
Logfile of HijackThis v1.99.1

Scan saved at 5:23:25 PM, on 6/21/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Sean\Desktop\xampp\apache\bin\apache.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\FileZilla Server\FileZilla Server.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\xampp\xampp\mysql\bin\mysqld-nt.exe

C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\dfndra.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AIM\aim.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

C:\Documents and Settings\Sean\Desktop\xampp\apache\bin\apache.exe

C:\WINDOWS\algm.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Sean\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,eifcqmp.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

O4 - HKLM\..\Run: [newname] C:\\nwnm.exe

O4 - HKLM\..\Run: [defender] C:\\dfndra.exe

O4 - HKLM\..\Run: [keyboard] C:\\kybrd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm

O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139889000593

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\ixfoctrs.dll

O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\ieetppui.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apache - Unknown owner - C:\AppServ\Apache\Apache.exe" --ntservice (file missing)

O23 - Service: Apache2 - Unknown owner - C:\Documents and Settings\Sean\Desktop\xampp\apache\bin\apache.exe" -k runservice (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: EFTP3 Server (EFTP3Server) - Unknown owner - C:\Program Files\EFTP\EFTP3ServerService.exe (file missing)

O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\FileZilla Server\FileZilla Server.exe

O23 - Service: mysql - Unknown owner - C:\Program.exe (file missing)

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Documents and Settings\Sean\Desktop\xampp\service.exe (file missing)

O23 - Service: Windows XP-SP2 FW (XP-P2FWD) - Unknown owner - C:\WINDOWS\algm.exe


First of all, you will need to print out this post and/or save a copy as a text file in Notepad; that way you have a hard copy of these instructions. You cannot have IE/Firefox/any browser open during the fix.

You've got a couple of different major infections so it may take a few steps to clean up. Just follow the post as written without skipping any steps and we'll get through it just fine.

Download Brute Force Uninstaller to your desktop

  • Unzip it to a folder of its own (C:\BFU). BFU needs to be on your root. In most cases this is C:\
    • Help with unzipping files is HERE
  • Right click on THIS LINK and choose save as (or save Link/Target as)
  • Place qoofix.bat in your C:\BFU folder. (Important!)
  • Now go to the C:\BFU folder you just made
  • Double-click qooFix.bat. Close all browsers and explorer folders, even this one...!!!
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient, it will take about five minutes.
  • After the PC has restarted continue with the steps below

Please download Ewido Security Suite; it is a free version of the program.

  • Install Ewido Security Suite
  • When installing the program, under "Additional Options" uncheck...
    • Install background guard
    • Install scan via context menu
  • Launch Ewido; there should now be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run Ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update Ewido to the latest definition files:
    • On the left hand side of the main screen click Update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed. (The status bar at the bottom will display "Update successful".)
  • Close Ewido Security Suite

If you are having problems with the updater, you can use this link to manually update ewido.

Ewido manual updates

Once the updates are installed, do the following:

  1. Reboot computer into "Safe Mode" using the "F8" method...
    • As soon as the BIOS is loaded begin tapping the F8 key until the Boot Menu appears
    • Use the arrow keys to select the Safe Mode menu item
  2. Once in Safe Mode start Ewido Security Suite
  3. Click on Scanner. (Note: Do not start any programs or open any windows while Ewido is scanning)
  4. Click on Complete System Scan; the scan will now begin.
  5. While the scan is in progress you will be prompted to clean files; click OK.
  6. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose Clean and click OK.
  7. Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
  8. Click Save Report.
  9. Now save the report .txt file to your desktop.
  10. Close Ewido Security Suite

Boot back to Normal mode

Download and run F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml

Run the program: accept the statement > Next > click Scan > Next.

If any items are detected by Blacklight, don't do anything with them yet.

After reboot please post

  • the Ewido log
  • a new HijackThis log
  • the log from Blacklight; the log will be named fsbl-<date/time>.log, e.g. fsbl-20060505134642.log.

in a reply (or replies, it may well take more than one) to this thread. There WILL be more to do; but this is a GREAT start.

Edited by jwbirdsong
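The helper's fix list works from the HijackThis section codes in the log above (R1, F2, O4, O20, O23). As an added example that is not from this thread or from HijackThis itself, here is a small Python triage script that parses lines in that format and ranks the entries a responder would look at first; the sample lines are copied from the posted log, and the rules are our own heuristics, not a verdict on any single entry.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not code from the thread or from HijackThis. The rules are
heuristics for prioritising manual review, not a verdict on any entry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the same shape as the log posted above; the lines
# are copied from the thread, the selection is ours.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,eifcqmp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [newname] C:\\nwnm.exe
O4 - HKLM\..\Run: [defender] C:\\dfndra.exe
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\ixfoctrs.dll
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\l6p2lg7o16.dll (file missing)
O23 - Service: mysql - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Windows XP-SP2 FW (XP-P2FWD) - Unknown owner - C:\WINDOWS\algm.exe
"""


@dataclass
class Finding:
    code: str       # HijackThis section code, e.g. "O4"
    severity: str   # "high", "medium" or "info"
    reason: str
    line: str


# Hosts a stock Internet Explorer install points its search pages at (assumption).
MICROSOFT_HOSTS = ("microsoft.com", "msn.com", "live.com")
# A file directly under a drive root; tolerates the doubled backslash seen
# in the posted log (C:\\nwnm.exe).
ROOT_FILE = re.compile(r"^[a-z]:\\+[^\\]+$", re.I)
# Program path with optional surrounding quotes and trailing arguments.
PATH_ARGS = re.compile(r'^"?(.+?\.(?:exe|com|bat|dll|scr|pif))"?(?:\s|$)', re.I)
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|O\d+) - (.*)$")


def program_path(value: str) -> str:
    """Strip quotes and arguments from a Run or Service value, keep the program."""
    m = PATH_ARGS.match(value.strip())
    return m.group(1) if m else value.strip()


def host_of(url: str) -> str:
    m = re.match(r"https?://([^/]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def is_microsoft_host(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in MICROSOFT_HOSTS)


def check_line(line: str) -> list[Finding]:
    """Return the findings for one log line (empty if nothing stands out)."""
    line = line.strip()
    m = ENTRY.match(line)
    if not m:
        return []
    code, body = m.group(1), m.group(2)
    out: list[Finding] = []
    if code in ("R0", "R1") and " = " in body:
        key, _, url = body.partition(" = ")
        host = host_of(url)
        if "Search" in key and host and not is_microsoft_host(host):
            out.append(Finding(code, "medium", f"IE search setting points at {host}", line))
    elif code == "F2" and "UserInit=" in body:
        # A clean value lists only userinit.exe; anything after the comma also runs at logon.
        programs = [p.strip() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
        if len(programs) > 1:
            out.append(Finding(code, "high", "program chained after userinit.exe: " + ", ".join(programs[1:]), line))
    elif code == "O4" and "] " in body:
        path = program_path(body.split("] ", 1)[1])
        if ROOT_FILE.match(path):
            out.append(Finding(code, "high", f"autorun launches {path} from the drive root", line))
        elif "\\" not in path:
            out.append(Finding(code, "info", f"autorun uses bare name {path}, resolved via PATH", line))
    elif code == "O20":
        severity = "info" if "(file missing)" in body else "medium"
        out.append(Finding(code, severity, "Winlogon Notify DLL loads into winlogon.exe; verify it", line))
    elif code == "O23":
        if "(file missing)" in body:
            out.append(Finding(code, "info", "service points at a missing file (stale entry)", line))
        elif "Unknown owner" in body:
            path = program_path(body.rsplit(" - ", 1)[1])
            lowered = path.lower()
            if "\\system32\\" not in lowered and "\\program files\\" not in lowered:
                out.append(Finding(code, "medium", f"service with no publisher runs {path}", line))
    return out


def triage(log_text: str) -> list[Finding]:
    """Run every line through check_line and order the findings by severity."""
    rank = {"high": 0, "medium": 1, "info": 2}
    findings = [f for raw in log_text.splitlines() for f in check_line(raw)]
    return sorted(findings, key=lambda f: rank[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.reason}")
```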

Blacklight comes up with an error when I try to install, saying "F-secure Blacklight could not acquire necessary privileges (sedebugprivilege).

- Your computer settings may prevent acquiring these privileges.

- A malicious program might have disabled these privileges."

The ewido log is...

---------------------------------------------------------

ewido anti-spyware - Scan Report

---------------------------------------------------------

+ Created at: 10:05:06 PM 6/21/2006

+ Scan result:

C:\WINDOWS\system32\m6820gloe6qc0.dll -> Adware.Look2Me : No action taken.

C:\WINDOWS\system32\mztrig.dll -> Adware.Look2Me : No action taken.

C:\WINDOWS\system32\nrtfxperf.dll -> Adware.Look2Me : No action taken.

C:\WINDOWS\system32\o0840alqedqe0.dll -> Adware.Look2Me : No action taken.

C:\WINDOWS\system32\rtched20.dll -> Adware.Look2Me : No action taken.

[768] C:\WINDOWS\system32\tlext.dll -> Adware.Look2Me : No action taken.

[952] C:\WINDOWS\system32\tlext.dll -> Adware.Look2Me : No action taken.

C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\ODQRCTQR\AppWrap[1].exe -> Adware.Zestyfind : No action taken.

C:\kybrd.exe -> Downloader.Adload.cf : No action taken.

C:\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : No action taken.

C:\WINDOWS\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : No action taken.

C:\nwnm.exe -> Hijacker.VB.fb : No action taken.

:mozilla.201:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.

:mozilla.203:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.

:mozilla.204:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.

:mozilla.349:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.

:mozilla.350:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.

:mozilla.351:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.

:mozilla.352:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.

:mozilla.353:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.

C:\Documents and Settings\Jake\Cookies\jake@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.

:mozilla.104:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Burstbeacon : No action taken.

:mozilla.90:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.

:mozilla.98:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.

:mozilla.99:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.

:mozilla.237:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.

:mozilla.238:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.

:mozilla.239:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.

:mozilla.240:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.

:mozilla.241:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.

:mozilla.242:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.

C:\Documents and Settings\All Users\Documents\Dads DOCS\Cookies\administrator@casalemedia[1].txt -> TrackingCookie.Casalemedia : No action taken.

:mozilla.558:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Com : No action taken.

:mozilla.502:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Counted : No action taken.

:mozilla.67:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Cpvfeed : No action taken.

:mozilla.68:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Cpvfeed : No action taken.

:mozilla.69:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Cpvfeed : No action taken.

C:\Documents and Settings\All Users\Documents\Dads DOCS\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.

:mozilla.266:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.

:mozilla.416:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.

:mozilla.74:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Falkag : No action taken.

:mozilla.75:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Falkag : No action taken.

:mozilla.76:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Falkag : No action taken.

:mozilla.77:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Falkag : No action taken.

:mozilla.78:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Falkag : No action taken.

:mozilla.540:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.

C:\Documents and Settings\All Users\Documents\Dads DOCS\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : No action taken.

C:\Documents and Settings\All Users\Documents\Dads DOCS\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : No action taken.

C:\Documents and Settings\All Users\Documents\Dads DOCS\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : No action taken.

C:\Documents and Settings\All Users\Documents\Dads DOCS\Cookies\administrator@linksynergy[1].txt -> TrackingCookie.Linksynergy : No action taken.

:mozilla.150:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.

:mozilla.151:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.

:mozilla.152:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.

:mozilla.153:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.

:mozilla.281:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.

:mozilla.282:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.

:mozilla.345:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.

:mozilla.346:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.

:mozilla.522:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.

:mozilla.37:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.

:mozilla.38:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.

:mozilla.39:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.

:mozilla.42:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.

:mozilla.43:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.

:mozilla.44:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.

:mozilla.45:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.

:mozilla.60:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.

:mozilla.62:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.

:mozilla.63:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.

:mozilla.64:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.

:mozilla.30:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Revenue : No action taken.

:mozilla.472:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.

:mozilla.473:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.

:mozilla.474:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.

:mozilla.475:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.

:mozilla.404:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.

:mozilla.405:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.

:mozilla.406:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.

:mozilla.407:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.

:mozilla.408:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.

:mozilla.409:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.

:mozilla.410:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.

:mozilla.411:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.

:mozilla.288:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.

:mozilla.289:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.

:mozilla.292:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.

:mozilla.125:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.

:mozilla.91:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.

:mozilla.92:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.

:mozilla.93:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.

:mozilla.94:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.

:mozilla.95:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.

:mozilla.97:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.

:mozilla.485:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Trafic : No action taken.

C:\Documents and Settings\All Users\Documents\Dads DOCS\Cookies\[email protected][2].txt -> TrackingCookie.Webtrendslive : No action taken.

:mozilla.23:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.

:mozilla.24:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.

:mozilla.25:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.

:mozilla.26:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.

:mozilla.27:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.

:mozilla.28:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.

:mozilla.29:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.

:mozilla.31:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.

C:\Documents and Settings\Sean\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.

:mozilla.32:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Zedo : No action taken.

:mozilla.33:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Zedo : No action taken.

:mozilla.34:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Zedo : No action taken.

:mozilla.35:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Zedo : No action taken.

:mozilla.36:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\ns6hnzz5.default\cookies.txt -> TrackingCookie.Zedo : No action taken.

The new HJT log is...

Logfile of HijackThis v1.99.1

Scan saved at 10:13:25 PM, on 6/21/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Documents and Settings\Sean\Desktop\xampp\apache\bin\apache.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AIM\aim.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\FileZilla Server\FileZilla Server.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\xampp\xampp\mysql\bin\mysqld-nt.exe

C:\Documents and Settings\Sean\Desktop\xampp\apache\bin\apache.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\ewido anti-spyware 4.0\ewido.exe

C:\Documents and Settings\Sean\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,eifcqmp.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm

O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139889000593

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\dnj4011qe.dll

O20 - Winlogon Notify: policies - C:\WINDOWS\system32\l6p2lg7o16.dll (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apache - Unknown owner - C:\AppServ\Apache\Apache.exe" --ntservice (file missing)

O23 - Service: Apache2 - Unknown owner - C:\Documents and Settings\Sean\Desktop\xampp\apache\bin\apache.exe" -k runservice (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: EFTP3 Server (EFTP3Server) - Unknown owner - C:\Program Files\EFTP\EFTP3ServerService.exe (file missing)

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\FileZilla Server\FileZilla Server.exe

O23 - Service: mysql - Unknown owner - C:\Program.exe (file missing)

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Documents and Settings\Sean\Desktop\xampp\service.exe (file missing)

O23 - Service: Windows XP-SP2 FW (XP-P2FWD) - Unknown owner - C:\WINDOWS\algm.exe (file missing)

::Report end


Please download Look2Me-Destroyer to your desktop.

  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK.
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message; click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer. Click OK.
  • Your computer will then shut down.
  • Turn your computer back on.
  • Please post the contents of Look2Me-Destroyer.txt and a new HijackThis log.

Look2Me-Destroyer V1.0.12

Scanning for infected files.....

Scan started at 6/22/2006 1:10:01 PM

Infected! C:\WINDOWS\system32\fp0m03d1e.dll

Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071496.dll

Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071498.dll

Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071499.dll

Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071504.dll

Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071505.dll

Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071514.dll

Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071544.dll

Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072551.dll

Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072552.dll

Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072553.dll

Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072554.dll

Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072555.dll

Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072557.dll

Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072558.dll

Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0073388.dll

Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0073389.dll

Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0073584.dll

Infected! C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0073585.dll

Infected! C:\WINDOWS\system32\fp0m03d1e.dll

Infected! C:\WINDOWS\system32\j04o0ah3ed4.dll

Infected! C:\WINDOWS\system32\uhdmxfrm.dll

Infected! C:\WINDOWS\system32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\fp0m03d1e.dll

C:\WINDOWS\system32\fp0m03d1e.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071496.dll

C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071496.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071498.dll

C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071498.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071499.dll

C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071499.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071504.dll

C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071504.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071505.dll

C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071505.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071514.dll

C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071514.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071544.dll

C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0071544.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072551.dll

C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072551.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072552.dll

C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072552.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072553.dll

C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072553.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072554.dll

C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072554.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072555.dll

C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072555.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072557.dll

C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072557.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072558.dll

C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0072558.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0073388.dll

C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0073388.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0073389.dll

C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0073389.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0073584.dll

C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0073584.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0073585.dll

C:\System Volume Information\_restore{490691A7-BAA0-40C0-88B9-0F2F99DB2E60}\RP258\A0073585.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\fp0m03d1e.dll

C:\WINDOWS\system32\fp0m03d1e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\j04o0ah3ed4.dll

C:\WINDOWS\system32\j04o0ah3ed4.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\uhdmxfrm.dll

C:\WINDOWS\system32\uhdmxfrm.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\guard.tmp

C:\WINDOWS\system32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{29647E95-3B73-4716-8EFF-3A1886CDFC26}"

HKCR\Clsid\{29647E95-3B73-4716-8EFF-3A1886CDFC26}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{13EDF38C-316C-43E3-A09A-BD78A5D0B0CD}"

HKCR\Clsid\{13EDF38C-316C-43E3-A09A-BD78A5D0B0CD}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BA45171F-08CC-45F2-A35F-6AF0BFEF7640}"

HKCR\Clsid\{BA45171F-08CC-45F2-A35F-6AF0BFEF7640}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file

Restoring SeDebugPrivilege for Administrators - Succeeded

HERE IS THE HJT LOG...

Logfile of HijackThis v1.99.1

Scan saved at 1:17:22 PM, on 6/22/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\xampp\apache\bin\apache.exe

C:\Program Files\AIM\aim.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\Program Files\FileZilla Server\FileZilla Server.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\Program Files\xampp\apache\bin\apache.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Sean\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,eifcqmp.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm

O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139889000593

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apache2 - Unknown owner - C:\Program Files\xampp\apache\bin\apache.exe" -k runservice (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: EFTP3 Server (EFTP3Server) - Unknown owner - C:\Program Files\EFTP\EFTP3ServerService.exe (file missing)

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\FileZilla Server\FileZilla Server.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

O23 - Service: Windows XP-SP2 FW (XP-P2FWD) - Unknown owner - C:\WINDOWS\algm.exe (file missing)
