| Thread ID: 65510 | 2006-01-20 18:59:00 | Hijack This log help | JeffH (9656) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 422871 | 2006-01-20 18:59:00 |
Following is a request for help from another forum. I have not been able to clean out everything so am looking for additional help here. I am including everything up to this point so you can see what has been done.

Need help eliminating "Win32 ADAN" and "Trojano" trojans. Avast catches and aborts connection but I have not been able to clean or delete them completely.

Logfile of HijackThis v1.99.1
Scan saved at 10:55:32 AM, on 1/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\system32\hgqhp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.download.com
O15 - Trusted Zone: http://*.snapfiles.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107022192971
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - http://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{20C92EA7-9AA4-4ABE-B96B-5C3BE6882516}: NameServer = 85.255.116.126,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB7AC206-B807-4CEE-994D-B04CC4326DC1}: NameServer = 85.255.116.126,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC8694A1-28D5-4609-B0B7-5489146C27A7}: NameServer = 85.255.116.126,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{E77F95BA-B982-4EF1-866A-A881CBE0EB33}: NameServer = 85.255.116.126,85.255.112.226
O17 - HKLM\System\CS1\Services\Tcpip\..\{20C92EA7-9AA4-4ABE-B96B-5C3BE6882516}: NameServer = 85.255.116.126,85.255.112.226
O17 - HKLM\System\CS3\Services\Tcpip\..\{20C92EA7-9AA4-4ABE-B96B-5C3BE6882516}: NameServer = 85.255.116.126,85.255.112.226
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Thanks.

mlegg (doesn't want to hear your bitching), Posts: 12819, Joined: Aug 2004
Saturday January 07, 2006 9:23 PM

Run Avast in Safe Mode to kill the trojans you have (this is a trojan: O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\system32\hgqhp.exe). Reboot normally and get and run Ewido Security Suite.

Install ewido security suite. When installing the program, under "Additional Options" uncheck:
*Install background guard
*Install scan via context menu

Launch Ewido, there should now be an icon on your desktop, double-click it. The program will now open to the main screen. You will need to update ewido to the latest definition files: On the left hand side of the main screen click update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. (The status bar at the bottom will display "Update successful".) If you are having problems with the updater, you can use this link to manually update ewido: Ewido manual updates

Once the updates are installed, do the following: Click on scanner. Click on Complete System Scan, the scan will now begin. While the scan is in progress you will be prompted to clean files, click OK. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK. Once the scan has completed, there will be a button located at the bottom of the screen named Save Report. Click Save Report. Now save the report.txt file to your desktop.

Then go run Panda Active Scan and this will get rid of extra rubbish.

Open HJT, ALL OTHER WINDOWS MUST BE CLOSED, have HJT fix these entries (there are other lines to fix, but post a new log after following above to see if still there):
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx

Did you put these sites in your trusted zones, from the O15 - Trusted Zone: www.download.com and http://*.snapfiles.com lines? They are not bad sites, but if you did not put them there then take them out.

All the O17 - HKLM\System\CCS\Services\Tcpip lines have the IP addresses 85.255.116.126 & 85.255.112.226 that lead to Belargus, Ukraine. Do you use a proxy? If no, delete all 6 of the O17 lines!

Shut Messenger off, unless you are in an office environment this is not needed. Start -> Programs. Go to Windows Messenger > Tools > Options > Preferences and uncheck "Run this program when Windows starts". Go to Control Panel > Admin Tools > Services and scroll down to the Messenger line. On the left you will see Terminate process, then on the line where it says Startup, use the drop down menu and choose Disable.

Do above and post your new HJT log and also post the Ewido log too.
-------------------------

Pete_C (Custom), Posts: 17194, Joined: May 2004
Wednesday January 18, 2006 10:50 AM

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
is
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
Users with this spyware complained of the following:
Since I do not see McAfee installed, you should fix this with hijackthis.

O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\system32\hgqhp.exe - http://vil.mcafeesecurity.com/vil/content/v_131693.htm
Please take note of the registry entries this trojan adds in addition to this one. Although you can use hijackthis to remove this one entry, you will need to use regedit to remove the other entries.
http://vil.nai.com/vil/stinger/
may be able to remove these entries, but even if you get rid of it by running avast in safe mode, I would double check after reboot that they have been removed. Make sure the file C:\WINDOWS\system32\hgqhp.exe is deleted and recycle bin emptied. Also you will need to follow their additional considerations for XP; turn off system restore after you have confirmed that you can still boot to windows.
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

Have hijackthis fix these entries:
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O15 - Trusted Zone: http://www.download.com
O15 - Trusted Zone: http://*.snapfiles.com
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107022192971
indicates to me that you need to have hijackthis fix this entry and then go to windows update to get your updates. The current version is v6.

