Jump to content


Plz Look

Started by viperviper33, Mar 17 2006 08:16 AM

  • You cannot reply to this topic
15 replies to this topic

#1 OFFLINE   viperviper33

    Newbie

  • Members
  • Pip
  • 8 posts

Posted 17 March 2006 - 08:16 AM

Logfile of HijackThis v1.99.1
Scan saved at 3:16:08 AM, on 3/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5296.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Blitzz\802.11g USB Adapter BWU723\ZDWlan.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...p://www.msn.com
O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp7797.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {EA0D26BD-9029-431A-86E0-83152D67828A} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [msnsyslog] C:\WINDOWS\msnappm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WLAN Utility.lnk = C:\Program Files\Blitzz\802.11g USB Adapter BWU723\ZDWlan.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.mess.../Medialogic.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://shizmoo.com/activex/web665.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1123
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.co...snmusax3718.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: winwil32 - C:\WINDOWS\
O21 - SSODL: System - {29FE1641-29E4-44EE-A59F-FBB7E1F73E84} - mcsys.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#2 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 17 March 2006 - 10:26 AM

Hi Shaine , Welcome Back :)

You have a few problems showing there so lets get started.

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

After all of the fixes are complete it is very important that you enable Real-time Protection again.

Please Download SmitRem from HERE

Save it to your desktop,Right click on the file and extract it to it's own folder on the desktop.

Download Ewido Anti Malware from HERE

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". Click on update in the left menu, then click the Start update button. After the update finishes (the status bar at the bottom will display "Update successful") Exit Ewido. DO NOT scan yet.

Download Ccleaner if you do not already have it from HERE

Install Then close,

Next can you go to Jotti's malware scan site HERE

once Jotti's site opens press browse and locate this file:

C:\WINDOWS\msnappm.exe

double click the msnappm.exe file to upload the path into Jotti's site then press Submit, please copy & paste the results back if it finds any problems with the file.


Next copy this to notepad and save it to your desktop so you can still view it in safe mode.

Now reboot to Safe Mode - Restart your computer and immediately begin tapping the F8 key on your keyboard. If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter. To return to normal mode just restart your computer as you normally would.

Run Smitrem

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that back in your next reply

Run Ewido

Click on the Scanner button in the left menu, then click on complete system scan. When ewido finds something, it will pop up a notification. Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on ok. When the scan finishes, click on "Save Report" from the bottom of the screen and save it to your desktop and post that back in your next reply.

Run Hijack This and choose Do A System Scan then place a check next to these entries


O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp7797.tmp

O20 - Winlogon Notify: winwil32 - C:\WINDOWS\

O21 - SSODL: System - {29FE1641-29E4-44EE-A59F-FBB7E1F73E84} - mcsys.dll (file missing)


Close all open browser and other windows except for Hijack This and press the Fix Checked button


Run Ccleaner and press "Run Cleaner" then exit.

Then Reboot back to Normal Mode

You will need to reload your wallpaper after using smitrem, To change your wallpaper right click desktop and choose properties, Set the Theme to XP then goto the Desktop tab and choose your wallpaper from there.

Please post the log from Smitrem, The jotti scan results, Ewido's scan log and a new Hijack This log.

I need to go out for awhile but I will check for a response when I get back abit later

Cheers

Andy

#3 OFFLINE   viperviper33

    Newbie

  • Members
  • Pip
  • 8 posts

Posted 17 March 2006 - 05:16 PM

When i am doing the jotties site thing when i click browse it willcome up and when i go to my computer it frezzes

#4 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 17 March 2006 - 05:23 PM

Try do the file scan on this site :

http://www.virustotal.com/

if it still freezes then perform the fixes and scans in safe mode then upload that file when you reboot back to normal mode. It's possibly a valid file but I just want that to be confirmed through a Virus scan site

Andy

#5 OFFLINE   viperviper33

    Newbie

  • Members
  • Pip
  • 8 posts

Posted 17 March 2006 - 05:26 PM

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 03/17/2006
The current time is: 12:23:30.56

Running from
C:\Documents and Settings\Owner\My Documents\smit\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"
"{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}"="Prestige Software"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{553858A7-4922-4e7e-B1C1-97140C1C16EF}\InProcServer32]
@="%SystemRoot%\system32\ieframe.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}\InProcServer32]
@="C:\WINDOWS\system32\ginuerep.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
ld****.tmp
ncompat.tlb
nvctrl.exe
hp***.tmp
logfiles


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 7152 'explorer.exe'
Killing PID 7152 'explorer.exe'
Killing PID 7152 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"
"{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}"="Prestige Software"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{553858A7-4922-4e7e-B1C1-97140C1C16EF}\InProcServer32]
@="%SystemRoot%\system32\ieframe.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}\InProcServer32]
@="C:\WINDOWS\system32\ginuerep.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :)

#6 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 17 March 2006 - 05:33 PM

Looking good , one less problem to deal with :) See how Ewido performs and the file scan and then post a new Hijack This log with the Ewido results.

