viruses help please
Hello, I have just found that I have a virus in 4 files on my PC which cannot be healed by AVG. It tells me "Potentially harmful program PsKill. PsKILL.EXE.Windows\restore.ins\c\oemcust\tools\win32\pskill.exe. infected archive"; this appears twice, and RESTORE.INS\windows\restore.ins also appears twice with the same threat, it says it is an infected embedded object.
I am not sure what to do with this. I have disabled System Restore and scanned, but cannot access the actual file called PsKILL.EXE. I can get RESTORE.INS up, which the file is contained in, but don't know if I can just delete this or not? Is this a legit Windows file? Or is it meant to appear that way? I have learnt a bit about PCs since I last came on the forum but I am no expert by any means, so I hope you might be able to help... thanks in advance... del
classicsoftware
10-24-2005, 10:22 PM
You need to burn your restore points. Do an online virus scan. Please download, install, and update the NEW free version of Ewido trojan scanner (http://www.ewido.net/en/download/):
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Thank you for the advice, classic. Have done this and here is the report:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 13:20:53, 25/10/2005
+ Report-Checksum: A7993F9F
+ Scan result:
HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Spyware.Altnet : Ignored
HKLM\SOFTWARE\Classes\AppID\adm.EXE\\AppID -> Spyware.Altnet : Ignored
HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Spyware.Altnet : Ignored
HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE\\AppID -> Spyware.Altnet : Ignored
HKLM\SOFTWARE\Classes\CLSID\{00A6FAF1-072E-44cf-8957-5838F569A31D} -> Spyware.MyWebSearch : Ignored
HKLM\SOFTWARE\Classes\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Ignored
HKLM\SOFTWARE\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Ignored
HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Ignored
HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Ignored
HKLM\SOFTWARE\Classes\RunMSC.Loader\CLSID\\ -> Spyware.SaveNow : Ignored
HKLM\SOFTWARE\Classes\RunMSC.Loader.1\CLSID\\ -> Spyware.SaveNow : Ignored
HKLM\SOFTWARE\FocusInteractive\Outlook\\MyWebSearch.OutlookAddin -> Spyware.MyWebSearch : Ignored
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Ignored
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Ignored
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D} -> Spyware.MyWebSearch : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx\\.Owner -> Spyware.PurityScan : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/WinAdCtlX.dll\\.Owner -> Spyware.WinFavorites : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/WinAdCtlX.dll\\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/mfc42.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/msvcrt.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/olepro32.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Ignored
HKLM\SOFTWARE\PerfectNav -> Spyware.KeenValue : Ignored
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Ignored
HKU\S-1-5-21-3400999329-779532043-2469168551-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} -> Spyware.MyWay : Ignored
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Ignored
C:\Documents and Settings\Packard Bell User\Cookies\packard bell user@atdmt[2].txt -> Spyware.Cookie.Atdmt : Ignored
C:\Documents and Settings\Packard Bell User\Cookies\packard bell user@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Ignored
C:\Documents and Settings\Packard Bell User\Cookies\packard bell user@hypertracker[2].txt -> Spyware.Cookie.Hypertracker : Ignored
C:\Documents and Settings\Packard Bell User\Local Settings\Temp\Cookies\packard bell user@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Ignored
C:\Documents and Settings\Packard Bell User\Local Settings\Temp\jkill.exe -> Spyware.VX2 : Ignored
C:\Documents and Settings\Packard Bell User\Local Settings\Temp\THI3DA0.tmp\localNRD.dll -> Spyware.BiSpy : Ignored
C:\Documents and Settings\Packard Bell User\Start Menu\Programs\WhenU -> Spyware.SaveNow : Ignored
C:\Program Files\MyWebSearch\bar\2.bin\M3PLUGIN.DLL -> Spyware.MyWebSearch : Ignored
C:\Program Files\MyWebSearch\bar\2.bin\NPMYWEBS.DLL -> Spyware.MyWebSearch : Ignored
C:\System Volume Information\_restore{1450A557-4027-4F57-AFFC-65B5F7AFB22A}\RP2\A0000002.dll -> Spyware.BiSpy : Ignored
C:\WINDOWS\bbchk.exe -> Spyware.BargainBuddy : Ignored
C:\WINDOWS\system32\instsrv.exe -> Spyware.BargainBuddy : Ignored
::Report End
I think Kazaa is still haunting me... del
Budfred
10-25-2005, 03:42 PM
The rate of false positives on Ewido has dropped off dramatically and those items all look like they need to be fixed... Go ahead and let Ewido fix them...
Thank you, I have removed the above files with ewido. Just a thought, should I have System Restore disabled to remove them totally?
I have scanned again with AVG and still have the PsKILL.exe (the other online scan, HouseCall, has not picked them up). I do not know how I can remove this virus. My son downloaded BearShare recently when I was on holiday, do you think this could have caused it? I scan almost daily so this must be a newly installed virus... del
Budfred
10-25-2005, 10:34 PM
I think that was what classicsoftware was trying to say... You haven't said what your OS is, but if it is XP, here are the instructions:
Turn off System Restore
To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.
Turn on System Restore
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
After you finish all of that, it would be a good idea to post a HijackThis log as well:
To run HJT, extract it to a permanent folder such as one you create like C:\HJT. Close all open windows and browsers and make sure that all programs are enabled if you use msconfig. Run it and Scan, then Save the log. When the log window appears, right click to Copy it, open your browser and come here to Paste the entire log. Do not make any changes until it is checked since most items are either benign or essential to the computer.
http://www.downloads.subratam.org/hijackthis.zip
Thanks Budfred, sorry, forgot to say the OS is XP Home Edition. I have done the HJT log, your help will be greatly appreciated:
Logfile of HijackThis v1.99.1
Scan saved at 22:41:05, on 26/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\Common Files\Teknum Systems\updsvc.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Documents and Settings\Packard Bell User\Desktop\my shared folder\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Documents and Settings\Packard Bell User\Desktop\my shared folder\hjt\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Startup: Thumbs.db
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb032YYGB
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c10.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122573293812
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Packard Bell User\Desktop\my shared folder\ewido\security suite\ewidoctrl.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
thanks... del
Budfred
10-26-2005, 10:51 PM
The main thing you have here is MyWebSearch which is from Ask Jeeves... They insist that it is not malware, but a lot of experts insist that it installs without permission and is intrusive.... Some components are classified as malware and some are not... I will list those separately and you can decide if you want to fix them or not... I would fix them all if they showed up on my machine...
Open an HJT scan and put checks by:
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M.../bridge-c10.cab
This is the optional part:
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
This is supposed to be a legit file, but I don't know why it would be in Startup... I would fix it too:
O4 - Startup: Thumbs.db
Close all open windows except HJT and press Fix checked....
See if you can remove MyWebSearch in Add/Remove Programs or find and delete this folder if you can't:
C:\Program Files\MyWebSearch
Reboot and post a fresh log with an update on how things are going... We may need to do a deeper scan or two...
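Budfred's triage above is done by eye: look for hooks pointing at missing files, anything belonging to MyWebSearch, and odd items such as a Thumbs.db in a Startup folder. The Python below is an added example, not part of this thread, of HijackThis or of any scanner named here; it applies those same questions mechanically to HJT-style log lines. The sample log is a constructed subset of the log posted above; the marker list (MyWebSearch, Fun Web Products, windupdates, BearShare, Kazaa, MyWay, all names the scanners in this thread tied to unwanted software), the list of launchable extensions and the rules themselves are assumptions for illustration, and every hit is a lead for review, not a verdict.

```python
"""Rule-based triage of HijackThis (HJT 1.99) log entries.

Added example for this thread; not part of HijackThis or of the original posts.
The rules are heuristics: every hit is a lead for a human reviewer, not a verdict.
"""
import re
from dataclasses import dataclass

# R0-R3 and O1-O23 lines all look like "<code> - <body>"; process paths and the
# header carry no such prefix and are skipped by the parser.
ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")

# Names the scanners in this thread (ewido, MWAV) tied to unwanted software.
# Assumption: a substring match is enough to put the entry on the review list.
UNWANTED_MARKERS = ("mywebsearch", "funweb", "windupdates", "bearshare", "kazaa", "myway")

# Items that can actually launch from a Startup folder; anything else there is odd.
LAUNCHABLE = (".exe", ".lnk", ".bat", ".cmd", ".vbs", ".pif", ".scr")


@dataclass(frozen=True)
class Finding:
    code: str    # HJT section, e.g. "O4"
    reason: str  # why a reviewer would question the entry
    entry: str   # the log line, verbatim


def parse_entries(log_text):
    """Yield (code, body) for each R/O entry in the log."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def startup_target(body):
    """'Startup: Foo.lnk = C:\\x.exe' -> 'C:\\x.exe'; 'Startup: Thumbs.db' -> 'Thumbs.db'."""
    if "=" in body:
        return body.split("=", 1)[1].strip()
    return body.split(":", 1)[1].strip()


def triage(log_text):
    """Return a Finding for every rule an entry trips (an entry may trip several)."""
    findings = []
    for code, body in parse_entries(log_text):
        low = body.lower()
        entry = f"{code} - {body}"
        if "(file missing)" in low:
            findings.append(Finding(code, "points at a missing file; orphan hook left after a removal", entry))
        for marker in UNWANTED_MARKERS:
            if marker in low:
                findings.append(Finding(code, f"names unwanted software ('{marker}')", entry))
                break
        if code == "O4" and low.startswith(("startup:", "global startup:")):
            if not startup_target(body).lower().endswith(LAUNCHABLE):
                findings.append(Finding(code, "non-launchable item in a Startup folder", entry))
        if code == "O16" and "(" not in body:
            findings.append(Finding(code, "ActiveX download with no registered friendly name", entry))
        if code == "O23" and " - - " in body:
            findings.append(Finding(code, "service with no vendor string", entry))
    return findings


# Constructed sample: a subset of the first HJT log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Startup: Thumbs.db
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb032YYGB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c10.cab
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.entry}")
```

Run against the sample it lists the R3 orphan twice (missing file and MyWebSearch), the two MyWebSearch startup/context-menu lines, the Thumbs.db startup item, the windupdates ActiveX download twice, and the vendorless SmartLinkService, while leaving the Google, AVG and HouseCall entries alone. The vendor-string and friendly-name rules are weak on their own (plenty of legitimate software omits both), which is why the output is a review list rather than a fix list.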
Thanks Budfred, have fixed almost all of what you advised. O4 - Startup: Thumbs.db, could not do this, it said I have to do it in Task Manager and I cannot see it there. I have deleted the program folder MyWebSearch, although I can still see this in the registry: HKLM\SOFTWARE\MYWEBSEARCH, and there is also a Kazaa folder in there too. Good news from my point of view is no viruses found today after the fixes and shutdown. Here is the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:31:37, on 27/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Documents and Settings\Packard Bell User\Desktop\my shared folder\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\hjt\hjt\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - Startup: Thumbs.db
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb032YYGB
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122573293812
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Packard Bell User\Desktop\my shared folder\ewido\security suite\ewidoctrl.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
thank you... del
Budfred
10-27-2005, 08:35 AM
You may be able to clean out the last of those Registry entries with an Ewido scan in Safe Mode or with CCleaner in Safe Mode....
http://www.ccleaner.com/
That thumbs.db file worries me a bit... Are you still having any problems?? If it still shows in the HJT log in Safe Mode, I would try fixing it again and see if it works... It seems to be the only suspicious item there now... If you can't kill it:
Try running an MWavScan... It will produce a log in the lower window that has the bad list and you will need to use Ctrl-C to copy it and then paste it here for review.... If the list is extremely long, you can just paste the lines that begin with the word "File" since those are the ones we need to be most concerned about...
http://www.mwti.net/products/mwav/mwav.asp
It will suggest that you buy the product to fix what it finds, but that is not necessary... Just post the bad part of the scan and we will deal with it...
OK, have run HJT in Safe Mode and O4 - Startup: Thumbs.db was not there, but once I started up as normal, there it was again. Scanned with ewido in Safe Mode, 5 more infections. Have done the MWAV scan and now I definitely need some help. Will post the info, have tried to make it as short as possible.
=> File C:\WINDOWS\System32\service.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
=> File C:\WINDOWS\RESTORE.INS tagged as not-a-virus:NetTool.Win32.PsKill. No Action Taken.
System found infected with funweb Spyware/Adware ({00a6faf6-072e-44cf-8957-5838f569a31d})! Action taken: No Action Taken.
System found infected with funweb Spyware/Adware ({0f8ecf4f-3646-4c3a-8881-8e138ffcaf70})! Action taken: No Action Taken.
System found infected with funweb Spyware/Adware ({147a976f-eee1-4377-8ea7-4716e4cdd239})! Action taken: No Action Taken.
System found infected with bearshare Spyware/Adware ({558ec983-bedb-9168-b2de-31dbf0ee543e})! Action taken: No Action Taken.
System found infected with kazaa Spyware/Adware ({66fc8717-efa7-4546-8c4a-e224f3a80c76})! Action taken: No Action Taken.
System found infected with mywebsearch Spyware/Adware ({7473d292-b7bb-4f24-ae82-7e2ce94bb6a9})! Action taken: No Action Taken.
System found infected with mywebsearch Spyware/Adware ({938aa51a-996c-4884-98ce-80dd16a5c9da})! Action taken: No Action Taken.
System found infected with mywebsearch Spyware/Adware ({9ff05104-b030-46fc-94b8-81276e4e27df})! Action taken: No Action Taken.
System found infected with mywebsearch Spyware/Adware ({adb01e81-3c79-4272-a0f1-7b2be7a782dc})! Action taken: No Action Taken.
System found infected with funweb Spyware/Adware ({b813095c-81c0-4e40-aa14-67520372b987})! Action taken: No Action Taken.
System found infected with funweb Spyware/Adware ({c9d7be3e-141a-4c85-8cd6-32461f3df2c7})! Action taken: No Action Taken.
System found infected with funweb Spyware/Adware ({cff4ce82-3aa2-451f-9b77-7165605fb835})! Action taken: No Action Taken.
System found infected with bearshare Spyware/Adware ({5f95e1af-2620-4f15-bdf9-7fdce4607e17})! Action taken: No Action Taken.
System found infected with mywebsearch Spyware/Adware ({07b18ea0-a523-4961-b6bb-170de4475cca})! Action taken: No Action Taken.
System found infected with mywebsearch Spyware/Adware ({29d67d3c-509a-4544-903f-c8c1b8236554})! Action taken: No Action Taken.
System found infected with mywebsearch Spyware/Adware ({8e6f1830-9607-4440-8530-13be7c4b1d14})! Action taken: No Action Taken.
System found infected with bearshare Spyware/Adware ({905d0df2-3a0a-4d94-853c-54a12a745905})! Action taken: No Action Taken.
System found infected with mywebsearch Spyware/Adware ({e47caee0-deea-464a-9326-3f2801535a4d})! Action taken: No Action Taken.
System found infected with mywebsearch Spyware/Adware ({f42228fb-e84e-479e-b922-fbbd096e792c})! Action taken: No Action Taken.
System found infected with myway Spyware/Adware ({0494d0d4-f8e0-41ad-92a3-14154ece70ac})! Action taken: No Action Taken.
System found infected with mywebsearch Spyware/Adware ({07b18eaa-a523-4961-b6bb-170de4475cca})! Action taken: No Action Taken.
System found infected with mywebsearch Spyware/Adware ({63d0ed2b-b45b-4458-8b3b-60c69bbbd83c})! Action taken: No Action Taken.
Offending Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\uninstall\bearshare !!!
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Will make into 2 posts
Offending Key found: HKCU\appevents\eventlabels\bearsharechatnotifymsg !!!
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Offending Key found: HKCU\appevents\schemes\apps\bearshare !!!
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Offending Key found: HKLM\Software\magnet\handlers\bearshare !!!
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Offending Key found: HKLM\Software\bearshare !!!
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Offending Key found: HKLM\Software\focusinteractive !!!
Object "mywebsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Offending Key found: HKLM\Software\fun web products !!!
Object "funweb Spyware/Adware" found in File System! Action Taken: No Action Taken.
Offending Key found: HKLM\Software\funwebproducts !!!
Object "funwebproducts Spyware/Adware" found in File System! Action Taken: No Action Taken.
Offending Key found: HKLM\Software\kazaa !!!
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Offending Key found: HKLM\Software\myway !!!
Object "my way speedbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Offending Key found: HKLM\Software\mywebsearch !!!
Object "mwsoemon Spyware/Adware" found in File System! Action Taken: No Action Taken.
Offending Key found: HKCU\Software\funwebproducts !!!
Object "funwebproducts Spyware/Adware" found in File System! Action Taken: No Action Taken.
Offending Key found: HKCU\Software\kazaa !!!
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Offending Key found: HKCU\Software\mywebsearch !!!
Object "mwsoemon Spyware/Adware" found in File System! Action Taken:
Offending Key found: HKLM\software\microsoft\office\word\addins\mywebsearch.outlookaddin !!!
Object "mywebsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Offending Key found: HKLM\software\microsoft\office\outlook\addins\mywebsearch.outlookaddin !!!
Object "mywebsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Offending value found in HKLM\Software\Licenses: {i56b3cf0d9ab991e1} !!!
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Offending value found in HKLM\Software\Licenses: {056b3cf0d9ab991e1} !!!
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Offending file found: C:\WINDOWS\smdat32a.sys
System found infected with altnet Spyware/Adware (smdat32a.sys)! Action taken: No Action Taken.
Offending Folder found: C:\WINDOWS\DOWNLO~1\conflict.1
Object "180solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.
Offending file found: C:\WINDOWS\System32\ide21201.vxd
System found infected with windupdate Spyware/Adware (ide21201.vxd)! Action taken: No Action Taken.
Offending Folder found: C:\Program Files\bearshare
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Offending Folder found: C:\Program Files\funwebproducts
Object "funwebproducts Spyware/Adware" found in File System! Action Taken: No Action Taken.
Offending Folder found: C:\Program Files\windows adcontrol
Object "winad Spyware/Adware" found in File System! Action Taken: No Action Taken.
Offending file found: C:\DOCUME~1\PACKAR~1\LOCALS~1\Temp\iadhide3.dll
System found infected with whenu.savenow Spyware/Adware (iadhide3.dll)! Action taken: No Action Taken.
Offending file found: C:\Documents and Settings\Packard Bell User\Application Data\kontiki\kdx\cache\player.html
System found infected with clipgenie Spyware/Adware (player.html)! Action taken: No Action Taken.
Offending file found: C:\Documents and Settings\Packard Bell User\Desktop\bearshare.lnk
System found infected with bearshare Spyware/Adware (bearshare.lnk)! Action taken: No Action Taken.
Offending file found: C:\Documents and Settings\Packard Bell User\Desktop\my shared folder\ewido\security suite\help.chm
System found infected with vx2 Spyware/Adware (help.chm)! Action taken: No Action Taken.
Offending file found: C:\Documents and Settings\Packard Bell User\Desktop\my shared folder\ewido\security suite\lang.dll
System found infected with attune Spyware/Adware (lang.dll)! Action taken: No Action Taken.
Offending file found: C:\Documents and Settings\Packard Bell User\My Documents\e-bay guard\toolbarsetup.exe
System found infected with findit quick browseraid Spyware/Adware (toolbarsetup.exe)! Action taken: No Action Taken.
Offending file found: C:\Documents and Settings\Packard Bell User\Local Settings\temp\iadhide3.dll
System found infected with whenu.savenow Spyware/Adware (iadhide3.dll)! Action taken: No Action Taken.
Offending file found: C:\Documents and Settings\Packard Bell User\Local Settings\temp\temporary internet files\content.ie5\gw6wvp9f\global[1].js
System found infected with redv Spyware/Adware (global[1].js)! Action taken: No Action Taken.
Offending file found: C:\Documents and Settings\Packard Bell User\Local Settings\temporary internet files\content.ie5\0xyz4567\index[1].html
System found infected with whenu.savenow Spyware/Adware (index[1].html)! Action taken: No Action Taken.
Offending file found: C:\Documents and Settings\Packard Bell User\Local Settings\temporary internet files\content.ie5\3pnzm4lg\ads[1].htm
System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
Offending file found: C:\Documents and Settings\Packard Bell User\Local Settings\temporary internet files\content.ie5\85abcdef\ads[1].htm
System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
Offending file found: C:\Documents and Settings\Packard Bell User\Local Settings\temporary internet files\content.ie5\99lzea7u\pop[1].htm
System found infected with whenu.savenow Spyware/Adware (pop[1].htm)! Action taken: No Action Taken.
Offending file found: C:\Documents and Settings\Packard Bell User\Local Settings\temporary internet files\content.ie5\otybgx2b\ads[1].htm
System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
Offending file found: C:\Documents and Settings\Packard Bell User\Local Settings\temporary internet files\content.ie5\otybgx2b\show_ads[2].js
System found infected with whenu.savenow Spyware/Adware (show_ads[2].js)! Action taken: No Action Taken.
Offending file found: C:\Documents and Settings\Packard Bell User\Local Settings\Temporary Internet Files\content.ie5\0xyz4567\index[1].html
System found infected with whenu.savenow Spyware/Adware (index[1].html)! Action taken: No Action Taken.
Offending file found: C:\Documents and Settings\Packard Bell User\Local Settings\Temporary Internet Files\content.ie5\3pnzm4lg\ads[1].htm
System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
Offending file found: C:\Documents and Settings\Packard Bell User\Local Settings\Temporary Internet Files\content.ie5\85abcdef\ads[1].htm
System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
Offending file found: C:\Documents and Settings\Packard Bell User\Local Settings\Temporary Internet Files\content.ie5\99lzea7u\pop[1].htm
System found infected with whenu.savenow Spyware/Adware (pop[1].htm)! Action taken: No Action Taken.
Offending file found: C:\Documents and Settings\Packard Bell User\Local Settings\Temporary Internet Files\content.ie5\otybgx2b\ads[1].htm
System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
Offending file found: C:\Documents and Settings\Packard Bell User\Local Settings\Temporary Internet Files\content.ie5\otybgx2b\show_ads[2].js
System found infected with whenu.savenow Spyware/Adware (show_ads[2].js)! Action taken: No Action Taken.
Offending file found: C:\Documents and Settings\All Users\Start Menu\Programs\bearshare.lnk
System found infected with bearshare Spyware/Adware (bearshare.lnk)! Action taken: No Action Taken.
Offending file found: C:\Documents and Settings\All Users\Start Menu\programs\bearshare.lnk
System found infected with bearshare Spyware/Adware (bearshare.lnk)! Action taken: No Action Taken.
Offending file found: C:\Documents and Settings\Packard Bell User\My Documents\e-bay guard\toolbarsetup.exe
System found infected with findit quick browseraid Spyware/Adware (toolbarsetup.exe)! Action taken: No Action Taken.
There is then a list of errors created in the registry caused by the adware; will post if you want. I will definitely uninstall BearShare, but advice needed. Sorry this is so long...del
Budfred
10-27-2005, 10:11 PM
Is that the MWavScan?? If so, which part?? Remember we only need the part from the bottom window in the main scan window and we actually only need items that start with "File"...
And yes, uninstalling BearShare is a good idea...
oh, sorry, is this what you wanted:
Thu Oct 27 22:35:54 2005 => Total Objects Scanned: 26244
Thu Oct 27 22:35:54 2005 => Total Virus(es) Found: 72
Thu Oct 27 22:35:54 2005 => Total Disinfected Files: 0
Thu Oct 27 22:35:54 2005 => Total Files Renamed: 0
Thu Oct 27 22:35:54 2005 => Total Deleted Objects: 0
Thu Oct 27 22:35:54 2005 => Total Errors: 104
Thu Oct 27 22:35:54 2005 => Time Elapsed: 00:05:58
Thu Oct 27 22:35:54 2005 => Virus Database Date: 2005/10/21
Thu Oct 27 22:35:54 2005 => Virus Database Count: 155382
Thu Oct 27 22:35:54 2005 => Scan Completed.
I thought it was the items it found you wanted. I have removed BearShare, including registry keys, so hopefully that's gone. MyWebSearch is still active, and it also found an old infection I had, system32\service.exe; it is not active in Task Manager, or visible in the registry, but still in the Windows folder. I have not really had any problems with the PC, just had a couple of error messages like programs not responding on shutdown. Thanx for the help Budfred, sorry about the above posts...del
Budfred
10-27-2005, 10:45 PM
Nope, that isn't it either... It may be that you don't have any items beginning with File, but they would be in that lower window if you did...
How do you know that MyWebSearch is still active?? It isn't showing in the log...
If you still have garbage there, we will need to do a SilentRunners log....
Please download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile for me to see.
When I did an HJT log not long ago, when I first switched on, O8-extra-content...MYWEB was there, so I thought it was. The MWAV log is huge; what I posted was the infected or invalid files or registry parts. I removed the date to try to make it shorter. Will do as you advise tomorrow, need bed now, 3am, work at 8,
thankyou again
Budfred
10-28-2005, 12:09 AM
I missed the O8 and I suspect it is dead, but fix it with HJT to make sure...
Hi, have to make two posts, log is too long. Here is the SilentRunners log:
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Update Service" = "C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup" ["Teknum Systems AS"]
"EPSON Stylus Photo R300 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"" ["SEIKO EPSON CORPORATION"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SiS KHooker" = "C:\WINDOWS\System32\khooker.exe" ["Silicon Integrated Systems Corporation"]
"Microsoft Works Update Detection" = "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"EPSON Stylus Photo R300 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"" ["SEIKO EPSON CORPORATION"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"eBayToolbar" = "C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe" ["eBay"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{22D8E815-4A5E-4DFB-845E-AAB64207F5BD}\(Default) = "eBay Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll" [null data]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}\(Default) = "ST" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll" [MS]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = "MSNToolBandBHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A0752120-6D75-D111-B5B1-0800095A2318}" = "HandyBits EasyCrypto Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\tsseCryp.dll" [null data]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{92085AD4-F48A-450D-BD93-B28CC7DF67CE}" = "eBay Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll" [null data]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Documents and Settings\Packard Bell User\Desktop\my shared folder\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
EasyCryptoMenu\(Default) = "{A0752120-6D75-D111-B5B1-0800095A2318}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\tsseCryp.dll" [null data]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
EasyCryptoMenu\(Default) = "{A0752120-6D75-D111-B5B1-0800095A2318}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\tsseCryp.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Packard Bell User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Startup items in "Packard Bell User" & "All Users" startup folders:
-------------------------------------------------------------------
C:\Documents and Settings\Packard Bell User\Start Menu\Programs\Startup
INFECTION WARNING! "Thumbs.db" [null data]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"blueyonder Instant Support Tool" -> shortcut to: "C:\Program Files\blueyonder IST\bin\matcli.exe -boot" ["Motive Communications, Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "&Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll" ["Yahoo! Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "MSN" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll" [MS]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "0"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll" [MS]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "&Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll" ["Yahoo! Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{92085AD4-F48A-450D-BD93-B28CC7DF67CE}" = "eBay Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll" [null data]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]
Dormant Explorer Bars in "View, Explorer Bar" menu
HKLM\Software\Classes\CLSID\{0494D0DE-F8E0-41AD-92A3-14154ECE70AC}\ = "My Search Bar Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
HKLM\Software\Classes\CLSID\{1E0DE227-5CE4-4EA3-AB0C-8B03E1AA76BC}\ = "My Web Search Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{1D49B7D4-524D-4AC9-BC34-B4822CAE4BB1}\
"ButtonText" = "Packard Bell"
"Script" = "C:\Apps\IECustom\script.htm" [null data]
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "C:\Documents and Settings\Packard Bell User\Desktop\my shared folder\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
SmartLinkService, SLService, "slserv.exe" [" "]
Virtual CD v4 Security service (SDK - Version), VCSSecS, "C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe" ["H+H Software GmbH"]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON V6 2KMonitor\Driver = "EBPMON24.DLL" ["SEIKO EPSON CORPORATION"]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 77 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 36 seconds.
---------- (total run time: 170 seconds)
Sorry again about the long posts, your advice appreciated..del :)
Budfred
10-28-2005, 11:11 PM
It appears that the reference to thumbs.db is here:
C:\Documents and Settings\Packard Bell User\Start Menu\Programs\Startup
INFECTION WARNING! "Thumbs.db" [null data]
Go there and remove it...
Do you recognize this??
EasyCryptoMenu "C:\WINDOWS\System32\tsseCryp.dll"
If you are comfortable working in the Registry, it might be a good idea to remove these:
HKLM\Software\Classes\CLSID\{0494D0DE-F8E0-41AD-92A3-14154ECE70AC}\ = "My Search Bar Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
HKLM\Software\Classes\CLSID\{1E0DE227-5CE4-4EA3-AB0C-8B03E1AA76BC}\ = "My Web Search Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
If not, I will get help writing a Registry fix batch...
Those are the only problems I see here...
Hi, thanx Budfred, I have found and deleted startup\thumbs and it's not showing in the HJT log anymore. I do not know what the EasyCrypto is, have tried to Google it, but mixed messages there, some say legit Windows file, some say adware or virus.
Can I just delete the files in the registry for mysearch and kazaa? Also there is a file that has been picked up by ewido: service.exe, that pcguide helped me with before; this was or is a virus, it is located C:\windows\system32\service. It is a hidden file and does not say Microsoft Corporation in the details like the others do, should I leave this alone?
I am using AVG, Ad-Aware 6.0, ewido, HJT and CCleaner; would any of these programs conflict with each other?
Thank you so much for the help, sorry if I have asked a lot of questions, you guys are great!!!...del
Budfred
10-30-2005, 08:43 PM
Hi, thanx Budfred, I have found and deleted startup\thumbs and it's not showing in the HJT log anymore. I do not know what the EasyCrypto is, have tried to Google it, but mixed messages there, some say legit Windows file, some say adware or virus.
Can I just delete the files in the registry for mysearch and kazaa? Also there is a file that has been picked up by ewido: service.exe, that pcguide helped me with before; this was or is a virus, it is located C:\windows\system32\service. It is a hidden file and does not say Microsoft Corporation in the details like the others do, should I leave this alone?
I am using AVG, Ad-Aware 6.0, ewido, HJT and CCleaner; would any of these programs conflict with each other?
Thank you so much for the help, sorry if I have asked a lot of questions, you guys are great!!!...del
If you are comfortable editing the Registry, you can find and delete the references to Kazaa and MyWebSearch... Make sure you back it up first in case something goes wrong... A broken Registry means that your computer may not even be able to boot...
I am afraid I don't know what you are talking about with that service.exe file... Where are you saying that it doesn't say it in MS in the details?? Please don't assume I understand what you see in front of you... If you don't give me details, I can't sort out where you are seeing this info...
If you don't recognize this, I would suggest seeing if you can remove it in Add/Remove Programs and find/kill the file if it isn't removable... The program is EasyCryptoMenu and this is the file to kill:
C:\WINDOWS\System32\tsseCryp.dll
The programs you mention should not conflict with each other... HJT and CCleaner are only run as needed... Ewido or Ad-Aware are only on if you have the paid versions or run a scan... AVG is the only one that actually runs in resident mode... Once we get you more cleaned up, I will give you more ideas for protection programs...
Hi, I have removed the items in the registry that you advised me to in your last-but-one post; I think for now I will leave the others alone. I have done different scans in safe mode and normal and everything is fine, no alerts. I think the HJT log is OK:
Logfile of HijackThis v1.99.1
Scan saved at 20:45:56, on 30/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hjt\HijackThis.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122573293812
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Packard Bell User\Desktop\my shared folder\ewido\security suite\ewidoctrl.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
It was the MWAV that said about the file service.exe, not ewido, sorry:
Thu Oct 27 21:43:26 2005 => Scanning File C:\WINDOWS\System32\service.exe
Thu Oct 27 21:43:26 2005 => File C:\WINDOWS\System32\service.exe infected by "Backdoor.Win32.Rbot.
Do you think this is a possible problem?
thanx..del
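The MWAV output del pasted earlier in the thread comes in two shapes: the "Offending ... found" lines, each paired with a detection line underneath, and the timestamped "=> File ... infected by" lines that Budfred actually asked for. The following is an added Python example (not from the thread, and not from MWAV or any of the tools named here) that parses both shapes into one list, collapses duplicates that differ only in path case (the "temporary internet files" entries appear twice for exactly that reason), and counts hits per detection name. The sample log is constructed from entries quoted in the thread plus a made-up "Backdoor.Win32.Rbot.EXAMPLE" detection; the line shapes are assumed from what is quoted here.

```python
import re
from collections import Counter

# Constructed sample in the two shapes MWAV output takes in the thread.
# The last detection name is a placeholder, not a real signature name.
SAMPLE_LOG = r"""
Offending file found: C:\WINDOWS\smdat32a.sys
System found infected with altnet Spyware/Adware (smdat32a.sys)! Action taken: No Action Taken.
Offending Folder found: C:\Program Files\bearshare
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Offending Key found: HKLM\Software\bearshare !!!
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Offending file found: C:\Documents and Settings\User\Local Settings\temporary internet files\content.ie5\abcd1234\ads[1].htm
System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
Offending file found: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\content.ie5\abcd1234\ads[1].htm
System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
Thu Oct 27 21:43:26 2005 => Scanning File C:\WINDOWS\System32\service.exe
Thu Oct 27 21:43:26 2005 => File C:\WINDOWS\System32\service.exe infected by "Backdoor.Win32.Rbot.EXAMPLE" Virus. Action Taken: No Action Taken.
"""

# "Offending <kind> found[ in]: <location>[ !!!]"
OFFENDING_RE = re.compile(r'^Offending (\w+) found(?: in)?:?\s*(.+?)\s*(?:!!!)?$', re.I)
# The detection line that follows an "Offending" line, in either wording.
DETECTION_RES = (
    re.compile(r'^System found infected with (.+?) Spyware/Adware'),
    re.compile(r'^Object "(.+?) Spyware/Adware" found'),
)
# Timestamped per-file verdicts: "... => File <path> infected by "<name>" ..."
INFECTED_RE = re.compile(r'^.*? => File (.+?) infected by "(.+?)"')


def parse_mwav(text):
    """Return a list of {kind, location, detection} records from MWAV text."""
    records = []
    pending = None  # the most recent "Offending" record still waiting for its detection line
    for line in text.splitlines():
        line = line.strip()
        m = OFFENDING_RE.match(line)
        if m:
            pending = {"kind": m.group(1).lower(), "location": m.group(2), "detection": None}
            records.append(pending)
            continue
        m = INFECTED_RE.match(line)
        if m:
            records.append({"kind": "file", "location": m.group(1), "detection": m.group(2)})
            pending = None
            continue
        if pending is not None and pending["detection"] is None:
            for rx in DETECTION_RES:
                d = rx.match(line)
                if d:
                    pending["detection"] = d.group(1)
                    break
    return records


def dedupe(records):
    """Drop repeats of the same object; Windows paths and keys are case-insensitive."""
    seen = set()
    unique = []
    for r in records:
        key = (r["kind"], r["location"].lower())
        if key not in seen:
            seen.add(key)
            unique.append(r)
    return unique


def summarize(records):
    """Count records per detection name (None becomes 'unknown')."""
    return Counter(r["detection"] or "unknown" for r in records)


if __name__ == "__main__":
    found = dedupe(parse_mwav(SAMPLE_LOG))
    for r in found:
        print(f'{r["kind"]:6} {r["detection"]:30} {r["location"]}')
    print(summarize(found))
```

Running it on a full MWAV log gives a short, deduplicated list to post instead of hundreds of raw lines; the per-detection counts also make it obvious when one family (here whenu.savenow, in browser cache) accounts for most of the noise and a single folder cleanup covers it.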
classicsoftware
10-30-2005, 09:47 PM
Also there is a file that has been picked up by ewido: service.exe, that pcguide helped me with before; this was or is a virus, it is located C:\windows\system32\service. It is a hidden file and does not say Microsoft Corporation in the details like the others do, should I leave this alone?
I think it is a baddie: Look here (http://www.castlecops.com/StartupList.html)
Budfred
10-30-2005, 10:45 PM
Your HJT log looks okay...
Run another MWavScan and see if that file continues to appear... If it does, it is probably a good idea to find it and kill it... Then run MWav again to see if it shows up again... Post results here...
I am not sure what you are saying you removed from the Registry... Also, did you do anything with EasyCryptoMenu?? If you didn't install it, it could have been added by a trojan to assist in controlling your system and possibly even locking you out...
vBulletin v3.6.1, Copyright ©2000-2009, Jelsoft Enterprises Ltd.