These should be removed, they are win32 adan (note they are all different):
O17 - HKLM\System\CCS\Services\Tcpip\..\{20C92EA7-9AA4-4ABE-B96B-5C3BE6882516}: NameServer = 85.255.116.126,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB7AC206-B807-4CEE-994D-B04CC4326DC1}: NameServer = 85.255.116.126,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC8694A1-28D5-4609-B0B7-5489146C27A7}: NameServer = 85.255.116.126,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{E77F95BA-B982-4EF1-866A-A881CBE0EB33}: NameServer = 85.255.116.126,85.255.112.226
O17 - HKLM\System\CS1\Services\Tcpip\..\{20C92EA7-9AA4-4ABE-B96B-5C3BE6882516}: NameServer = 85.255.116.126,85.255.112.226
O17 - HKLM\System\CS3\Services\Tcpip\..\{20C92EA7-9AA4-4ABE-B96B-5C3BE6882516}: NameServer = 85.255.116.126,85.255.112.226
http://vil.nai.com/vil/content/v_135425.htm
contains some additional entries it adds which you will need to check for with regedit and remove if found.

Trojan trojano is also known as winpup. You probably should check this out and see if you have a pup entry in your registry.
http://www.viruslist.com/en/viruses/encyclopedia?virusid=38043
Note the two registry keys you must locate and remove.

I think the slow down you report here
http://forums.g4tv.com/messageview.cfm?catid=64&threadid=546881&STARTPAGE=1
is related to not fully cleaning out the trojan you have and reversing the registry entries it has added.
-------------------------
Free advice, help and Hijackthis analysis from Microsoft MVPs and other professionals at http://www.techsupportforum.com, http://www.windowsbbs.com/ and http://www.besttechie.net/forums/
I am Oshwyn

jhill1229 (Level 1), Posts: 70, Joined: May 2004
Thursday January 19, 2006 11:12 PM

New HJT and ewido posts after taking prescribed steps:

Logfile of HijackThis v1.99.1
Scan saved at 9:48:03 PM, on 1/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\2Wire HomePortal Monitor\2PortalMon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire HomePortal Monitor\2PortalMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: PI Monitor.lnk = C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107022192971
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - http://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 12:00:46 PM, 1/19/2006
+ Report-Checksum: F0CE67A9
+ Scan result:
[580] VM_034E0000 -> Downloader.Agent.uj : Error during cleaning
[604] VM_00A00000 -> Downloader.Agent.uj : Error during cleaning
[1208] VM_009E0000 -> Downloader.Agent.uj : Error during cleaning
[880] VM_009A0000 -> Downloader.Agent.uj : Error during cleaning
[360] VM_00980000 -> Downloader.Agent.uj : Error during cleaning
[528] VM_00A90000 -> Downloader.Agent.uj : Error during cleaning
[872] VM_00920000 -> Downloader.Agent.uj : Error during cleaning
[1068] VM_00A30000 -> Downloader.Agent.uj : Error during cleaning
[1916] VM_003E0000 -> Downloader.Agent.uj : Error during cleaning
[1924] VM_009D0000 -> Downloader.Agent.uj : Error during cleaning
[1936] VM_00E30000 -> Downloader.Agent.uj : Error during cleaning
[1944] VM_009C0000 -> Downloader.Agent.uj : Error during cleaning
[1188] VM_009C0000 -> Downloader.Agent.uj : Error during cleaning
[1156] VM_00AB0000 -> Downloader.Agent.uj : Error during cleaning
[2688] VM_00A70000 -> Downloader.Agent.uj : Error during cleaning
C:\Documents and Settings\Owner\Cookies\owner@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
::Report End

Thank you for any assistance. As an additional item to report - I tried to run Panda Scan but the connection is interrupted by an attempt of Win32 CTX. Thanks.
| JeffH (9656) | ||
| 422872 | 2006-01-20 20:07:00 |
Disable system restore, and boot into safe mode, then run hijackthis again. Tick these entries and tick fix checked.
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
It looks like the trojan part has been removed. Doing the Ewido scan in safe mode might fix it.
| Speedy Gonzales (78) | ||
| 422873 | 2006-01-20 20:15:00 | Also get this (http://www.ccleaner.com) to clean out the temp files etc. on your system. | Speedy Gonzales (78) | ||