064ED99A-833A-EAE4-0FFF-6277B690{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}344EDFDEA7E3-9098-8EF4-D75D-8F378752{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}93DE19DA3952-AC48-A3B4-F4BD-08E9C18E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D8951D310BE6-4889-A484-1940-0529CFBA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CC28B53AE6C3-DA9A-9804-2BE3-CB692532{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}302C5A4DF8B2-435A-34D4-62E7-EC28D602{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BEECB7A7D587-C498-4534-2178-B220E120{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\yvzmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BA113652A7ED-ACBA-35E4-E12F-6D3BF7B7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5084D5662719-A7C8-C324-D299-C4EBD4FD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}84A37A6172C0-2DEA-32D4-90DE-C87CC552{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D772189B213A-67FA-BDB4-5EBE-91C4D7AF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C4CB35365F5B-EC8B-BA44-1B43-B535640C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0DAC5BCF6A67-CBCA-F3E4-277F-B0190840{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ypszr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\lavinraCputeS
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmzvy.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

»»»»» Search by size and names...
* csr.exe C:\WINDOWS\System32\CSPNR.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSPNR.EXE 51,230 2006-06-27
C:\WINDOWS\SYSTEM32\DMFUI.EXE 44,112 2004-08-04

_________________________________________________________________________________________


"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"Zone Labs Client" = ""D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"!ewido" = ""C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."]
"zmxox.exe" = "C:\WINDOWS\system32\zmxox.exe" [null data]
"(Default)" = """ = (data in unrecognized format!)" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\Programs\SpybotSD\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! IE Services Button"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{2B3453E4-49DF-11D3-8229-0080BE509050}" = "GMail Drive"
-> {HKLM...CLSID} = "GMail Drive"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{2B3453E4-49DF-11D3-8229-0080BE509052}" = "GMailFS Property Sheet"
-> {HKLM...CLSID} = "GMailFS Property Sheet"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{2B3453E4-49DF-11D3-8229-0080BE509054}" = "GMailFS Drop Handler"
-> {HKLM...CLSID} = "GMailFS Drop Handler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{2B3453E4-49DF-11D3-8229-0080BE509056}" = "GMailFS Context Menu"
-> {HKLM...CLSID} = "GMailFS Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {HKLM...CLSID} = "ShellLink for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {HKLM...CLSID} = "Shell Icon Handler for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoBandCustomize"=dword:00000001
[disables toolbar status changes in Internet Explorer|View|Toolbars]
{User Configuration|Administrative Templates|Windows Components|
Internet Explorer|Toolbars|Disable customizing browser toolbars}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Active Desktop web content:

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = "Security"
"Source" = "C:\WINDOWS\desktop.html"
"SubscribedURL" = "C:\WINDOWS\desktop.html"
______________________________________________________________________________________________


I didn't miss anything in HJT to fix, but it came back after reboot (those O17 items). And the files I needed to delete:
C:\WINDOWS\system32\ogjqy.exe
scanSYS.exe
newbreed.exe
trycrt.exe
XTermInit.exe
Bogobot.exe
Couldn't find any of them :(


I even downloaded Ewido... it did find some spyware... deleted... but all's the same, as you can see.

Thanks again
asus
Ok, I found something on SWI forum and it worked:

Start, Control Panel, Display. Click on the Desktop tab, then click on the Customize Desktop button. In the Desktop Items window click on the Web tab. Uncheck and then delete all entries under Web pages. Click on OK to close the windows.

Now I have a normal desktop, but I don't know if it fixes my problem? Maybe it's still there.

The O17 items always come back, and I see an item that wasn't there before:
O4 - HKLM\..\Run: [jwjob.exe] C:\WINDOWS\system32\jwjob.exe

No idea.
LoPhatPhuud
OK, now let's try to clean up the rest of the problems.

First:
Download KILLBOX, extract it to your desktop.

Open killbox.exe.

Check the following boxes:
Delete on Reboot


Highlight all the entries in the quote box below and then Copy them.
QUOTE
C:\WINDOWS\system32\jwjob.exe
C:\WINDOWS\system32\zmxox.exe
C:\WINDOWS\System32\CSPNR.EXE
C:\WINDOWS\SYSTEM32\DMFUI.EXE

Then in killbox click File>>Paste from Clipboard

At this point the "All Files" button should be enabled so you can click it.

Click the "All Files" button.

Then click the Red X, and for the confirmation message that will appear, you will need to click Yes.

A second message will ask "Reboot now?"; you will need to click Yes to allow the reboot.

Note: Killbox will let you know if a file does not exist.

If you have any issues with this method, you can copy and paste the lines one at a time into the Killbox top box. Then click the "Single File" button. Then click the Red X, and for the confirmation message that will appear, you will need to click Yes. A second message will ask "Reboot now?"; you will need to click No until the last one, at which time you click Yes to allow the reboot.


Second:
Launch Notepad, and copy/paste the contents of the box below into a new text file.
Save it on your Desktop as fixme.reg

CODE
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zmxox.exe"=-
"jwjob.exe"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoBandCustomize"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"FriendlyName"=-
"Source"=-
"SubscribedURL"=-

Locate fixme.reg on your Desktop and double-click on it.

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".


Third:
Delete the following file:
C:\WINDOWS\desktop.html


Last:
Check the following items in HijackThis.

O17 - HKLM\System\CCS\Services\Tcpip\..\{3E309A87-C9E9-4A75-A27D-A6DB8B26F9C5}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B905CD4-E04E-4494-B8B3-503363887E95}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA4C4713-D465-410C-A588-6B8A0F53327B}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5D9A75B-0A0E-44C4-A553-7FCCA5EE00BA}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{E880BCEB-E0B3-4CFD-8355-3ACF293C6EEF}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.76 85.255.112.81
O17 - HKLM\System\CS1\Services\Tcpip\..\{3E309A87-C9E9-4A75-A27D-A6DB8B26F9C5}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.76 85.255.112.81
O17 - HKLM\System\CS2\Services\Tcpip\..\{3E309A87-C9E9-4A75-A27D-A6DB8B26F9C5}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.76 85.255.112.81

Close all windows except HijackThis and click Fix checked.

Reboot in normal mode

Run HiJackThis again and post a new log in this thread.
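The procedure above removes the O17 NameServer hijack one HijackThis line at a time, and the same two 85.255.x.x resolvers turn up under CurrentControlSet, ControlSet001 and ControlSet002, per interface GUID and in the global Tcpip\Parameters key. The script below is an added example for this thread; it is not LoPhatPhuud's method, nor code from HijackThis or Killbox. It parses O4 and O17 lines, flags every NameServer entry that is not in an allowlist of resolvers the owner actually configured (the 192.168.1.0/24 allowlist and the last, benign sample line are assumptions made for the example; the other sample lines are quoted from this thread), expands HijackThis's "Tcpip\..\{GUID}" and "CS1" shorthand to the real "Tcpip\Parameters\Interfaces\{GUID}" and "ControlSet001" paths, and emits a .reg file using the same "Name"=- delete syntax as fixme.reg above. It flags by allowlist rather than by a blacklist of bad addresses, because a DNS changer can use any resolver it likes.

```python
"""Parse HijackThis O4/O17 lines, flag NameServer hijacks, and emit the .reg fix.

Added example for this thread; not LoPhatPhuud's or HijackThis' own code.
"""
import ipaddress
import re

# Constructed sample input: the O4 and O17 lines quoted in the thread plus one
# benign O17 line. The 192.168.1.x resolver and the last interface GUID are
# assumptions standing in for the router/ISP resolver the machine should use.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [jwjob.exe] C:\\WINDOWS\\system32\\jwjob.exe
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{3E309A87-C9E9-4A75-A27D-A6DB8B26F9C5}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 85.255.114.76 85.255.112.81
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{0B1C2D3E-0000-4000-8000-000000000001}: NameServer = 192.168.1.1
"""

# Resolvers this machine is allowed to use (assumption for the example).
EXPECTED_RESOLVERS = [ipaddress.ip_network("192.168.1.0/24")]

# HijackThis abbreviates the control set name and the per-interface key.
CONTROL_SETS = {"CCS": "CurrentControlSet", "CS1": "ControlSet001", "CS2": "ControlSet002"}
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<guid>\{[0-9A-Fa-f-]+\})|Parameters): NameServer = (?P<servers>.+)$"
)
O4_RE = re.compile(r"^O4 - HKLM\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def o17_key(cs, guid):
    """Expand HJT's 'Tcpip\\..\\{GUID}' shorthand to the real registry path."""
    control_set = CONTROL_SETS.get(cs) or f"ControlSet00{cs[2:]}"
    base = f"HKEY_LOCAL_MACHINE\\SYSTEM\\{control_set}\\Services\\Tcpip\\Parameters"
    return base if guid is None else f"{base}\\Interfaces\\{guid}"


def parse_servers(text):
    """HJT prints per-interface lists comma-separated and the global list
    space-separated (both forms appear in the thread); accept either."""
    return [s for s in re.split(r"[,\s]+", text.strip()) if s]


def is_expected(server):
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False  # not an address at all: treat as unexpected
    return any(addr in net for net in EXPECTED_RESOLVERS)


def find_hijacked_o17(log):
    """Return [(registry key, [servers])] for every O17 line naming a resolver
    outside EXPECTED_RESOLVERS. Anything the owner did not configure is flagged."""
    findings = []
    for line in log.splitlines():
        m = O17_RE.match(line)
        if m:
            servers = parse_servers(m["servers"])
            if not all(is_expected(s) for s in servers):
                findings.append((o17_key(m["cs"], m["guid"]), servers))
    return findings


def find_run_entries(log, suspicious_names):
    """Return the HKLM Run value names from O4 lines that match the given names."""
    names = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m and m["name"] in suspicious_names:
            names.append(m["name"])
    return names


def build_reg(o17_findings, run_names):
    """Build the .reg text that removes the hijacked values.

    "Name"=- is the .reg syntax for deleting a value. Deleting NameServer makes
    a DHCP client fall back to DhcpNameServer; on a host with a static DNS
    configuration, write "NameServer"="<correct resolver>" instead."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    if run_names:
        lines.append("[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]")
        lines += [f'"{name}"=-' for name in run_names]
        lines.append("")
    for key, servers in o17_findings:
        # ';' starts a comment line in a .reg file; keep the old value for the record.
        lines += [f"; was NameServer = {' '.join(servers)}", f"[{key}]", '"NameServer"=-', ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    hijacked = find_hijacked_o17(SAMPLE_LOG)
    for key, servers in hijacked:
        print(f"HIJACKED {key} -> {servers}")
    reg_text = build_reg(hijacked, find_run_entries(SAMPLE_LOG, {"jwjob.exe", "zmxox.exe"}))
    # newline="" keeps the CRLF pairs from being doubled; regedit reads the
    # version 5.00 format as UTF-16 with a byte-order mark.
    with open("fixme.reg", "w", encoding="utf-16", newline="") as fh:
        fh.write(reg_text)
```

Two caveats a practitioner would want alongside this: deleting NameServer only restores correct resolution on a DHCP client, so on a statically configured host the value should be set to the right resolver rather than removed; and fixing the O17 entries does nothing to the component that wrote them, which is consistent with the entries in this thread returning after every HijackThis fix until the dropped executables and Run entries were removed as well.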
LoPhatPhuud
Just a quick question:
What was the name of the program it wanted you to buy??


(to remove the junk it installed!)
asus
Thanks again, it now looks like all is OK. Didn't answer you right last night because I couldn't get to the forum.

The name of the program that was mentioned on the desktop... I believe it was RAZE SPYWARE. I'm not sure any more, but it was RAZE...something...SPYWARE, I think.

While it was on the desktop I couldn't scan with Panda (online) or any online scanners, or with AdAware, or Spybot S&D...nothing...because as soon as the scan reached the registry it would freeze everything...CPU usage was 100%! So I couldn't do anything really. Then I downloaded Ewido...and it found TROJAN PAKES; after that I was able to open Firefox. Till then I was surfing through IE, which had some porn sites in its favourites. I deleted those too.
Would it be a good idea to clean with CCleaner now, and turn off/on Sys.Restore?

Here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 21:18:19, on 29.6.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pincom\PinCableViewer\PinCableViewer.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
D:\Programs\HDD Temperature\HDDTSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Hum\Desktop\HDDTemperature.exe
D:\hjt\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programs\SpybotSD\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HDD temperature.lnk = C:\Documents and Settings\Hum\Desktop\HDDTemperature.exe
O4 - Global Startup: Check Local Printer.lnk = C:\Program Files\KXP6X00\Chkpnt.exe
O4 - Global Startup: PinCableViewer.lnk = C:\Program Files\Pincom\PinCableViewer\PinCableViewer.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HDD Temperature (HDDTService) - PalickSoft - D:\Programs\HDD Temperature\HDDTSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



P.S. AdAware found 14 tracking cookies, and Ewido deleted some spyware too.
LoPhatPhuud
That looks real good.

Whenever you get those ads for spyware programs, check it out here: http://www.spywarewarrior.com/rogue_anti-spyware.htm



Now, unless there are still issues not reflected in your log(s), your system is clean and we are finished. Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and Internet Explorer. This includes SP1 and SP2 if you use Windows XP. The first defense against infection is a properly patched Operating System.
a. Windows Update: http://windowsupdate.microsoft.com/

If you have Word, Excel, Outlook or other Office programs installed. Consider using Microsoft Update instead of Windows Update. See the FAQ page here for more information: http://update.microsoft.com/microsoftupdat...t.aspx?ln=en-us

Also, download and install Microsoft Baseline Security Analyzer. (Note that MBSA is only for Win 2000 SP3 or later and Office XP or later.) When run, it will check the system for security exposures, including missing updates. I suggest running it weekly. You can obtain more information here: http://www.microsoft.com/technet/security/...s/mbsahome.mspx


2. Check your Java Runtime version. (Current=1.5.0_07-b03, aka Version 5.0, Update 7)
You can check the current version of the Java Runtime Modules installed by opening the Java Control Panel and selecting 'About' from the 'General' tab.
The current version can be downloaded from Sun here: http://www.java.com/j2se/1.5.0/download.jsp

Note: Be sure to remove all prior versions using Add/Remove Programs before you install the new one. Remember to reboot after removal.

3. Adjust your security settings for ActiveX:
Select Internet Options from the Control Panel, or from Internet Explorer (Tools -> Internet Options)
Press 'default level', then OK
Now press "Custom Level."

In the ActiveX controls and plug-ins section set these options:
'Download signed ActiveX controls' - Prompt
'Download unsigned ActiveX controls' - Disable
'Initialize and script ActiveX controls not marked as safe' - Disable
Accept the default for all other options.

For Windows XP SP2 users, check this link for additional steps you can take to secure Internet Explorer: http://www.microsoft.com/technet/security/...xp/iesecxp.mspx
Also, for XP SP2 and IE users, in IE, Tools -> Manage Add-ons will give you a list of all BHOs, extensions, and ActiveX modules installed on your computer. You can update, enable or disable them.

4. Download and install the following free programs
a. SpywareBlaster (ActiveX protection): http://www.javacoolsoftware.com/spywareblaster.html
b. IE/Spyad (Malicious Site protection): http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD
You may want to consider also installing ZonedOut (http://www.funkytoad.com/zonedout.htm) to handle the Restricted Site List.
c. Hoster (HOSTS file manager): http://www.funkytoad.com/hoster.htm

5. Install Spyware Detection and Removal Programs:
You may also want to consider installing one (or more) of the following:
a. Windows Defender: http://www.microsoft.com/athome/security/s...re/default.mspx
NOTE: Windows Defender only runs on Windows 2000, XP, Vista, and 2003.
b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download
c. AdAware Personal: http://www.lavasoft.de/

Use these programs to regularly scan your system for and remove many forms of spyware/malware. I recommend a combination of Microsoft Spyware and TeaTimer from Spybot S&D.

If you use, or plan on using, additional spyware/malware detection and/or removal programs, please check Items 8 and 9.

6. Install A Toolbar to Detect Phishes
Phishing is prevalent and on the rise. Make sure the site you go to is real. Your ISP may offer a toolbar to warn you of fake sites, or you can choose one of the following:
a. Spoofstick Toolbar
b. Netcraft Toolbar

7. Reset System Restore
If you are using Windows ME or Windows XP, please reset your System Restore. See Windows help for information.

8. Clean Temporary Files and Folders
Download and install the disk cleanup utility called Cleanup! from here:
http://cleanup.stevengould.org/

Cleanup! will get rid of any malware which may be hiding in your temp folders (a common hiding place). You may also regain a massive amount of disk space.
Here is a tutorial which describes its usage:
http://www.bleepingcomputer.com/forums/tutorial93.html

Run the disk cleanup utility called Cleanup! that you have already downloaded and installed
Check the custom settings to your liking under Options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, clean out the Prefetch folder and the Recycle Bin.
Then reboot into normal mode to let it clean out the remaining files.

9. Rogue/Suspect Anti-Spyware
Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www.spywarewarrior.com/rogue_anti-spyware.htm

10. Anti-Spyware Programs Compared
Want to know just how effective your anti-spyware program is? Wonder how well any of the "rogue" programs listed above work? Check this link for an independent comparison of several anti-spyware programs: http://www.spywarewarrior.com/asw-test-guide.htm

11. Alternate Browser
Consider using an alternate browser as your default. I recommend and use Firefox as my primary browser. It is still necessary to keep Internet Explorer current and protected in order to use Windows Update.


For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857

"It is your responsibility to read and adhere to the End User Licensing Agreement (EULA) of all software and services mentioned."

Good luck, and thanks for coming to our forums for help with your security and malware issues.
asus
Hello again.
After the cleanup before, I still had problems... 1. computer was running really slow... 2. CPU usage 100%...
Didn't want to bother you again, when you said the log was clean. BUT... problems were still there. So, I tried to do something by myself. Had Zone Alarm, so I thought it was causing CPU 100% all the time (vsmon.exe bug); I uninstalled Zone Alarm and installed Kaspersky firewall instead... and then tried to scan with AdAware...it would stop after a few seconds, it would freeze the system... I tried online scanners (Panda)...also a frozen system... I tried a registry scan...frozen system...nothing worked. Ewido did manage to get through...scan finished...found several traces of spyware, adware, trojans...a lot of trojans, like: Trojan.SMALL, DOWNLOADER.SMALL, Trojan.FAKEALERT, Trojan.PAKES... it did delete all of those, so I reset System Restore...did a Cleanup and then set it ON again... the computer did start to behave rather normally...but I did a scan again...and then the Trojans were there again! Deleted them... back again... and again... I did a TrendMicro online scan...deleted some things too... Then reset, and now Ewido again...and the Trojans are back again.

Don't know what to do anymore, really.


Ewido reports:

1. report

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:18:22 AM 7/3/2006

+ Scan result:



C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0015848.exe -> Adware.-- Look for another playground -- : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{021E022B-8712-4354-894C-785D7A7BCEEB}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{0480910B-F772-4E3F-ACBC-76A6FCB5CAD0}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{096B7726-FFF0-4EAE-A338-A99DE460C2A4}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{1A533ECE-61E2-4CB5-9D43-11D16DA104DC}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{206D82CE-7E26-4D43-A534-2B8FD4A5C203}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{235296BC-3EB2-4089-A9AD-3C6EA35B82CC}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{255CC78C-ED09-4D23-AED2-0C2716A73A48}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{257873F8-D57D-4FE8-8909-3E7AEDFDE443}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{2C69C28B-2920-4E13-90E8-C39AD75A1B77}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{35BB75F3-AE96-49DA-BE73-E1B1CC6C43EB}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{3631859F-3E90-4E25-A92B-C9B2A01DD8EF}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{3EA79157-2B79-41D9-BD73-29264C1EB70C}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{489A5578-6E05-4744-8CA5-105C04648CE9}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{7B7FB3D6-F21E-4E53-ABCA-DE7A256311AB}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{8E15F754-8830-45EC-A5DE-95C1EBC4459D}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{ABFC9250-0491-484A-9884-6EB013D1598D}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{AE12FFF2-1A66-4DC6-B37C-7851B172BE99}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{C046535B-34B1-44AB-B8CE-B5F56353BC4C}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{DB76876D-2872-432E-A33E-0E77FA64A5F0}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{DF4DBE4C-992D-423C-8C7A-9172665D4805}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{E518C750-2E74-4D84-8708-012314E3988C}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{E81C9E80-DB4F-4B3A-84CA-2593AD91ED39}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{FA7D4C19-EBE5-4BDB-AF76-A312B981277D}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0012600.exe -> Adware.MediaBack : Cleaned with backup (quarantined).
D:\PROGRAMI\Programi\Sve za Divx\DivX Repair 1.0.6\repair-1.0.6.exe -> Adware.MediaBack : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0017908.exe -> Adware.Msnagent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0015846.exe -> Adware.Raze : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0015847.dll -> Adware.SBSoft : Cleaned with backup (quarantined).
D:\hjt\backups\backup-20060628-201026-179.dll -> Adware.SBSoft : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0015845.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
:mozilla.93:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.47:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.40:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.50:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.51:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.52:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.53:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.31:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.33:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.36:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.37:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.69:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.70:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.74:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.75:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.18:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
:mozilla.19:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
:mozilla.20:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
:mozilla.113:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.114:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.115:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.108:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.109:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.110:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.111:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.112:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.120:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.48:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.105:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.106:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.107:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0016852.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0016853.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{1341FD65-896E-4EA2-B7AA-A824B4AE6F2C}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0017872.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0017926.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0017944.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0017956.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0017969.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0018097.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0018129.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0018182.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0018205.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0018220.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0018263.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0018276.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0018286.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0018298.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0018310.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0019310.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0019334.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0020334.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0021334.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0021401.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0012795.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0012821.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0013821.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0013836.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0014836.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0015844.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dmfui.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{3E45C219-33DF-4714-A4C5-D95CDD330A22}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).


::Report end



2. report

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:33:54 PM 7/3/2006

+ Scan result:



C:\WINDOWS\system32\{009AD4BF-FBCC-4BB2-8EC1-3B9BE233251B}.exe -> Adware.FindSpy : Cleaned.
C:\WINDOWS\system32\{21402490-239B-40C9-9D02-4B4F389AED9A}.exe -> Adware.FindSpy : Cleaned.
C:\WINDOWS\system32\{3F869366-57CC-4501-9ABA-BB26C07C55BD}.exe -> Adware.FindSpy : Cleaned.
C:\WINDOWS\system32\{4055CEE9-8E8D-418D-BAA4-24623C5883BB}.exe -> Adware.FindSpy : Cleaned.
C:\WINDOWS\system32\{5FA03C70-7AF0-4082-B084-318BA0EF1DF3}.exe -> Adware.FindSpy : Cleaned.
C:\WINDOWS\system32\{67A670C2-91B3-47EF-A936-6B0B51A3F985}.exe -> Adware.FindSpy : Cleaned.
C:\WINDOWS\system32\{8C1BA9A9-0F11-4ADE-8365-90BA97A3682B}.exe -> Adware.FindSpy : Cleaned.
C:\WINDOWS\system32\{90EE7FF3-B90F-46A8-9471-F6D212548D58}.exe -> Adware.FindSpy : Cleaned.
C:\WINDOWS\system32\{A4278C10-94B3-42D9-8143-A7870F3F0D5A}.exe -> Adware.FindSpy : Cleaned.
C:\WINDOWS\system32\{A79A5BB3-3B28-44AC-AF86-4FD5BFE0D04C}.exe -> Adware.FindSpy : Cleaned.
C:\WINDOWS\system32\{AFE9CF8C-8387-4FCB-9DF7-A797F55F0922}.exe -> Adware.FindSpy : Cleaned.
C:\WINDOWS\system32\{C6CC1F3F-C146-4A01-9C12-C988372ACB0E}.exe -> Adware.FindSpy : Cleaned.
C:\WINDOWS\system32\{DAE733EB-1A91-4B4B-A062-F54852B6FE12}.exe -> Adware.FindSpy : Cleaned.
C:\WINDOWS\system32\{F389AB47-F479-443F-B8CA-8A3B42AD241F}.exe -> Adware.FindSpy : Cleaned.
C:\WINDOWS\system32\{61B813FE-D24C-43C9-9DCF-F83FED6AB9B7}.exe -> Adware.Msnagent : Cleaned.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP1\A0000005.exe -> Trojan.Pakes : Cleaned.
[1348] VM_00B40000 -> Trojan.Pakes : Error during cleaning.
C:\WINDOWS\system32\{F8216C14-2545-49C3-B0AD-8526AE75FC39}.exe -> Trojan.Small.gq : Cleaned.


::Report end



3. report

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:17:28 AM 7/3/2006

+ Scan result:



C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0015848.exe -> Adware.-- Look for another playground -- : No action taken.
C:\WINDOWS\system32\{021E022B-8712-4354-894C-785D7A7BCEEB}.exe -> Adware.FindSpy : No action taken.
C:\WINDOWS\system32\{0480910B-F772-4E3F-ACBC-76A6FCB5CAD0}.exe -> Adware.FindSpy : No action taken.
C:\WINDOWS\system32\{096B7726-FFF0-4EAE-A338-A99DE460C2A4}.exe -> Adware.FindSpy : No action taken.
C:\WINDOWS\system32\{1A533ECE-61E2-4CB5-9D43-11D16DA104DC}.exe -> Adware.FindSpy : No action taken.
C:\WINDOWS\system32\{206D82CE-7E26-4D43-A534-2B8FD4A5C203}.exe -> Adware.FindSpy : No action taken.
C:\WINDOWS\system32\{235296BC-3EB2-4089-A9AD-3C6EA35B82CC}.exe -> Adware.FindSpy : No action taken.
C:\WINDOWS\system32\{255CC78C-ED09-4D23-AED2-0C2716A73A48}.exe -> Adware.FindSpy : No action taken.
C:\WINDOWS\system32\{257873F8-D57D-4FE8-8909-3E7AEDFDE443}.exe -> Adware.FindSpy : No action taken.
C:\WINDOWS\system32\{2C69C28B-2920-4E13-90E8-C39AD75A1B77}.exe -> Adware.FindSpy : No action taken.
C:\WINDOWS\system32\{35BB75F3-AE96-49DA-BE73-E1B1CC6C43EB}.exe -> Adware.FindSpy : No action taken.
C:\WINDOWS\system32\{3631859F-3E90-4E25-A92B-C9B2A01DD8EF}.exe -> Adware.FindSpy : No action taken.
C:\WINDOWS\system32\{3EA79157-2B79-41D9-BD73-29264C1EB70C}.exe -> Adware.FindSpy : No action taken.
C:\WINDOWS\system32\{489A5578-6E05-4744-8CA5-105C04648CE9}.exe -> Adware.FindSpy : No action taken.
C:\WINDOWS\system32\{7B7FB3D6-F21E-4E53-ABCA-DE7A256311AB}.exe -> Adware.FindSpy : No action taken.
C:\WINDOWS\system32\{8E15F754-8830-45EC-A5DE-95C1EBC4459D}.exe -> Adware.FindSpy : No action taken.
C:\WINDOWS\system32\{ABFC9250-0491-484A-9884-6EB013D1598D}.exe -> Adware.FindSpy : No action taken.
C:\WINDOWS\system32\{AE12FFF2-1A66-4DC6-B37C-7851B172BE99}.exe -> Adware.FindSpy : No action taken.
C:\WINDOWS\system32\{C046535B-34B1-44AB-B8CE-B5F56353BC4C}.exe -> Adware.FindSpy : No action taken.
C:\WINDOWS\system32\{DB76876D-2872-432E-A33E-0E77FA64A5F0}.exe -> Adware.FindSpy : No action taken.
C:\WINDOWS\system32\{DF4DBE4C-992D-423C-8C7A-9172665D4805}.exe -> Adware.FindSpy : No action taken.
C:\WINDOWS\system32\{E518C750-2E74-4D84-8708-012314E3988C}.exe -> Adware.FindSpy : No action taken.
C:\WINDOWS\system32\{E81C9E80-DB4F-4B3A-84CA-2593AD91ED39}.exe -> Adware.FindSpy : No action taken.
C:\WINDOWS\system32\{FA7D4C19-EBE5-4BDB-AF76-A312B981277D}.exe -> Adware.FindSpy : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0012600.exe -> Adware.MediaBack : No action taken.
D:\PROGRAMI\Programi\Sve za Divx\DivX Repair 1.0.6\repair-1.0.6.exe -> Adware.MediaBack : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0017908.exe -> Adware.Msnagent : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0015846.exe -> Adware.Raze : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0015847.dll -> Adware.SBSoft : No action taken.
D:\hjt\backups\backup-20060628-201026-179.dll -> Adware.SBSoft : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0015845.exe -> Downloader.Small.buy : No action taken.
:mozilla.93:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.47:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.40:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.50:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.51:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.52:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.53:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.31:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.33:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.36:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.37:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.69:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Hitslink : No action taken.
:mozilla.70:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Hitslink : No action taken.
:mozilla.74:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Hitslink : No action taken.
:mozilla.75:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Hitslink : No action taken.
:mozilla.18:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : No action taken.
:mozilla.19:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : No action taken.
:mozilla.20:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : No action taken.
:mozilla.113:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.114:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.115:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.108:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.109:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.110:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.111:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.112:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.120:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.48:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.105:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.106:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.107:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0016852.exe -> Trojan.Fakealert : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0016853.exe -> Trojan.Fakealert : No action taken.
C:\WINDOWS\system32\{1341FD65-896E-4EA2-B7AA-A824B4AE6F2C}.exe -> Trojan.Hoster : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0017872.exe -> Trojan.Pakes : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0017926.exe -> Trojan.Pakes : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0017944.exe -> Trojan.Pakes : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0017956.exe -> Trojan.Pakes : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0017969.exe -> Trojan.Pakes : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0018097.exe -> Trojan.Pakes : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0018129.exe -> Trojan.Pakes : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0018182.exe -> Trojan.Pakes : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0018205.exe -> Trojan.Pakes : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0018220.exe -> Trojan.Pakes : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0018263.exe -> Trojan.Pakes : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0018276.exe -> Trojan.Pakes : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0018286.exe -> Trojan.Pakes : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0018298.exe -> Trojan.Pakes : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0018310.exe -> Trojan.Pakes : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0019310.exe -> Trojan.Pakes : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0019334.exe -> Trojan.Pakes : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0020334.exe -> Trojan.Pakes : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0021334.exe -> Trojan.Pakes : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP75\A0021401.exe -> Trojan.Pakes : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0012795.exe -> Trojan.Small : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0012821.exe -> Trojan.Small : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0013821.exe -> Trojan.Small : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0013836.exe -> Trojan.Small : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0014836.exe -> Trojan.Small : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP74\A0015844.exe -> Trojan.Small : No action taken.
C:\WINDOWS\system32\dmfui.exe -> Trojan.Small : No action taken.
C:\WINDOWS\system32\{3E45C219-33DF-4714-A4C5-D95CDD330A22}.exe -> Trojan.Small.gq : No action taken.


::Report end

4. report

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:49:35 PM 7/3/2006

+ Scan result:



C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP1\A0000017.exe -> Adware.FindSpy : Cleaned.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP1\A0000018.exe -> Adware.FindSpy : Cleaned.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP1\A0000019.exe -> Adware.FindSpy : Cleaned.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP1\A0000020.exe -> Adware.FindSpy : Cleaned.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP1\A0000021.exe -> Adware.FindSpy : Cleaned.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP1\A0000022.exe -> Adware.FindSpy : Cleaned.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP1\A0000023.exe -> Adware.FindSpy : Cleaned.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP1\A0000024.exe -> Adware.FindSpy : Cleaned.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP1\A0000025.exe -> Adware.FindSpy : Cleaned.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP1\A0000026.exe -> Adware.FindSpy : Cleaned.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP1\A0000027.exe -> Adware.FindSpy : Cleaned.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP1\A0000028.exe -> Adware.FindSpy : Cleaned.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP1\A0000029.exe -> Adware.FindSpy : Cleaned.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP1\A0000030.exe -> Adware.FindSpy : Cleaned.
[1460] VM_00A50000 -> Downloader.Agent.uj : Error during cleaning.
[1540] VM_003F0000 -> Downloader.Agent.uj : Error during cleaning.
[1548] VM_009F0000 -> Downloader.Agent.uj : Error during cleaning.
[1572] VM_00920000 -> Downloader.Agent.uj : Error during cleaning.
[1584] VM_00B00000 -> Downloader.Agent.uj : Error during cleaning.
[1680] VM_00AD0000 -> Downloader.Agent.uj : Error during cleaning.
[548] VM_00DD0000 -> Downloader.Agent.uj : Error during cleaning.
[572] VM_00A70000 -> Downloader.Agent.uj : Error during cleaning.
:mozilla.16:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP1\A0000036.exe -> Trojan.Pakes : Cleaned.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP1\A0001036.exe -> Trojan.Pakes : Cleaned.
C:\WINDOWS\system32\{5C448684-CDA7-42FA-9BA5-9F535717E349}.exe -> Trojan.Puper.bx : Cleaned.
C:\WINDOWS\system32\{67F65C13-3EA1-4140-92CE-44A065FECCB1}.exe -> Trojan.Puper.bx : Cleaned.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP1\A0000016.exe -> Trojan.Small.gq : Cleaned.


::Report end



I included all 4 reports so you can see that the trojans are coming back, and they are in System Restore.

_______________________________________________________________________________________

I'll include a HJT log as well:


Logfile of HijackThis v1.99.1
Scan saved at 9:52:51 PM, on 7/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Pincom\PinCableViewer\PinCableViewer.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
D:\Programs\kerio_firewall\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\svchost.exe
D:\Programs\kerio_firewall\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\alg.exe
D:\Programs\kerio_firewall\Personal Firewall\kpf4gui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\hjt\HijackThis.exe
D:\Programs\kerio_firewall\Personal Firewall\assist.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programs\SpybotSD\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dmorw.exe] C:\WINDOWS\system32\dmorw.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Global Startup: Check Local Printer.lnk = C:\Program Files\KXP6X00\Chkpnt.exe
O4 - Global Startup: PinCableViewer.lnk = C:\Program Files\Pincom\PinCableViewer\PinCableViewer.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - D:\Programs\kerio_firewall\Personal Firewall\kpf4ss.exe



Any Ideas?
LoPhatPhuud
I can only go by what the logs show and comments you make. Since there was nothing to the contrary, I assumed you were clean. By all means, please post back if not clean!!

You can resolve the hits in the System Restore area by resetting it, although until your computer is clean, I would not recommend it.


The trojan may be a rootkit, so that is our next step. I will also do some checking to see if I can get any information on the bug you have...

Please download RootKitRevealer from here:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire contents of the log file here for me to see.
LoPhatPhuud
You may also want to try a trojan-specific program.

A2 (A Squared) can remove this one and they have a free version. Instructions for its use are on this web page, along with links to download:

http://www.emsisoft.com/en/software/free/
asus
RootkitRevealer log:

C:\Documents and Settings\Hum\Desktop\a2freesetup.exe 4.7.2006 0:45 3.33 MB Hidden from Windows API.
C:\Documents and Settings\Hum\Local Settings\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\Cache\04E7C341d01 4.7.2006 0:42 16.13 KB Hidden from Windows API.
C:\Documents and Settings\Hum\Local Settings\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\Cache\4657F77Bd01 4.7.2006 0:48 35.30 KB Hidden from Windows API.
C:\Documents and Settings\Hum\Local Settings\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\Cache\4677851Bd01 4.7.2006 0:45 34.18 KB Hidden from Windows API.
C:\Documents and Settings\Hum\Local Settings\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\Cache\55AA5141d01 4.7.2006 0:45 3.33 MB Hidden from Windows API.
C:\Documents and Settings\Hum\Local Settings\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\Cache\57452483d01 4.7.2006 0:48 23.78 KB Hidden from Windows API.
C:\Documents and Settings\Hum\Local Settings\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\Cache\7809A523d01 4.7.2006 0:42 19.74 KB Hidden from Windows API.
C:\Documents and Settings\Hum\Local Settings\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\Cache\827C2678d01 4.7.2006 0:42 59.87 KB Hidden from Windows API.
C:\Documents and Settings\Hum\Local Settings\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\Cache\88D8ECC1d01 4.7.2006 0:45 20.47 KB Hidden from Windows API.
C:\Documents and Settings\Hum\Local Settings\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\Cache\9436F01Dd01 4.7.2006 0:45 17.53 KB Hidden from Windows API.
C:\Documents and Settings\Hum\Local Settings\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\Cache\A05B086Fd01 4.7.2006 0:48 31.82 KB Hidden from Windows API.
C:\Documents and Settings\Hum\Local Settings\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\Cache\A136108Ed01 4.7.2006 0:45 16.07 KB Hidden from Windows API.
C:\Documents and Settings\Hum\Local Settings\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\Cache\D842CC01d01 4.7.2006 0:45 69.21 KB Hidden from Windows API.
C:\Documents and Settings\Hum\Local Settings\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\Cache\F6FA738Bd01 4.7.2006 0:45 18.78 KB Hidden from Windows API.
C:\Documents and Settings\Hum\Local Settings\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\Cache\F979C9B1d01 4.7.2006 0:45 16.68 KB Hidden from Windows API.

Will try a2 now. thanx.
asus
A2 did find some things and deleted them, but after that I scanned with Ewido, and again Trojans.

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:27:23 AM 7/4/2006

+ Scan result:



[1540] VM_003F0000 -> Downloader.Agent.uj : Error during cleaning.
[1548] VM_009F0000 -> Downloader.Agent.uj : Error during cleaning.
[1572] VM_00920000 -> Downloader.Agent.uj : Error during cleaning.
[1584] VM_00B00000 -> Downloader.Agent.uj : Error during cleaning.
[1680] VM_00AD0000 -> Downloader.Agent.uj : Error during cleaning.
[2776] VM_00A30000 -> Downloader.Agent.uj : Error during cleaning.
[548] VM_00DD0000 -> Downloader.Agent.uj : Error during cleaning.
[572] VM_00A70000 -> Downloader.Agent.uj : Error during cleaning.
:mozilla.51:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.63:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.29:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.52:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.30:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.31:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.32:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.43:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.50:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.24:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.25:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.26:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\WINDOWS\system32\dmorw.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP1\A0001043.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP1\A0001044.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).


::Report end
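As an added example that is not part of this thread (neither poster's code, and not an ewido tool): a small Python triage script for the ewido 4.0 report format shown above. The point it makes is the one the repeated reports bury: lines of the form "[pid] VM_xxxxxxxx -> ... : Error during cleaning." are detections inside a running process's memory, which a file scanner cannot remove and which keep re-dropping the {GUID}.exe and dm???.exe files in system32, whereas the System Volume Information hits are inert snapshot copies. The category names, the "dm" + three letters naming heuristic (an observation from the file names in this thread, not a published signature), and the sample report lines (constructed from the format on this page) are all assumptions of the example.

```python
"""Triage an ewido anti-spyware 4.0 scan report (added example, not ewido's code).

Each finding is classified by where it lives, because the kinds need different responses:
  memory  - "[pid] VM_xxxxxxxx" lines: detection in a live process's address space.
            A file-based cleaner cannot remove it; this is the active infection.
  restore - copies under System Volume Information\\_restore{...}\\RPnn: inert
            snapshots, removed by purging System Restore once the box is clean.
  cookie  - ":mozilla.N:...cookies.txt" tracking cookies: privacy noise only.
  backup  - a tool's own quarantine/backup folder (e.g. HijackThis backups).
  file    - anything else on disk that was present at scan time.
"""
import re
from collections import Counter

# Constructed sample in the exact line format ewido used on this page.
SAMPLE_REPORT = r"""
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:27:23 AM 7/4/2006

+ Scan result:

[1540] VM_003F0000 -> Downloader.Agent.uj : Error during cleaning.
[548] VM_00DD0000 -> Downloader.Agent.uj : Error during cleaning.
:mozilla.51:C:\Documents and Settings\Hum\Application Data\Mozilla\Firefox\Profiles\6vr16ioq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\WINDOWS\system32\dmorw.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{3E45C219-33DF-4714-A4C5-D95CDD330A22}.exe -> Trojan.Small.gq : No action taken.
C:\System Volume Information\_restore{703B89D9-35CB-46F9-BC5C-340B0496462F}\RP1\A0001043.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
D:\hjt\backups\backup-20060628-201026-179.dll -> Adware.SBSoft : No action taken.

::Report end
"""

# "<where> -> <detection name> : <action>."  (the where part may itself contain colons)
FINDING_RE = re.compile(r"^(?P<where>.+?) -> (?P<name>[^:]+?) : (?P<action>.+?)\.?$")
MEMORY_RE = re.compile(r"^\[(?P<pid>\d+)\] VM_(?P<base>[0-9A-F]{8})$")
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP\d+\\", re.I)
COOKIE_RE = re.compile(r"^:mozilla\.\d+:")
BACKUP_RE = re.compile(r"\\backups?\\|\\quarantine\\", re.I)
# Heuristic (assumption from this thread): dropper names are {GUID}.exe or dm???.exe in system32.
DROPPED_RE = re.compile(r"\\system32\\(\{[0-9A-F-]{36}\}|dm[a-z]{3})\.exe$", re.I)


def classify(where):
    """Map the 'where' field of a finding to one of the kinds listed above."""
    if MEMORY_RE.match(where):
        return "memory"
    if COOKIE_RE.match(where):
        return "cookie"
    if RESTORE_RE.search(where):
        return "restore"
    if BACKUP_RE.search(where):
        return "backup"
    return "file"


def parse_report(text):
    """Return a list of dicts, one per finding line; header/footer lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue
        where = m.group("where")
        f = {"where": where, "name": m.group("name").strip(),
             "action": m.group("action").rstrip("."), "kind": classify(where)}
        mm = MEMORY_RE.match(where)
        if mm:
            f["pid"] = int(mm.group("pid"))
        findings.append(f)
    return findings


def triage(findings):
    """Summarise: counts per kind, files still on disk, PIDs still carrying the
    detection in memory, and suspected dropper file names."""
    counts = Counter(f["kind"] for f in findings)
    live_files = [f["where"] for f in findings
                  if f["kind"] == "file" and not f["action"].startswith("Cleaned")]
    infected_pids = sorted({f["pid"] for f in findings
                            if f["kind"] == "memory" and f["action"].startswith("Error")})
    dropped_names = [f["where"] for f in findings
                     if f["kind"] == "file" and DROPPED_RE.search(f["where"])]
    return {"counts": dict(counts), "live_files": live_files, "infected_pids": infected_pids,
            "dropped_names": dropped_names,
            # Active infection: something still runs in memory or still sits on disk.
            "active": bool(infected_pids) or bool(live_files)}


def triage_text(text):
    """Convenience wrapper: parse a pasted report and triage it in one call."""
    return triage(parse_report(text))


if __name__ == "__main__":
    summary = triage_text(SAMPLE_REPORT)
    print("kinds:", summary["counts"])
    print("in-memory detections in PIDs:", summary["infected_pids"])
    print("live files on disk:", summary["live_files"])
    print("ACTIVE INFECTION" if summary["active"] else "nothing live found")
```

Fed the reports from this thread, the script reports the same PIDs (548, 572, 1540, 1548, 1572, 1584, 1680) in every scan after 7/3, which is why the system32 files keep reappearing: the processes hosting the downloader were never stopped, so cleaning files and purging System Restore alone cannot end it.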
LoPhatPhuud
Ewido only removed tracking cookies and the junk from the System Restore area. Time to reset it!

First:
Now that your PC is clean, make sure all programs are running properly, and then you'll need to reset your restore points in Windows XP. Why?

One of the best features of Windows XP is the System Restore option, however if a virus infects a computer with this operating system the virus can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405

Next, we highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help

How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857



Second:
Download: Clear the Cache (freeware) http://www.ccleaner.com/
Once installed, run CCleaner and click the Windows tab. Select the following options: (not all are available for Win98/ME)
Next, click Options, then click Advanced.
Uncheck "Only delete files older than 48 hrs" and click OK. Then click Run Cleaner (bottom right), then Exit.

CCleaner should be run with the above settings for each user!



Third:
Please download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.zip

Unzip it to the desktop and double-click on it.
Silent Runners will ask if you want to skip the supplementary search.
Please select 'No' to include them. The program will take longer to run, but will give us more information.

If you get any kind of warning message about scripts, please choose to allow the script to run.

When the scan is finished, a message will pop up and a logfile will have been created on the desktop.
The logfile is named 'Startup Programs' by default and will be located where the program is.

Please post the entire contents of this logfile for me to see.


Last:
Run HijackThis and post a new log in this thread.