Antivirus Protection
#1, October 23rd, 2004, 09:14 AM
krum atsev (Registered User, Dev Shed Newbie; Join Date: Oct 2004; Posts: 12)
IE hijacked?, won't start

Shortly after downloading from mirror.cs.wisc.edu/pub/mirrors/ghost I discovered PageMaker7 online help doesn't work, also failure to start IE from desktop icon or shortcut, or from .exe file [no message received], same with Favorites from Start toolbar; starting HTMLs from WinExplorer or shortcuts on desktop receives delayed message '...cannot find [file]. make sure [...] is a valid pathname...'. Access to the I-net is however possible thru Windows Explorer>view>explorerbar>history[or searchers], Favorites and desktop shortcuts work then, but still some programs, such as Photoshop7, AdobeReader6, SpyBouncer, report failure to connect to or update database from the I-net. I reinstalled IE first by upgrading to the MS XP SP2 version, with no improvement, then by setup from CD, to same effect. AdAware and SpySweeper removed several bugs with no change, NortonAntivirus & F-Prot detect none, SpyDoctor trial version reports numerous problems, to be fixed after purchase. HijackThis generated log part 1 follows [part 2 in next thread, as attachment unmanageable]

Logfile of HijackThis v1.98.2
Scan saved at 14:18:31, on 23.10.04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WService.EXE
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\realtime.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SpyBlocker Software\SpywareStopper\spywarestopper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\INCRED~1\bin\IMOLApp.exe
C:\HiJackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

Hoping that my procedures hitherto, although not the description, have saved some of your time, I remain in wait of salvation

#2, October 23rd, 2004, 09:28 AM
krum atsev
IE hijacked?, won't start 2 [help with HJThis log needed]

[follows part 2 of
Logfile of HijackThis v1.98.2
Scan saved at 14:18:31, on 23.10.04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
part 1 in previous thread]:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.nbu.bg
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.nbu.bg
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll (filesize 272983 bytes, MD5 B8E162E9B9A83849458F457EB84ED137)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (filesize 245760 bytes, MD5 AB7875A7318FFD0C9C7389C4F40065B2)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (filesize 50376 bytes, MD5 0C0E1B2BCAED8DF401BE94D538BCB412)
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll (filesize 229376 bytes, MD5 B8D2EA737777A3313A3B6FA5251FDC72)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll (filesize 192512 bytes, MD5 964621E8B2415FEAA99026ED4F29D198)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll (filesize 65536 bytes, MD5 F2FAFE3CB6412C89F43D88CCEBE308F3)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (filesize 708608 bytes, MD5 76E459F4BDB7DE4DC828CF70CC6B94A2)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (filesize 112248 bytes, MD5 988409CE6ED638AAFDBECFB6EC863F4F)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll (filesize 86016 bytes, MD5 94D01CBA4FBB4EB408F02F549CA5D815)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll (filesize 272983 bytes, MD5 B8E162E9B9A83849458F457EB84ED137)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (filesize 245760 bytes, MD5 AB7875A7318FFD0C9C7389C4F40065B2)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (filesize 708608 bytes, MD5 76E459F4BDB7DE4DC828CF70CC6B94A2)
O3 - Toolbar: &Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll (filesize 401408 bytes, MD5 29D4D5AB13ABABB068BDE80B5F7A2254)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (filesize 112248 bytes, MD5 988409CE6ED638AAFDBECFB6EC863F4F)
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC (filesize 455168 bytes, MD5 024DC0F68DF5FD6AE9DD82DFBAF479D6)
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName (filesize 455168 bytes, MD5 024DC0F68DF5FD6AE9DD82DFBAF479D6)
O4 - HKLM\..\Run: [WService] WService.EXE (filesize 28672 bytes, MD5 05D196B51881100E93A92D777F6FC243)
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE (filesize 290816 bytes, MD5 BE4430D763E63FCE37EE254594133DFB)
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp (filesize 33280 bytes, MD5 DA285490BBD8A1D0CE6623577D5BA1FF)
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINDOWS\srchupdt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup (filesize 33280 bytes, MD5 DA285490BBD8A1D0CE6623577D5BA1FF)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install (filesize 753664 bytes, MD5 AA022DFA622C90C3060CA794914B11AA)
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe" (filesize 278528 bytes, MD5 EEF02F205DAC244787C528647BFD0C27)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (filesize 155648 bytes, MD5 3E4C03CEFAD8DE135263236B61A49C90)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe (filesize 155648 bytes, MD5 3E4C03CEFAD8DE135263236B61A49C90)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (filesize 98304 bytes, MD5 76A3A30B58405C2C6D833895253A51A9)
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe (filesize 91648 bytes, MD5 1668411625E8994AB2973106981E89F9)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (filesize 54976 bytes, MD5 F2F3CF92C4D6CF2E019493BAF3DE0F5E)
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" (filesize 59072 bytes, MD5 3DC5F0E636BAA3CD6E0C97E03128963D)
O4 - HKLM\..\Run: [SpywareStopper] C:\Program Files\SpyBlocker Software\SpywareStopper\spywarestopper.exe (filesize 394752 bytes, MD5 E4C39A8FCAC8C34262B589B65A18AA5A)
O4 - HKLM\..\Run: [Bouncer RunStartup] C:\Program Files\Bouncer\liveupdate.exe 110 (filesize 110592 bytes, MD5 E41E4816D9B046C2C8177CAC60CD55A4)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (filesize 15360 bytes, MD5 24232996A38C0B0CF151C2140AE29FC8)
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe (filesize 95344 bytes, MD5 4D8B98507C15C217D749C8405BA39BD4)
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0 (filesize 3058688 bytes, MD5 C27FD3ADDF6B6463EEF211E75B7B2B30)
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (filesize 113664 bytes, MD5 C2FF17734176CD15221C10044EF0BA1A)
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (filesize 360448 bytes, MD5 61C028ABA5E49573A6332F4A7C744E87)
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (filesize 113664 bytes, MD5 C2FF17734176CD15221C10044EF0BA1A)

[part 3 in next thread]

#3, October 23rd, 2004, 09:32 AM
krum atsev
IE hijacked?, won't start 3 [help with HJThis log needed]

[part 3 of
Logfile of HijackThis v1.98.2
Scan saved at 14:18:31, on 23.10.04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
parts 2&1 in previous threads]

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (filesize 69632 bytes, MD5 978294640062C57482BF2B65A342C266)
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm (filesize 591 bytes, MD5 F5405047DA612086AE3DC4CDBB046BDC)
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm (filesize 575 bytes, MD5 4F5140BEADB0A78CE30E9F0F4B591B8F)
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm (filesize 1898 bytes, MD5 208F30C68E12274B625E3EDF9186680C)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: &Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll (filesize 401408 bytes, MD5 29D4D5AB13ABABB068BDE80B5F7A2254)
O9 - Extra 'Tools' menuitem: &Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll (filesize 401408 bytes, MD5 29D4D5AB13ABABB068BDE80B5F7A2254)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (filesize 320656 bytes, MD5 B33A0BCE72CDC81B56154E9DF4AF34F6)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (filesize 320656 bytes, MD5 B33A0BCE72CDC81B56154E9DF4AF34F6)
O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (filesize 2323536 bytes, MD5 FD23D4D11A9F5748723FC06716BEBD30)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (filesize 2323536 bytes, MD5 FD23D4D11A9F5748723FC06716BEBD30)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (filesize 1224704 bytes, MD5 80173439AE505A62C1076E05D7478E98)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (filesize 1224704 bytes, MD5 80173439AE505A62C1076E05D7478E98)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1667584 bytes, MD5 B53343FE60A33EE765C2476D50D27B26)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1667584 bytes, MD5 B53343FE60A33EE765C2476D50D27B26)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMSERVICE_1040_pack_XP.cab
O16 - DPF: {A0EB6CA1-B26C-475D-A342-9257C5420A0D} (SFUtility Class) - http://searchfst.com/update/searchfast.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab

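An added triage script for the HijackThis log format posted above (example code written for this page; it is not part of the thread and not a HijackThis or Ad-Aware tool). It parses each entry line into its section code, CLSID, MD5 and URL host, flags every O10 line (HijackThis's own report of a modified Winsock LSP chain) and any entry naming the components the scans in this thread identified (New.Net, MyWay myBar, SearchFast). The sample lines are a constructed subset of the posted log, and the INDICATORS list with its labels is an assumption built from this thread only, not a published signature set.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the shape of the HijackThis v1.98.2 log posted in this
# thread: a subset of its lines, not the whole log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.nbu.bg
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (filesize 245760 bytes, MD5 AB7875A7318FFD0C9C7389C4F40065B2)
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll (filesize 229376 bytes, MD5 B8D2EA737777A3313A3B6FA5251FDC72)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (filesize 112248 bytes, MD5 988409CE6ED638AAFDBECFB6EC863F4F)
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINDOWS\srchupdt.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O10 - Hijacked Internet access by New.Net
O16 - DPF: {A0EB6CA1-B26C-475D-A342-9257C5420A0D} (SFUtility Class) - http://searchfst.com/update/searchfast.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
"""

# Name fragments of the unwanted components this thread's scans identified
# (HijackThis O10 lines, Ad-Aware family names), mapped to a triage label.
# Assumed, hand-built list for the example, not a signature set.
INDICATORS = {
    "newdot": "New.Net (Winsock LSP hijack)",
    "new.net": "New.Net (Winsock LSP hijack)",
    "myway": "MYWAY.SPEEDBAR toolbar",
    "mybar": "MYWAY.SPEEDBAR toolbar",
    "searchfst": "SEARCHFAST",
    "srchfst": "SEARCHFAST",
}
LSP_FLAG = "Winsock LSP chain altered (O10)"

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MD5_RE = re.compile(r"\bMD5 ([0-9A-Fa-f]{32})\b")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")


@dataclass
class Entry:
    kind: str                      # HijackThis section code: R0, O2, O4, O16, ...
    body: str                      # everything after "Oxx - "
    clsid: Optional[str] = None    # COM class id, normalised to upper case
    md5: Optional[str] = None      # MD5 the log printed for the file
    host: Optional[str] = None     # host of any URL on the line (R0, O16)
    flags: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.flags)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis line into an Entry; None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid = CLSID_RE.search(body)
    md5 = MD5_RE.search(body)
    host = URL_HOST_RE.search(body)
    return Entry(
        kind=m.group("kind"),
        body=body,
        clsid=clsid.group(0).upper() if clsid else None,
        md5=md5.group(1).upper() if md5 else None,
        host=host.group(1).lower() if host else None,
    )


def flag_entry(entry: Entry) -> Entry:
    """Attach triage flags: indicator name matches plus the O10 rule."""
    lowered = entry.body.lower()
    for needle, label in INDICATORS.items():
        if needle in lowered and label not in entry.flags:
            entry.flags.append(label)
    # An O10 line is HijackThis's own verdict that a third party inserted
    # itself into the Winsock LSP chain. A damaged chain breaks IE and
    # program updaters in just the way the opening post describes, so every
    # O10 is flagged whether or not its name is in INDICATORS.
    if entry.kind == "O10" and LSP_FLAG not in entry.flags:
        entry.flags.append(LSP_FLAG)
    return entry


def triage(log_text: str) -> list:
    """Parse and flag every entry line of a HijackThis log, in order."""
    return [flag_entry(e) for e in map(parse_entry, log_text.splitlines()) if e]


def report(entries) -> dict:
    """Counts per section code plus the flagged subset, for a quick overview."""
    by_kind = {}
    for e in entries:
        by_kind[e.kind] = by_kind.get(e.kind, 0) + 1
    return {"by_kind": by_kind, "flagged": [e for e in entries if e.suspicious]}


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        marker = "!!" if e.suspicious else "  "
        print(f"{marker} {e.kind:<4} {(e.host or e.clsid or ''):<45} {', '.join(e.flags)}")
```

Run it directly to print the flagged lines; against a full log, treat the flags as a reading aid only, since the name list covers just what this thread found and an unflagged entry is not thereby clean. The O10 rule and the host column are the two pieces worth keeping for other logs: a Winsock LSP change explains broken connectivity by itself, and an O16 entry is ActiveX code pulled from the named host.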
#4, October 23rd, 2004, 01:50 PM
edwinbrains (Retired Moderator; Join Date: Jan 2004; Location: London, UK; Posts: 6,670)
Threads merged.
__________________
- Edwin -

The General Rules Thread | The General FAQ Thread

#5, October 23rd, 2004, 05:06 PM
krum atsev
Quote:
Originally Posted by edwinbrains
Threads merged.

10X. Hope it won't ruin your weekend.

#6, October 23rd, 2004, 07:12 PM
Tom Myboy (Contributing User; Join Date: Aug 2003; Posts: 2,491)
Hi krum atsev,

Quote:
SpyDoctor trial verson reports numerous problems, to be
fixed after purchase.


You don't need to buy any software to remove malware off your computer. All the software we recommend here is either freeware or donationware.

OK let's get started...

Download Stinger. Save it to your Desktop. Double-click it to start it. Make sure all of your drives are listed in the "Directories to scan" box (C:\ D:\ E:\, etc.). Click the Scan Now button and let it remove anything it finds.

http://vil.nai.com/vil/stinger/

Next...

Perform an online virus scan from this site:

Trend Micro Housecall - Again, select all of your drives to be scanned. Please check "Auto clean" before scanning.

http://housecall.trendmicro.com/

If you can, copy and paste the report logs from the scans into your next post.

Next....

Let's do some more cleaning up:

Download Ad-Aware SE Personal Edition version 1.05 from:

http://www.lavasoft.de/support/download/

Run Adaware, click the "Check for Updates now" link. Install the latest reference file

Perform a "Full system scan" with Adaware. Remove all checked items.

Then...

Download, install and UPDATE Spybot Search and Destroy 1.3. Scan and fix all items checked in RED.

http://www.safer-networking.org/en/download/index.html

Reboot and post a fresh HijackThis log.

Tom
__________________
HijackThis
Ad-aware
Spybot Search & Destroy
SpywareBlaster
SpywareGuard
Housecall Online A/V Scan

Please read the stickys at the top of the forum before posting!

#7, October 24th, 2004, 05:41 PM
krum atsev
Sorry for the delay, browsing & downloading isn't that handy thru WinExplorer, some programs crashed meanwhile. Directions followed, Stinger report too long, just listing all scanned files, ending with 'Number of clean files: 148996'; impossible to attach [over 12 MB!?]. Proceeding with online check, results in next thread.
I've read lots of your lore, tried to imitate, hoping to save your time, probably to diverse effect. Anyway, glad to be in safe arms now. A fiend in need is a fiend indeed.

#8, October 24th, 2004, 08:53 PM
krum atsev
As previously reported, Stinger finished with:
'Number of clean files: 148996'.

Online scan from Housecall listed:
'82651 files, infected 0'.

Ad-Aware log as follows:
ArchiveData(auto-quarantine- 2004-10-25 03-13-39.bckp)
Referencefile : SE1R14 22.10.2004
ALTNETBDE
obj[0]=Regkey : software\classes\adm4.adm4
obj[1]=RegValue : software\classes\adm4.adm4 ""
obj[2]=Regkey : software\classes\adm25.adm25
obj[3]=RegValue : software\classes\adm25.adm25 ""
obj[4]=Regkey : software\classes\adm4.adm4.1
obj[5]=RegValue : software\classes\adm4.adm4.1 ""
obj[6]=Regkey : software\classes\adm25.adm25.1
obj[7]=RegValue : software\classes\adm25.adm25.1 ""
obj[8]=Regkey : software\classes\appid\adm.exe
obj[9]=RegValue : software\classes\appid\adm.exe "AppID"
obj[10]=Regkey : software\classes\appid\altnet signing module.exe
obj[11]=RegValue : software\classes\appid\altnet signing module.exe "AppID"
obj[170]=Folder : C:\Program Files\Altnet
obj[171]=Folder : C:\WINDOWS\temp\Altnet
obj[175]=File : C:\Documents and Settings\Krum Acev\Local Settings\Temp\asmfiles.cab
obj[176]=File : C:\Documents and Settings\Krum Acev\Local Settings\Temp\asmfiles.cab
obj[178]=File : C:\WINDOWS\Temp\Altnet\adm25.dll
obj[179]=File : C:\WINDOWS\Temp\Altnet\adm4.dll
obj[180]=File : C:\WINDOWS\Temp\Altnet\admdata.dll
obj[181]=File : C:\WINDOWS\Temp\Altnet\admdloader.dll
obj[182]=File : C:\WINDOWS\Temp\Altnet\admfdi.dll
obj[183]=File : C:\WINDOWS\Temp\Altnet\admprog.dll
obj[184]=File : C:\WINDOWS\Temp\Altnet\dmfiles.cab
obj[185]=File : C:\WINDOWS\Temp\Altnet\dmfiles.cab
obj[186]=File : C:\WINDOWS\Temp\Altnet\DMinfo3.cab
obj[187]=File : C:\WINDOWS\Temp\Altnet\pmexe.cab
obj[188]=File : C:\WINDOWS\Temp\Altnet\pmfiles.cab
obj[189]=File : C:\WINDOWS\Temp\Altnet\Setup.exe
obj[190]=File : C:\WINDOWS\temp\altnet\adm.exe
obj[191]=File : C:\WINDOWS\temp\altnet\atl.dll
obj[192]=File : C:\WINDOWS\temp\altnet\dminstall3.cab
obj[193]=File : C:\WINDOWS\temp\altnet\msvcirt.dll
obj[194]=File : C:\WINDOWS\temp\altnet\mysearch.cab
obj[195]=File : C:\WINDOWS\temp\altnet\pmfiles.cab
obj[196]=File : C:\WINDOWS\temp\altnet\pminstall.cab
obj[197]=File : C:\WINDOWS\temp\altnet\Setup.cab

MYWAY.SPEEDBAR
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[12]=Regkey : mywaytoolbar.netscapestartup
obj[13]=RegValue : mywaytoolbar.netscapestartup ""
obj[14]=Regkey : mywaytoolbar.netscapeshutdown.1
obj[15]=RegValue : mywaytoolbar.netscapeshutdown.1 ""
obj[16]=Regkey : clsid\{0494d0d7-f8e0-41ad-92a3-14154ece70ac}
obj[17]=RegValue : clsid\{0494d0d7-f8e0-41ad-92a3-14154ece70ac} ""
obj[18]=Regkey : interface\{0494d0dc-f8e0-41ad-92a3-14154ece70ac}
obj[19]=RegValue : interface\{0494d0dc-f8e0-41ad-92a3-14154ece70ac} ""
obj[20]=Regkey : mywaytoolbar.netscapeshutdown
obj[21]=RegValue : mywaytoolbar.netscapeshutdown ""
obj[22]=Regkey : clsid\{0494d0d5-f8e0-41ad-92a3-14154ece70ac}
obj[23]=RegValue : clsid\{0494d0d5-f8e0-41ad-92a3-14154ece70ac} ""
obj[24]=Regkey : mywaytoolbar.netscapestartup.1
obj[25]=RegValue : mywaytoolbar.netscapestartup.1 ""
obj[26]=Regkey : clsid\{014da6cd-189f-421a-88cd-07cfe51cff10}
obj[27]=Regkey : interface\{0494d0d6-f8e0-41ad-92a3-14154ece70ac}
obj[28]=RegValue : interface\{0494d0d6-f8e0-41ad-92a3-14154ece70ac} ""
obj[29]=Regkey : clsid\{0494d0db-f8e0-41ad-92a3-14154ece70ac}
obj[30]=RegValue : clsid\{0494d0db-f8e0-41ad-92a3-14154ece70ac} ""
obj[31]=Regkey : clsid\{0494d0d9-f8e0-41ad-92a3-14154ece70ac}
obj[32]=RegValue : clsid\{0494d0d9-f8e0-41ad-92a3-14154ece70ac} ""
obj[33]=Regkey : clsid\{0494d0d3-f8e0-41ad-92a3-14154ece70ac}
obj[34]=RegValue : clsid\{0494d0d3-f8e0-41ad-92a3-14154ece70ac} ""
obj[35]=Regkey : interface\{0494d0da-f8e0-41ad-92a3-14154ece70ac}
obj[36]=RegValue : interface\{0494d0da-f8e0-41ad-92a3-14154ece70ac} ""
obj[37]=Regkey : clsid\{0494d0d1-f8e0-41ad-92a3-14154ece70ac}
obj[38]=RegValue : clsid\{0494d0d1-f8e0-41ad-92a3-14154ece70ac} ""
obj[39]=Regkey : interface\{0494d0d4-f8e0-41ad-92a3-14154ece70ac}
obj[40]=RegValue : interface\{0494d0d4-f8e0-41ad-92a3-14154ece70ac} ""
obj[41]=Regkey : clsid\{0494d0d2-f8e0-41ad-92a3-14154ece70ac}
obj[42]=RegValue : clsid\{0494d0d2-f8e0-41ad-92a3-14154ece70ac} ""
obj[43]=Regkey : mywaytoolbar.settingsplugin
obj[44]=RegValue : mywaytoolbar.settingsplugin ""
obj[45]=Regkey : clsid\{014da6c9-189f-421a-88cd-07cfe51cff10}
obj[46]=Regkey : mywaytoolbar.settingsplugin.1
obj[47]=RegValue : mywaytoolbar.settingsplugin.1 ""
obj[48]=Regkey : typelib\{0494d0d0-f8e0-41ad-92a3-14154ece70ac}
obj[49]=Regkey : software\microsoft\windows\currentversion\uninstall\my way speedbar uninstall
obj[50]=RegValue : software\microsoft\windows\currentversion\uninstall\my way speedbar uninstall "DisplayName"
obj[51]=RegValue : software\microsoft\windows\currentversion\uninstall\my way speedbar uninstall "HelpLink"
obj[52]=RegValue : software\microsoft\windows\currentversion\uninstall\my way speedbar uninstall "Publisher"
obj[53]=RegValue : software\microsoft\windows\currentversion\uninstall\my way speedbar uninstall "UninstallString"
obj[54]=RegValue : software\microsoft\windows\currentversion\uninstall\my way speedbar uninstall "UrlInfoAbout"
obj[55]=Regkey : software\myway\mybar
obj[56]=RegValue : software\myway\mybar "Dir"
obj[57]=RegValue : software\myway\mybar "ShzmCurInstall"
obj[58]=RegValue : software\myway\mybar "pid"
obj[59]=RegValue : software\myway\mybar "strings"
obj[60]=RegValue : software\myway\mybar "CurInstall"
obj[61]=RegValue : software\myway\mybar "sr"
obj[62]=RegValue : software\myway\mybar "pl"
obj[63]=RegValue : software\myway\mybar "Id"
obj[64]=RegValue : software\myway\mybar "Build"
obj[65]=RegValue : software\myway\mybar "CacheDir"
obj[66]=RegValue : software\myway\mybar "HistoryDir"
obj[67]=RegValue : software\myway\mybar "Visible"
obj[68]=RegValue : software\myway\mybar "SettingsDir"
obj[69]=RegValue : software\myway\mybar "ConfigRevision"
obj[70]=RegValue : software\myway\mybar "ConfigRevisionURL"
obj[71]=RegValue : software\myway\mybar "ConfigDateStamp"
obj[72]=RegValue : software\myway\mybar "Maximized"
obj[73]=Regkey : software\myway\mybar\partner
obj[74]=RegValue : software\myway\mybar\partner "bitmap"
obj[75]=RegValue : software\myway\mybar\partner "name"
obj[76]=RegValue : software\myway\mybar\partner "test"
obj[77]=RegValue : software\myway\mybar\partner "PM-Home"
obj[78]=RegValue : software\myway\mybar\partner "PM-Points"
obj[79]=RegValue : software\myway\mybar\partner "PM-Redeem"
obj[80]=RegValue : software\myway\mybar\partner "PM-Wallet"
obj[81]=RegValue : software\myway\mybar\partner "PM-Settings"
obj[82]=Regkey : software\microsoft\windows\currentversion\explorer\browser helper objects\{0494d0d1-f8e0-41ad-92a3-14154ece70ac}
obj[83]=RegValue : software\microsoft\windows\currentversion\explorer\browser helper objects\{0494d0d1-f8e0-41ad-92a3-14154ece70ac} ""
obj[102]=RegValue : S-1-5-21-1993962763-706699826-725345543-1003\software\microsoft\internetexplorer\toolbar\shellbrowser "{0494D0D9-F8E0-41ad-92A3-14154ECE70AC}"
obj[103]=RegValue : S-1-5-21-1993962763-706699826-725345543-1003\software\netscape\netscape navigator\automationshutdown "MyWayToolBar.NetscapeShutdown.1"
obj[104]=RegValue : S-1-5-21-1993962763-706699826-725345543-1003\software\netscape\netscape navigator\automationstartup "MyWayToolBar.NetscapeStartup.1"
obj[105]=RegValue : software\microsoft\internetexplorer\toolbar "{0494D0D9-F8E0-41ad-92A3-14154ECE70AC}"
obj[172]=Regkey : software\myway
obj[173]=Folder : C:\Program Files\MyWay
obj[174]=Folder : C:\Program Files\myway\myBar
obj[177]=File : C:\Program Files\MyWay\myBar\1.bin\NPMYWAY.DLL
obj[198]=File : C:\Program Files\myway\mybar\1.bin\MY2NS.EXE
obj[199]=File : C:\Program Files\myway\mybar\1.bin\MYBAR.DLL
obj[200]=File : C:\Program Files\myway\mybar\1.bin\MYWAYPLUGINPROXY.CLASS
obj[201]=File : C:\Program Files\myway\mybar\1.bin\PARTNER.BMP
obj[202]=File : C:\Program Files\myway\mybar\1.bin\PARTNER.DAT
obj[203]=File : C:\Program Files\myway\mybar\1.bin\PARTNER2.DAT
obj[204]=File : C:\Program Files\myway\mybar\1.bin\PARTNER3.DAT
obj[205]=File : C:\Program Files\myway\mybar\1.bin\PARTNER4.DAT
obj[206]=File : C:\Program Files\myway\mybar\1.bin\PARTNER5.DAT
obj[207]=File : C:\Program Files\myway\mybar\1.bin\PARTNER6.DAT

SEARCHFAST
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[84]=Regkey : S-1-5-21-1993962763-706699826-725345543-1003\software\searchfst
obj[85]=RegValue : S-1-5-21-1993962763-706699826-725345543-1003\software\searchfst "PartnerID"
obj[86]=RegValue : S-1-5-21-1993962763-706699826-725345543-1003\software\searchfst "ReferID"
obj[87]=RegValue : S-1-5-21-1993962763-706699826-725345543-1003\software\searchfst


[continued in next post]

#9, October 24th, 2004, 09:00 PM
krum atsev
[Ad-Aware log continued from previous post]
"InstallID"

WIN32.ADVERTS.TROJANDOWNLOADER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[88]=Regkey : S-1-5-21-1993962763-706699826-

725345543-1003\software\program info
obj[89]=RegValue : S-1-5-21-1993962763-

706699826-725345543-1003\software\program info

"ClientID"

WIN32.WINTRIM.TROJAN.B
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[90]=Regkey : typelib\{f3a257e6-fa04-4b30-

a1b6-6b89eb814544}\1.0
obj[91]=RegValue : typelib\{f3a257e6-fa04-4b30-

a1b6-6b89eb814544}\1.0 ""
obj[92]=Regkey : interface\{c13fa88a-d264-4bc8-

92ed-52eb8181e209}\proxystubclsid32
obj[93]=RegValue : interface\{c13fa88a-d264-

4bc8-92ed-52eb8181e209}\proxystubclsid32 ""
obj[94]=Regkey : interface\{c13fa88a-d264-4bc8-

92ed-52eb8181e209}\typelib
obj[95]=RegValue : interface\{c13fa88a-d264-

4bc8-92ed-52eb8181e209}\typelib ""
obj[96]=RegValue : interface\{c13fa88a-d264-

4bc8-92ed-52eb8181e209}\typelib "Version"
obj[97]=Regkey : interface\{c13fa88a-d264-4bc8-

92ed-52eb8181e209}
obj[98]=RegValue : interface\{c13fa88a-d264-

4bc8-92ed-52eb8181e209} ""
obj[99]=Regkey : typelib\{f3a257e6-fa04-4b30-

a1b6-6b89eb814544}
obj[100]=Regkey : interface\{c13fa88a-d264-4bc8

-92ed-52eb8181e209}\proxystubclsid
obj[101]=RegValue : interface\{c13fa88a-d264-

4bc8-92ed-52eb8181e209}\proxystubclsid ""

POSSIBLE BROWSER HIJACK ATTEMPT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[106]=Regkey : Software\Microsoft\Windows\CurrentVersion\Uninstall\NoAdware_is1
obj[107]=RegValue : Software\Microsoft\Windows\CurrentVersion\Uninstall\NoAdware_is1 "Inno Setup: Setup Version"
obj[108]=RegValue : Software\Microsoft\Windows\CurrentVersion\Uninstall\NoAdware_is1 "Inno Setup: App Path"
obj[109]=RegValue : Software\Microsoft\Windows\CurrentVersion\Uninstall\NoAdware_is1 "Inno Setup: Icon Group"
obj[110]=RegValue : Software\Microsoft\Windows\CurrentVersion\Uninstall\NoAdware_is1 "Inno Setup: User"
obj[111]=RegValue : Software\Microsoft\Windows\CurrentVersion\Uninstall\NoAdware_is1 "Inno Setup: Selected Tasks"
obj[112]=RegValue : Software\Microsoft\Windows\CurrentVersion\Uninstall\NoAdware_is1 "Inno Setup: Deselected Tasks"
obj[113]=RegValue : Software\Microsoft\Windows\CurrentVersion\Uninstall\NoAdware_is1 "DisplayName"
obj[114]=RegValue : Software\Microsoft\Windows\CurrentVersion\Uninstall\NoAdware_is1 "UninstallString"
obj[115]=RegValue : Software\Microsoft\Windows\CurrentVersion\Uninstall\NoAdware_is1 "URLInfoAbout"
obj[116]=RegValue : Software\Microsoft\Windows\CurrentVersion\Uninstall\NoAdware_is1 "HelpLink"
obj[117]=RegValue : Software\Microsoft\Windows\CurrentVersion\Uninstall\NoAdware_is1 "URLUpdateInfo"
obj[118]=Regkey : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}
obj[119]=RegValue : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000} "SystemComponent"
obj[120]=RegValue : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000} "Installer"
obj[121]=Regkey : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{A0EB6CA1-B26C-475D-A342-9257C5420A0D}
obj[122]=RegValue : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{A0EB6CA1-B26C-475D-A342-9257C5420A0D} "SystemComponent"
obj[123]=RegValue : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{A0EB6CA1-B26C-475D-A342-9257C5420A0D} "Installer"

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

OTHER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[208]=File : C:\WINDOWS\prefetch\123WASP_SETUP.EXE-1F15BDF7.pf
obj[209]=File : C:\WINDOWS\prefetch\IE6SETUP.EXE-2E8B96EF.pf
obj[210]=File : C:\WINDOWS\prefetch\IMOLSETUP.EXE-06496C59.pf
obj[211]=File : C:\WINDOWS\prefetch\IMSETUP.EXE-2094C000.pf
obj[212]=File : C:\WINDOWS\prefetch\SETUP.EXE-0B5E45DE.pf
obj[213]=File : C:\WINDOWS\prefetch\SETUP.EXE-0DDCC2C8.pf
obj[214]=File : C:\WINDOWS\prefetch\SETUP.EXE-13D46428.pf
obj[215]=File : C:\WINDOWS\prefetch\SETUP.EXE-3235BFD1.pf
obj[216]=File : C:\WINDOWS\prefetch\SETUP.EXE-37455126.pf
obj[217]=File : C:\WINDOWS\prefetch\SETUP.EXE-393E66AE.pf

[Spybot and Hijack logs in next post]

#10
October 24th, 2004, 09:05 PM
krum atsev
Spybot message:
'No immediate threats found. Error during check!: Unknown (Datei C:\Documents and Settings\Krum Acev\Desktop\FREE.??????? ????.uri kann nicht geoffnet werden. The filename, directory name or volume syntax is incorrect)'

Logfile of HijackThis v1.98.2
Scan saved at 03:52:17, on 25.10.04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\realtime.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SpyBlocker Software\SpywareStopper\spywarestopper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\WService.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bouncer\bouncer.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\HiJackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.nbu.bg
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.nbu.bg
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll (filesize 272983 bytes, MD5 B8E162E9B9A83849458F457EB84ED137)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (filesize 50376 bytes, MD5 0C0E1B2BCAED8DF401BE94D538BCB412)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll (filesize 192512 bytes, MD5 964621E8B2415FEAA99026ED4F29D198)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (filesize 744960 bytes, MD5 ABF5BA518C6A5ED104496FF42D19AD88)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll (filesize 65536 bytes, MD5 F2FAFE3CB6412C89F43D88CCEBE308F3)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (filesize 708608 bytes, MD5 76E459F4BDB7DE4DC828CF70CC6B94A2)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (filesize 112248 bytes, MD5 988409CE6ED638AAFDBECFB6EC863F4F)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll (filesize 86016 bytes, MD5 94D01CBA4FBB4EB408F02F549CA5D815)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll (filesize 272983 bytes, MD5 B8E162E9B9A83849458F457EB84ED137)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (filesize 708608 bytes, MD5 76E459F4BDB7DE4DC828CF70CC6B94A2)
O3 - Toolbar: &Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll (filesize 401408 bytes, MD5 29D4D5AB13ABABB068BDE80B5F7A2254)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (filesize 112248 bytes, MD5 988409CE6ED638AAFDBECFB6EC863F4F)
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC (filesize 455168 bytes, MD5 024DC0F68DF5FD6AE9DD82DFBAF479D6)
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName (filesize 455168 bytes, MD5 024DC0F68DF5FD6AE9DD82DFBAF479D6)
O4 - HKLM\..\Run: [WService] WService.EXE (filesize 28672 bytes, MD5 05D196B51881100E93A92D777F6FC243)
O4 - HKLM\..\Run: [F-StopW] C:\Program