Help Please
#1
Ok, I've ordered and ran Xoftspy... downloaded and ran all of these: Ad-Aware, ewido and about everything else I can find. My hijack is:

Logfile of HijackThis v1.99.1
Scan saved at 6:46:06 PM, on 8/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nnca.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\fg\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn3\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\a4zb1dg.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn3\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jjlnbn.exe reg_run
O4 - HKLM\..\RunOnce: [59k7gl.exe] C:\WINDOWS\System32\59k7gl.exe /k
O4 - HKCU\..\RunOnce: [59k7gl.exe] C:\WINDOWS\System32\59k7gl.exe /k
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {78AB15BF-0C99-4E52-87C9-5201394749EF} - http://install.mycleanerpc.com/distid/4810...mycleanerpc.exe
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

Please help.
#2
Welcome.

At this point please rescan once again and insert a check next to each of the following, then close all browser windows and click "fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\a4zb1dg.dll
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jjlnbn.exe reg_run
O4 - HKLM\..\RunOnce: [59k7gl.exe] C:\WINDOWS\System32\59k7gl.exe /k
O4 - HKCU\..\RunOnce: [59k7gl.exe] C:\WINDOWS\System32\59k7gl.exe /k

Now set the system to show hidden files and folders:
http://www.cyberanswers.org/forum/index.ph...ge&pg=showfiles

Open Windows Explorer, locate, then right-click and delete each of the following files:

C:\WINDOWS\System32\jjlnbn.exe
C:\WINDOWS\System32\59k7gl.exe

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All, then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All, then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab, then click the "Reset Web Settings" button. Click Apply, then OK.

Download: eScans mwav (freeware)
http://www.mwti.net/antivirus/free_utilities.asp

• Once installed
• Double-click it to run it, select: all local drives
• Scan all files, press Scan
• When completed, anything suspicious found will be displayed in the lower pane.
• Highlight it (lower pane), press CTRL + C keys
• Reply to your Topic, right-click and paste it in your next reply.
#3
File C:\WINDOWS\System32\ddwshsd.dll infected by "Trojan-Downloader.Win32.Qoologic.n" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\nnc a.exe infected by "Trojan-Downloader.Win32.Qoologic.n" Virus! Action Taken: No Action Taken. File C:\WINDOWS\System32\jjlnbn.exe infected by "Trojan-Downloader.Win32.Qoologic.n" Virus! Action Taken: No Action Taken. File C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nnca.exe infected by "Trojan-Downloader.Win32.Qoologic.n" Virus! Action Taken: No Action Taken. Object "Alexa Spyware/Adware" found in File System! Action Taken: No Action Taken. Object "CWS.smartsearch Spyware/Adware" found in File System! Action Taken: No Action Taken. Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Mo duleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\oscan8.ocx". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Mo duleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\xscan53.ocx". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Mo duleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\ysbactivex.dll". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Mo duleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleU sage\C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Mo duleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleU sage\C:\WINDOWS\Downloaded Program Files\Play365.dll". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Mo duleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleU sage\C:\WINDOWS\SYSTEM\DDMI.VXD". Action Taken: No Action Taken. 
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Mo duleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleU sage\C:\WINDOWS\SYSTEM\DDMI2.sys". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Mo duleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleU sage\C:\WINDOWS\SYSTEM\ddrawex.dll". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Mo duleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleU sage\C:\WINDOWS\SYSTEM\DLPT2.sys". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Mo duleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleU sage\C:\WINDOWS\SYSTEM\DLPT2.VXD". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Mo duleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleU sage\C:\WINDOWS\SYSTEM\qdiagh.ocx". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Mo duleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleU sage\C:\WINDOWS\SYSTEM\quartz.dll". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\DBMSSHRN.DLL". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM32\FINDFAST.CPL". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\CP_950.NLS". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\JETERR40.CHM". Action Taken: No Action Taken. 
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\VFPODBC.TXT". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\DRVVFP.HLP". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\DRVVFP.CNT". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\ODBCJET.HLP". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\ODBCJET.CNT". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\ODBCINST.HLP". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\ODBCINST.CNT". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\MSORCL32.HLP". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\MSOracle32Readme.txt". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\MSORCL32.CNT". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\SQLSRDME.TXT". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\SQLSOLDB.HLP". Action Taken: No Action Taken. 
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\SQLSODBC.HLP". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\SQLOLEDB.TXT". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\CLICONF.HLP". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\MSRPJT40.DLL". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\CP_949.NLS". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\CP_1255.NLS". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\CP_1253.NLS". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\CP_936.NLS". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\CP_874.NLS". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\CP_28591.NLS". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\CP_932.NLS". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\CP_21866.NLS". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\CP_1258.NLS". 
Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\CP_1257.NLS". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\CP_1256.NLS". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\CP_1252.NLS". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\CP_1251.NLS". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\CP_1250.NLS". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\CP_1254.NLS". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\CP_20866.NLS". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\System32\Drivers\I82930.SYS". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\Iosubsys\nerocd95.vxd". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-dan.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-cht.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-nld.nls". Action Taken: No Action Taken. 
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-fra.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-deu.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-ita.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-jpn.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-kor.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-nor.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-ptg.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-rus.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-esp.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-sve.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-fin.nls". Action Taken: No Action Taken. 
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-ptb.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-chs.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-plk.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-csy.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-sky.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-slv.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-hun.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-tha.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-trk.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-ell.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-esl.nls". Action Taken: No Action Taken. 
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Chs.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Cht.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Deu.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Esp.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Fra.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Ita.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Kor.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Nld.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Ptg.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Csy.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Dan.nls". Action Taken: No Action Taken. 
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Ell.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Esl.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Fin.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Hun.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Nor.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Plk.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Ptb.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Rus.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Sky.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Slv.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Sve.nls". Action Taken: No Action Taken. 
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Tha.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Trk.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_chs.chm". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_cht.chm". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_deu.chm". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_esl.chm". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_esp.chm". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_fra.chm". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_ita.chm". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_jpn.chm". Action Taken: No Action Taken. 
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_kor.chm". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_nld.chm". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_ptg.chm". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_sve.chm". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Jpn.nls". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\DLPT2.VXD". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\DDMI.VXD". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "c:\windows\system\iosubsys\Cdralvsd.vxd". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "c:\windows\system\iosubsys\Cdr4vsd.vxd". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "c:\windows\system\iosubsys\Acbhlpr.vxd". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\YDropper.dll". Action Taken: No Action Taken. 
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\xscan53.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\myCleanerPC\DNRProject.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\oscan8.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\ysbactivex.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{00020344-0000-0000-C000-000000000046}" refers to invalid object "mapisrvr.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" refers to invalid object "C:\Program Files\Trend Micro\Tmas\sshook.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{05949835-5FDA-11D1-84C8-0060970E9689}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{094814A2-7208-11d3-B30A-444553540001}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0DED49D5-A8B7-4d5d-97A1-12B0C195874D}" refers to invalid object "BdaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{12ddca87-df4b-41d4-0011-3eab98be3fa0}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1677bd28-d0d8-11d2-83b5-00c04f8edcc4}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{20291AC1-5931-11d2-A521-00A0D10129C0}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{20291AC2-5931-11D2-A521-00A0D10129C0}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2EADFE65-C751-11D1-A636-0000E8DB1EA2}" refers to invalid object "atipdaxx.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3528fe36-bc6f-415f-892f-29980e4af3e0}" refers to invalid object "C:\WINDOWS\System32\uuvks.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{700B1221-CAFF-11d1-B9DE-000000001B1B}" refers to invalid object "atippaxx.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{72556741-56FD-45A8-93DA-EE5EE41B908A}" refers to invalid object "C:\Program Files\myCleanerPC\DNRProject.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{76B53EF2-4ACC-404c-B869-3878120C3A68}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{99180163-DA16-101A-935C-444553540000}" refers to invalid object "recncl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A175B891-3967-4554-8FBE-D2E1D9CD6E09}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{AE94BD95-408C-4506-BA90-2FAACB173927}" refers to invalid object "C:\Program Files\myCleanerPC\DNRProject.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BF8A3DA8-C7D2-11D1-8BBB-0020AFBABD89}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D3B1DE00-6B94-1069-8754-08002B2BD64F}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D92319FA-0975-11D3-83D0-00C04F8EDCC4}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{e0aad25a-7b62-41cc-6e00-628eb87db1d8}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E62DCD80-C262-11d1-A419-006097923041}" refers to invalid object "atipdsxx.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{e7bbd05f-5263-46c0-690f-6087b07eb6d2}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E8C2EE14-CAA0-11d2-B3FC-00C04F6EA46A}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E8C2EE18-CAA0-11D2-B3FC-00C04F6EA46A}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F0E43942-136F-11D3-86B1-0060970E9689}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F2B8E361-D2E2-11D1-A41F-00609729B902}" refers to invalid object "atipuixx.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F30973B1-DD06-4885-8C39-EE3CED95061F}" refers to invalid object "C:\Program Files\myCleanerPC\DNRProject.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FD0A5AF3-B41D-11d2-9C95-00C04F7971E0}" refers to invalid object "BdaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\ActMsg.Session" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.EBankProblem" refers to invalid object "{AE612304-E8F9-45D9-A444-32409D33E954}". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.QuarantinedItemProxy" refers to invalid object "{C2CE6266-0404-4C54-96B4-8829852E3537}". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.ScripterProxy" refers to invalid object "{9FEF02F5-B3B8-4D7B-8939-72A1C989D1B9}". Action Taken: No Action Taken.
Entry "HKCR\WMDMPDAExplorer.WMDMPDAExplorer" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMDMPDAExplorer.WMDMPDAExplorer.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPShell.HWEventHandler" refers to invalid object "{9B186A8F-F520-4eeb-B553-118304AC46C5}". Action Taken: No Action Taken.
Entry "HKCR\WMPShell.HWEventHandler.1" refers to invalid object "{9B186A8F-F520-4eeb-B553-118304AC46C5}". Action Taken: No Action Taken.
File C:\WINDOWS\23haei.sys infected by "Trojan.Win32.Kolweb.b" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\jjkaa.dll infected by "Trojan-Downloader.Win32.Qoologic.n" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\ddwshsd.dll infected by "Trojan-Downloader.Win32.Qoologic.n" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\59k7gl.exe infected by "Trojan.Win32.Kolweb.b" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\23haei.sys infected by "Trojan.Win32.Kolweb.b" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\ppyuk.dat infected by "Trojan-Downloader.Win32.Qoologic.n" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\bbqamab.exe infected by "Trojan-Downloader.Win32.Qoologic.n" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\fg\LOCALS~1\Temp\23haei.sys infected by "Trojan.Win32.Kolweb.b" Virus! Action Taken: No Action Taken.

Sux, I paid for Xoftspy and it's still messed up. Thanks for the help.
|
#4
|
|||
|
|||
|
and my new Hijack file is
Logfile of HijackThis v1.99.1
Scan saved at 7:19:46 PM, on 8/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nnca.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\fg\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn3\ycomp5_5_7_0.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn3\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jjlnbn.exe reg_run
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
|
#5
|
|||
|
|||
|
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jjlnbn.exe reg_run
Got rid of this now also, missed it. Oops, sorry, and thanks again.
|
#6
|
||||
|
||||
|
Ok, I'm back again. Sorry for the delay. I'll review the log and be back in five.
|
|
#7
|
||||
|
||||
|
You will need to update ewido to the latest definition files.
* On the left hand side of the main screen click Update
* Then click on Start Update

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
http://www.ewido.net/en/download/updates/

Then boot to safe mode. Then open Ewido.
* Click on scanner
* Click on Complete System Scan and the scan will begin.
* While the scan is in progress you will be prompted to clean files, click OK
* When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop.

Now close ewido security suite.

Then close all windows and fix the following with hijackthis:
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\a4zb1dg.dll
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jjlnbn.exe reg_run
O4 - HKLM\..\RunOnce: [59k7gl.exe] C:\WINDOWS\System32\59k7gl.exe /k
O4 - HKCU\..\RunOnce: [59k7gl.exe] C:\WINDOWS\System32\59k7gl.exe /k
|
#8
|
|||
|
|||
|
Already did twice... and it keeps finding a lot, but I'll try again. BRB
|
|
#9
|
|||
|
|||
|
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 9:07:13 PM, 8/1/2005
+ Report-Checksum: DFE6BAB7
+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
C:\WINDOWS\SYSTEM32\jjlnbn.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\WINDOWS\SYSTEM32\ddwshsd.dll -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\WINDOWS\SYSTEM32\jjkaa.dll -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\WINDOWS\SYSTEM32\bbqamab.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nnca.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\Documents and Settings\fg\Cookies\fg@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\fg\Cookies\fg@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\fg\Cookies\fg@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\fg\Cookies\fg@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\fg\Cookies\fg@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.8:C:\Documents and Settings\fg\Application Data\Netscape\NSB\Profiles\6bndasmp.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.9:C:\Documents and Settings\fg\Application Data\Netscape\NSB\Profiles\6bndasmp.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.11:C:\Documents and Settings\fg\Application Data\Netscape\NSB\Profiles\6bndasmp.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.12:C:\Documents and Settings\fg\Application Data\Netscape\NSB\Profiles\6bndasmp.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.23:C:\Documents and Settings\fg\Application Data\Netscape\NSB\Profiles\6bndasmp.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.26:C:\Documents and Settings\fg\Application Data\Netscape\NSB\Profiles\6bndasmp.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.28:C:\Documents and Settings\fg\Application Data\Netscape\NSB\Profiles\6bndasmp.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.29:C:\Documents and Settings\fg\Application Data\Netscape\NSB\Profiles\6bndasmp.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.30:C:\Documents and Settings\fg\Application Data\Netscape\NSB\Profiles\6bndasmp.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\System Volume Information\_restore{6ED319A6-F17D-44CC-82DB-83CD9EB01969}\RP111\A0006449.exe -> Trojan.Delf.cf : Cleaned with backup
C:\System Volume Information\_restore{6ED319A6-F17D-44CC-82DB-83CD9EB01969}\RP111\A0006451.dll -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\System Volume Information\_restore{6ED319A6-F17D-44CC-82DB-83CD9EB01969}\RP111\A0006452.dll -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\System Volume Information\_restore{6ED319A6-F17D-44CC-82DB-83CD9EB01969}\RP111\A0006453.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup

::Report End
|
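Added example, not part of the original thread or of either tool: a Python triage helper that cross-references HijackThis entries against the ewido report, using lines copied from the logs posted above. The function names and verdict labels are this example's own; paths are compared case-insensitively because the two tools print `System32` and `SYSTEM32` for the same folder.

```python
import re

# Lines copied from the HijackThis log and ewido report posted in this thread.
HIJACKTHIS_LOG = r"""
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\a4zb1dg.dll
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jjlnbn.exe reg_run
"""
EWIDO_REPORT = r"""
C:\WINDOWS\SYSTEM32\jjlnbn.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nnca.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\System Volume Information\_restore{6ED319A6-F17D-44CC-82DB-83CD9EB01969}\RP111\A0006449.exe -> Trojan.Delf.cf : Cleaned with backup
"""

ENTRY = re.compile(r"^([ORF]\d+) - (.*)$")          # HijackThis section code, then the rest
PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|ocx|dat)\b", re.I)
DETECTION = re.compile(r"^(.*?) -> (\S+) : (.+)$")  # ewido: object -> name : action

def parse_detections(report):
    """Map lower-cased object path -> detection name."""
    found = {}
    for line in report.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found

def triage(log, detections):
    """Return (section, path, verdict) for every HijackThis entry in the log."""
    rows = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        p = PATH.search(rest)
        path = p.group(0) if p else None
        if "(no file)" in rest:
            verdict = "orphaned"          # registry entry whose file is gone
        else:                             # Windows paths compare case-insensitively
            verdict = detections.get((path or "").lower(), "no detection")
        rows.append((section, path, verdict))
    return rows

def restore_point_hits(detections):
    """Detections that live inside System Restore storage, not the live system."""
    return [p for p in detections if "\\system volume information\\_restore" in p]

if __name__ == "__main__":
    print(*triage(HIJACKTHIS_LOG, parse_detections(EWIDO_REPORT)), sep="\n")
```

The `a4zb1dg.dll` BHO comes back as "no detection" even though it is on the list of entries to fix in HijackThis, so a missing scanner hit calls for manual review rather than counting as a clean result.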
#10
|
||||
|
||||
|
Ok, so now let's flush the restore points:

Go to Start>Run and type msconfig. Press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.
Check the box labeled Turn off System restore on all Drives.
Reboot.
Go back in and Turn System Restore Back on.
A new Restore Point will be created.

----------------------------------------

Download Tract qoo.zip
http://forums.net-integration.net/index.ph...=post&id=153912
Extract the VBS file, run it, and post the txt that will open.