#7 OFFLINE   viperviper33

    Newbie

  • Members
  • Pip
  • 8 posts

Posted 17 March 2006 - 05:51 PM

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:43:12 PM, 3/17/2006
+ Report-Checksum: 112A1943

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{EA0D26BD-9029-431A-86E0-83152D67828A} -> Adware.180Solutions : Cleaned with backup
HKU\S-1-5-21-1060284298-1078145449-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-1060284298-1078145449-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EA0D26BD-9029-431A-86E0-83152D67828A} -> Adware.180Solutions : Cleaned with backup
C:\Program Files\NoAdware4\noadwareutils.dll -> Adware.WebRebates : Cleaned with backup
C:\Program Files\SpyFalcon -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\blacklist.txt -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\Lang -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\Lang\English.ini -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\Logs -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\msvcp71.dll -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\msvcr71.dll -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\Quarantine -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\SpyFalcon.url -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\syg.db -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\uninst.exe -> Adware.SpyFalcon : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.10\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.11\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.12\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.13\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.14\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.15\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.16\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.17\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.18\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.19\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.20\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.21\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.22\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.23\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.24\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__hp7797.tmp -> Downloader.Zlob.ir : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 12:48:09 PM, on 3/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5296.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Blitzz\802.11g USB Adapter BWU723\ZDWlan.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...p://www.msn.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [msnsyslog] C:\WINDOWS\msnappm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WLAN Utility.lnk = C:\Program Files\Blitzz\802.11g USB Adapter BWU723\ZDWlan.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.mess.../Medialogic.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://shizmoo.com/activex/web665.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1123
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.co...snmusax3718.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



AHHHH!!! SPYFALCON is still here lol!

#8 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 17 March 2006 - 06:46 PM

Hi Shaine ,

Did the file show clear at the scan site ? ,

Don't worry about Spy Falcon it will not survive this, Smitrem doesnt target Spy Falcon yet but did remove some related Trojan files :) I just wrote a fixtool to remove SpyFalcon that should make it go without a fight, Download the attached file (SpyFalconFix.zip) and save it to your dekstop

Can you check your Add/Remove screen (Start Menu > Control Panel > Add/Remove programs) for Spy Falcon and remove it, do not reboot if it asks you to,

Open the SpyFalconFix folder and double click SpyFalconFix.bat (It will only take a few seconds to run, first it removes the registry entries then unregisters the files and then removes them) when the cmd screen closes the tool has finished.

Next run Panda Activescan from Here.

Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.

post back the PandaScan results and we can finish the clean up

Andy

#9 OFFLINE   viperviper33

    Newbie

  • Members
  • Pip
  • 8 posts

Posted 17 March 2006 - 07:13 PM

Incident Status Location

Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\SpyFalconFix\SpyFalconFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\SpyFalconFix.zip[Process.exe]
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Owner\Incomplete\Preview-T-224097-_live_ styles xp keygen\YSB_toolBar.exe
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Owner\My Documents\My Music\stylexp keygen.zip[YSB_toolBar.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\My Documents\smit\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\My Documents\smit\smitRem.exe[Process.exe]
Potentially unwanted tool:application/spyfalcon Not disinfected C:\Documents and Settings\Owner\Start Menu\SpyFalcon 2.0.lnk
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\Distribution.dll.050
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\Music.dll.025
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\Windows.dll.076
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Daily Weather Forecast\weather.exe
Adware:Adware/SaveNow Not disinfected C:\Program Files\MyEmoticons\My.Emo
Adware:Adware/SaveNow Not disinfected C:\Program Files\MyEmoticons\uninstall.exe
Adware:Adware/Paymsn Not disinfected C:\WINDOWS\msnavatarlog.exe
Adware:adware/spyfalcon Not disinfected C:\WINDOWS\system32\ginuerep.dll
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\winsysupd71.dat
Adware:Adware/IST.ISTBar Not disinfected E:\My Documents\My Music\stylexp keygen.zip[YSB_toolBar.exe]

#10 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 17 March 2006 - 08:27 PM

Hi Shaine

sorry for the delay, I had to sort a few things out, Ive put another batch script together to remove the files detected in that scan , I already attempted to remove the Spy Falcon file from system32 in the last script so if you have any more problems with that infection run the SpyFalcon fixtool in safe mode,

Download Shainefix.zip , extract and double click Shainfix.bat , again it will only take a couple of seconds to run and will remove all the files detected except these below.

