Hijackthis log check(RESOLVED)
-
My computer has been having a little bit of trouble today. I did a scan launched by Microsoft and it said I had 3 threats but it couldn't clean them. I am hoping someone can help me out and see if those threats are on this log. Thanks in advance. -Brandi
Logfile of HijackThis v1.99.1
Scan saved at 11:54:32 PM, on 3/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\safe-share\SafeShare.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brandi\My Documents\hijackthis\hijackthis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Unshare] C:\Program Files\safe-share\SafeShare.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R340 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE /P30 "EPSON Stylus Photo R340 Series" /O6 "USB003" /M "Stylus Photo R340"
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resourc...scbase7617.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1137885382375
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downl...ameManager.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/...l/gtdownde.cab
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: Keep Safe Service (KSIE) - Unknown owner - C:\WINDOWS\System32\keepsafe.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
-
Hi,
Read about safeshare at the link below; I suggest we remove it in a bit.
http://www.bleepingcomputer.com/star....exe-7133.html
Let's do some scans and see what comes up.
http://www.kaspersky.com/virusscanner
Please do an online scan with Kaspersky WebScanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
- Extended (if available otherwise Standard)
o Scan Options:
- