stephen Posted June 21, 2006

Logfile of HijackThis v1.99.1
Scan saved at 5:23:25 PM, on 6/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Sean\Desktop\xampp\apache\bin\apache.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\xampp\xampp\mysql\bin\mysqld-nt.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\dfndra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Documents and Settings\Sean\Desktop\xampp\apache\bin\apache.exe
C:\WINDOWS\algm.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Sean\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,eifcqmp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [newname] C:\\nwnm.exe
O4 - HKLM\..\Run: [defender] C:\\dfndra.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139889000593
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\ixfoctrs.dll
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\ieetppui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache - Unknown owner - C:\AppServ\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Apache2 - Unknown owner - C:\Documents and Settings\Sean\Desktop\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EFTP3 Server (EFTP3Server) - Unknown owner - C:\Program Files\EFTP\EFTP3ServerService.exe (file missing)
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: mysql - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Documents and Settings\Sean\Desktop\xampp\service.exe (file missing)
O23 - Service: Windows XP-SP2 FW (XP-P2FWD) - Unknown owner - C:\WINDOWS\algm.exe
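As an added example (not code from the thread, and not part of HijackThis), here is a small triage script for a HijackThis 1.99 log that flags the four persistence points visible in the log above: the extra binary chained onto the UserInit value (F2), Run entries that launch executables straight from the drive root (O4), Winlogon Notify packages that are not on a stock XP SP2 install (O20), and a service whose binary sits directly under C:\WINDOWS (O23). The embedded log lines are excerpted from the post above; the KNOWN_NOTIFY allow-list and the flagging rules are this example's own assumptions, not something HijackThis provides.

```python
"""Triage a HijackThis 1.99 log for the persistence points used by the
infection in the thread above. Added example: not code from the thread and
not part of HijackThis. Log lines below are excerpted from stephen's first
post; KNOWN_NOTIFY and the flagging rules are this example's assumptions."""
import re
from typing import List, Tuple

# Excerpt of the HijackThis log posted above (only the sections we check).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,eifcqmp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [newname] C:\\nwnm.exe
O4 - HKLM\..\Run: [defender] C:\\dfndra.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\ixfoctrs.dll
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\ieetppui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Windows XP-SP2 FW (XP-P2FWD) - Unknown owner - C:\WINDOWS\algm.exe
"""

# Winlogon Notify packages present on a stock Windows XP SP2 install
# (assumption: a reviewer-maintained allow-list; OEM drivers add their own).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon"}

HJT_ITEM = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# A command that is just <drive>:\<name>.exe, optionally quoted. The log
# shows the root path with a doubled backslash (C:\\nwnm.exe), hence \\+.
ROOT_EXE = re.compile(r'^"?[A-Za-z]:\\+[^\\"]+\.exe"?(?:\s|$)', re.IGNORECASE)


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for each item line such as 'O4 - HKLM\\..\\Run: ...'."""
    items = []
    for line in text.splitlines():
        m = HJT_ITEM.match(line.strip())
        if m:
            items.append((m.group("section"), m.group("body")))
    return items


def userinit_extras(body: str) -> List[str]:
    """Binaries chained after userinit.exe in the F2 UserInit value.

    Winlogon runs every comma-separated entry of UserInit at logon, so an
    extra name here executes before the shell and survives Run-key cleanup."""
    _, _, value = body.partition("UserInit=")
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if not p.lower().endswith(r"\userinit.exe")]


def run_entry_in_root(body: str) -> bool:
    """True when an O4 Run entry launches an executable from the drive root."""
    _, _, command = body.partition("] ")
    return bool(ROOT_EXE.match(command))


def notify_package(body: str) -> Tuple[str, str]:
    """Split 'Winlogon Notify: <name> - <dll path>' into (name, path)."""
    _, _, rest = body.partition("Winlogon Notify: ")
    name, _, path = rest.partition(" - ")
    return name, path


def service_binary_dir(body: str) -> str:
    """Directory of the binary in 'Service: <name> - <owner> - <path>'."""
    path = body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip().strip('"')
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def triage(text: str) -> List[str]:
    findings = []
    for section, body in parse_hjt(text):
        if section == "F2" and "UserInit=" in body:
            for exe in userinit_extras(body):
                findings.append(f"F2 UserInit chain loads extra binary: {exe}")
        elif section == "O4" and run_entry_in_root(body):
            findings.append(f"O4 Run entry launches from drive root: {body}")
        elif section == "O20":
            name, path = notify_package(body)
            if name not in KNOWN_NOTIFY:
                findings.append(f"O20 Winlogon Notify package not on allow-list: {name} -> {path}")
        elif section == "O23" and service_binary_dir(body) in {"c:\\windows", "c:"}:
            findings.append(f"O23 service binary directly under C:\\WINDOWS or root: {body}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the excerpt it reports seven findings: one F2 (eifcqmp.exe), three O4 (nwnm.exe, dfndra.exe, kybrd.exe), two O20 (ModuleUsage, Reliability) and one O23 (the "Windows XP-SP2 FW" service backed by C:\WINDOWS\algm.exe). The ATI and ctfmon entries pass because their binaries live in Program Files or system32.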
jwbirdsong Posted June 21, 2006 (edited)

First of all, you will need to print out this post and/or save a copy as a text file in Notepad; that way you have a hard copy of these instructions; you can not have IE/Firefox/any browser open during the fix.

You've got a couple of different major infections so it may take a few steps to clean up.. just follow the post as written without skipping any steps and we'll get through it just fine.

Download Brute Force Uninstaller to your desktop
Unzip it to a folder of its own (C:\BFU). BFU needs to be on your root. In most cases this is C:\
Help with unzipping files is HERE
* Right click on THIS LINK and choose save as (or save Link/Target as)
* Place qoofix.bat in your C:\BFU folder. (Important!)
* Now go to the C:\BFU folder you just made
* Doubleclick qooFix.bat. Close all browsers and explorer folders, even this one...!!!
* Choose option 1 (Qoolfix autofix) and follow the prompts.
* Please be patient, it will take about five minutes.
* After the PC has restarted continue with below

Please download Ewido Security Suite, it is a free version of the program.
Install ewido security suite
When installing the program, under "Additional Options" uncheck...
  Install background guard
  Install scan via context menu
* Launch ewido, there should now be an icon on your desktop, double-click it.
* The program will now open to the main screen.
* When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
* You will need to update ewido to the latest definition files:
  On the left hand side of the main screen click update.
  Then click on Start Update.
* The update will start and a progress bar will show the updates being installed. (The status bar at the bottom will display "Update successful".)
* Close Ewido Security Suite

If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates

Once the updates are installed, do the following:
Reboot computer into "Safe Mode" using the "F8" method...
  As soon as the BIOS is loaded begin tapping the F8 key until the Boot Menu appears
  Use the arrow keys to select the Safe Mode menu item
* Once in Safe Mode start Ewido Security Suite
* Click on scanner. (Note: Do not start any programs or open any windows while Ewido is scanning)
* Click on Complete System Scan, the scan will now begin.
* While the scan is in progress you will be prompted to clean files, click OK.
* When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
* Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
* Click Save Report.
* Now save the report .txt file to your desktop.
* Close Ewido Security Suite

Boot back to Normal mode

Download and run F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Run the program, accept statement > next > click > scan > next.
If any items are detected have Blacklight don't do anything with them yet.

After reboot please post
  Ewido log
  a new HijackThis log
  log from Blacklight; log will be named fsbl-<date/time>.log eg. fsbl-20060505134642.log.
in a reply (or replies, it may well take more than one) to this thread.

There WILL be more to do; but this is a GREAT start

Edited June 21, 2006 by jwbirdsong
stephen (Author) Posted June 22, 2006

> [quotes jwbirdsong's instructions above in full]
The Blacklight comes up with an error when I try to install saying "F-Secure Blacklight could not acquire necessary privileges (sedebugprivilege). - your computer setting may prevent acquiring these privileges. - a malicious program might have disabled these privileges."

The ewido log is...

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:05:06 PM 6/21/2006

+ Scan result:

C:\WINDOWS\system32\m6820gloe6qc0.dll -> Adware.Look2Me : No action taken.
C:\WINDOWS\system32\mztrig.dll -> Adware.Look2Me : No action taken.
C:\WINDOWS\system32\nrtfxperf.dll -> Adware.Look2Me : No action taken.
C:\WINDOWS\system32\o0840alqedqe0.dll -> Adware.Look2Me : No action taken.
C:\WINDOWS\system32\rtched20.dll -> Adware.Look2Me : No action taken.
[768] C:\WINDOWS\system32\tlext.dll -> Adware.Look2Me : No action taken.
[952] C:\WINDOWS\system32\tlext.dll -> Adware.Look2Me : No action taken.
C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\ODQRCTQR\AppWrap[1].exe -> Adware.Zestyfind : No action taken.
C:\kybrd.exe -> Downloader.Adload.cf : No action taken.
C:\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : No action taken.
C:\WINDOWS\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : No action taken.
C:\nwnm.exe -> Hijacker.VB.fb : No action taken.
:mozilla.201:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.203:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.204:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.349:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.350:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.351:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.352:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.353:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
C:\Documents and Settings\Jake\Cookies\jake@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.104:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Burstbeacon : No action taken.
:mozilla.90:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.98:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.99:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.237:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.238:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.239:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.240:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.241:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.242:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
C:\Documents and Settings\All Users\Documents\Dads DOCS\Cookies\administrator@casalemedia[1].txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.558:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.502:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Counted : No action taken.
:mozilla.67:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Cpvfeed : No action taken.
:mozilla.68:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Cpvfeed : No action taken.
:mozilla.69:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\All Users\Documents\Dads DOCS\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.266:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.416:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.74:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.75:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.76:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.77:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.78:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.540:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
C:\Documents and Settings\All Users\Documents\Dads DOCS\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\All Users\Documents\Dads DOCS\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\All Users\Documents\Dads DOCS\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\All Users\Documents\Dads DOCS\Cookies\administrator@linksynergy[1].txt -> TrackingCookie.Linksynergy : No action taken.
:mozilla.150:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.151:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.152:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.153:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.281:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.282:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.345:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.346:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.522:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.37:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.38:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.39:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.42:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.43:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.44:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.45:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.60:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.62:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.63:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.64:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.30:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Revenue : No action taken.
:mozilla.472:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.473:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.474:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.475:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.404:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.405:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.406:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.407:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.408:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.409:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.410:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.411:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.288:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.289:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.292:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.125:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.91:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.92:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.93:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.94:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.95:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.97:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.485:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Trafic : No action taken.
C:\Documents and Settings\All Users\Documents\Dads DOCS\Cookies\[email protected][2].txt -> TrackingCookie.Webtrendslive : No action taken.
:mozilla.23:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.24:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.25:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.26:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.27:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.28:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.29:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.31:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Sean\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.32:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.33:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.34:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.35:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.36:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Zedo : No action taken.

The new HJT log is....

Logfile of HijackThis v1.99.1
Scan saved at 10:13:25 PM, on 6/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Documents and Settings\Sean\Desktop\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\xampp\xampp\mysql\bin\mysqld-nt.exe
C:\Documents and Settings\Sean\Desktop\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Documents and Settings\Sean\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,eifcqmp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139889000593
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\dnj4011qe.dll
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\l6p2lg7o16.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache - Unknown owner - C:\AppServ\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Apache2 - Unknown owner - C:\Documents and Settings\Sean\Desktop\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EFTP3 Server (EFTP3Server) - Unknown owner - C:\Program Files\EFTP\EFTP3ServerService.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: mysql - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Documents and Settings\Sean\Desktop\xampp\service.exe (file missing)
O23 - Service: Windows XP-SP2 FW (XP-P2FWD) - Unknown owner - C:\WINDOWS\algm.exe (file missing)

::Report end
jwbirdsong Posted June 22, 2006

Please download Look2Me-Destroyer to your desktop.

1. Close all windows before continuing.
2. Double-click Look2Me-Destroyer.exe to run it.
3. Put a check next to Run this program as a task.
4. You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK.
5. When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, this is normal.
6. Once it's done scanning, click the Remove L2M button.
7. You will receive a Done Scanning message, click OK.
8. When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
9. Your computer will then shutdown. Turn your computer back on.

Please post the contents of Look2Me-Destroyer.txt and a new HiJackThis log.
stephen Posted June 22, 2006 Author

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 6/22/2006 1:10:01 PM

Infected! C:\WINDOWS\system32\fp0m03d1e.dll
Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071496.dll
Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071498.dll
Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071499.dll
Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071504.dll
Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071505.dll
Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071514.dll
Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071544.dll
Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072551.dll
Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072552.dll
Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072553.dll
Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072554.dll
Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072555.dll
Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072557.dll
Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072558.dll
Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0073388.dll
Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0073389.dll
Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0073584.dll
Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0073585.dll
Infected! C:\WINDOWS\system32\fp0m03d1e.dll
Infected! C:\WINDOWS\system32\j04o0ah3ed4.dll
Infected! C:\WINDOWS\system32\uhdmxfrm.dll
Infected! C:\WINDOWS\system32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\fp0m03d1e.dll
C:\WINDOWS\system32\fp0m03d1e.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071496.dll
C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071496.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071498.dll
C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071498.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071499.dll
C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071499.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071504.dll
C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071504.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071505.dll
C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071505.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071514.dll
C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071514.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071544.dll
C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071544.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072551.dll
C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072551.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072552.dll
C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072552.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072553.dll
C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072553.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072554.dll
C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072554.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072555.dll
C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072555.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072557.dll
C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072557.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072558.dll
C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072558.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0073388.dll
C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0073388.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0073389.dll
C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0073389.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0073584.dll
C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0073584.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0073585.dll
C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0073585.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\fp0m03d1e.dll
C:\WINDOWS\system32\fp0m03d1e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\j04o0ah3ed4.dll
C:\WINDOWS\system32\j04o0ah3ed4.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\uhdmxfrm.dll
C:\WINDOWS\system32\uhdmxfrm.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{29647E95-3B73-4716-8EFF-3A1886CDFC26}"
HKCR\Clsid\{29647E95-3B73-4716-8EFF-3A1886CDFC26}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{13EDF38C-316C-43E3-A09A-BD78A5D0B0CD}"
HKCR\Clsid\{13EDF38C-316C-43E3-A09A-BD78A5D0B0CD}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BA45171F-08CC-45F2-A35F-6AF0BFEF7640}"
HKCR\Clsid\{BA45171F-08CC-45F2-A35F-6AF0BFEF7640}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file

Restoring SeDebugPrivilege for Administrators - Succeeded

HERE IS THE HJT LOG...

Logfile of HijackThis v1.99.1
Scan saved at 1:17:22 PM, on 6/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sean\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,eifcqmp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139889000593
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EFTP3 Server (EFTP3Server) - Unknown owner - C:\Program Files\EFTP\EFTP3ServerService.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows XP-SP2 FW (XP-P2FWD) - Unknown owner - C:\WINDOWS\algm.exe (file missing)
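Added example, not part of the original thread and not HijackThis's own logic: a small Python triage pass over HijackThis-style entries that flags the persistence and hijack indicators visible in the logs above, several of which (the F2 UserInit chain to eifcqmp.exe, the searchbar.findthewebsiteyouneed.com search provider, the orphaned XP-P2FWD service) are still present in the final log. The sample log is constructed from entries copied out of the posted logs, with two benign entries kept as controls; the trusted-host list and the flagging rules are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample: entries copied from the HijackThis logs posted in this
# thread, plus two benign entries (ATIPTA, Ati HotKey Poller) as controls.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,eifcqmp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [defender] C:\\dfndra.exe
O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\dnj4011qe.dll
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\l6p2lg7o16.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Windows XP-SP2 FW (XP-P2FWD) - Unknown owner - C:\WINDOWS\algm.exe (file missing)
"""

# Assumption for this example: hosts the stock IE6 search settings point at.
TRUSTED_SEARCH_HOSTS = ("microsoft.com", "msn.com")

HJT_LINE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# An .exe sitting directly in a drive root, e.g. C:\dfndra.exe or C:\\dfndra.exe
ROOT_EXE = re.compile(r"^[A-Za-z]:\\+[^\\\s]+\.exe$", re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased host part of an http(s) URL, or '' if the value is not a URL."""
    m = re.match(r"https?://([^/\s]+)", url.strip())
    return m.group(1).lower() if m else ""


def is_trusted_host(host: str) -> bool:
    return any(host == t or host.endswith("." + t) for t in TRUSTED_SEARCH_HOSTS)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Flag HJT entries that match classic persistence/hijack patterns.

    Rules (assumptions of this example, not HijackThis's verdicts):
      F2    UserInit lists anything besides userinit.exe itself
      R0/R1 a search key points at a host outside TRUSTED_SEARCH_HOSTS
      O4    an autorun launches an .exe straight from a drive root
      O20   a Winlogon Notify DLL has digits in its name or is missing
      O23   a service has no known owner and its binary is missing
    """
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        code, body = m.groups()
        reason = ""
        if code == "F2" and "UserInit=" in body:
            value = body.split("UserInit=", 1)[1]
            extras = [p.strip() for p in value.split(",")
                      if p.strip() and p.strip().lower().rsplit("\\", 1)[-1] != "userinit.exe"]
            if extras:
                reason = "UserInit chains extra binaries: " + ", ".join(extras)
        elif code in ("R0", "R1") and "=" in body and "Search" in body.split("=", 1)[0]:
            host = host_of(body.split("=", 1)[1])
            if host and not is_trusted_host(host):
                reason = "IE search provider points at " + host
        elif code == "O4" and "] " in body:
            target = body.split("] ", 1)[1].strip()
            if target.startswith('"'):          # quoted path with arguments
                target = target[1:].split('"', 1)[0]
            if ROOT_EXE.match(target):
                reason = "autorun launches an executable from the drive root: " + target
        elif code == "O20" and body.startswith("Winlogon Notify:"):
            missing = "(file missing)" in body
            dll = body.rsplit(" - ", 1)[1].replace("(file missing)", "").strip()
            name = dll.rsplit("\\", 1)[-1]
            if missing or re.search(r"\d", name):
                reason = "Winlogon Notify DLL looks random-named or is missing: " + name
        elif code == "O23" and "Unknown owner" in body and "(file missing)" in body:
            reason = "orphaned service: unknown vendor and binary missing"
        if reason:
            findings.append({"code": code, "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f['code']}] {f['reason']}\n    {f['line']}")
```

Run it as is to see the six flagged entries from the sample; feed it a full saved log by replacing SAMPLE_HJT_LOG with the file contents. The rules are deliberately loose (digits in a DLL name, an .exe in a drive root) so they surface candidates for a human to look at, which is how the helper in this thread worked through the O20 and F2 lines; they are not a substitute for checking the file's hash or signature.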