As this looks like something you have installed I didnt want to include it in the script but its recommended you remove them from the system

C:\Documents and Settings\Owner\Incomplete\Preview-T-224097-_live_ styles xp keygen\YSB_toolBar.exe

C:\Documents and Settings\Owner\My Documents\My Music\stylexp keygen.zip

E:\My Documents\My Music\stylexp keygen.zip

You also have to be cautious about visiting Crack or Serial sites as they always have infected files on there and this is maybe where the problems have come from, Im certainly not going to tell you what to do on your own system but you should be very careful about running files from them sites as alot of them will contain Trojan or Virus infections and its likely they will also load password stealers or information stealing trojans so it enables them to add new serials to their lists.

Just for your info, Panda has detected my fixtool and Smitrem as a potentially unwanted tool , this is because both contain a file called process.exe but its not a problem or a threat. Process.exe is used to stop the malware files before we attempt to remove them and its very useful but if that was put on the system by malware then it can easily do the same and stop your Anti-Virus/Anti-Spyware programs or Firewall from running so thats the reason Pandascan detects them, If you are not having problems with Spy Falcon now then its fine to remove the SpyFalconFix and Smitrem folder but if it appears after a reboot run the SpyFalconFix again in safe mode before removing it.

Hows things running now Shaine ?

Andy

EDIT:Removed scripts now they have been used

#11 OFFLINE   viperviper33

    Newbie

  • Members
  • Pip
  • 8 posts

Posted 17 March 2006 - 08:51 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:49:25 PM, on 3/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5296.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Blitzz\802.11g USB Adapter BWU723\ZDWlan.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunes.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...p://www.msn.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [msnsyslog] C:\WINDOWS\msnappm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WLAN Utility.lnk = C:\Program Files\Blitzz\802.11g USB Adapter BWU723\ZDWlan.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.mess.../Medialogic.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://shizmoo.com/activex/web665.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1123
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.co...snmusax3718.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I Think im clean. i couldnt open programs now i can :)

#12 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 17 March 2006 - 09:05 PM

Good to hear :)

To help keep the machine clean in the future, I will suggest the following things:

Install Spywareblaster
SpywareBlaster doesn`t scan and clean spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via webpages.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Let your antispywarescanner(s) scan frequently and don't forget to update before running them Make sure you re-enable Window Defender's Real Time Protection.

Also make sure your windows has the latest updates: http://windowsupdate.microsoft.com/

More info on how to prevent malware can be found here (By Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

Happy surfing again! :)

#13 OFFLINE   krit86lr

    Power Member

  • Members
  • PipPipPipPip
  • 1,958 posts
  • Gender:Female
  • Location:Missouri, USA

Posted 17 March 2006 - 09:11 PM

I am going to add one more suggestion. DSOStop2 is a must have. Download it, then click "Protect Internet Explorer", then your done. You never need to mess with it again.

Also, remember to update SpwareBlaster about once a month, and after updating click "enable all protection".

Enjoy your computer! :D
CCleaner Beginner's Guide | Winapp2.ini: Personalize Your CCleaner | DAF | Fix CCleaner Crashes | CCleaner Issues Re-appearing

#14 OFFLINE   viperviper33

    Newbie

  • Members
  • Pip
  • 8 posts

Posted 17 March 2006 - 09:11 PM

Thanks alot again!! I will do !!!
DO you recommend me to keep ewido?

#15 OFFLINE   krit86lr

    Power Member

  • Members
  • PipPipPipPip
  • 1,958 posts
  • Gender:Female
  • Location:Missouri, USA

Posted 17 March 2006 - 09:12 PM

View Postviperviper33, on Mar 17 2006, 03:11 PM, said:

Thanks alot again!! I will do !!!
DO you recommend me to keep ewido?
Definitely. ;)
CCleaner Beginner's Guide | Winapp2.ini: Personalize Your CCleaner | DAF | Fix CCleaner Crashes | CCleaner Issues Re-appearing

#16 OFFLINE   viperviper33

    Newbie

  • Members
  • Pip
  • 8 posts

Posted 18 March 2006 - 06:29 AM

Thanx for all you help Every one its uo and running AOK :D
Back to Spyware Hell


  1. Piriform Community Forums
  2. Computer Help and Discussion
  3. Spyware Hell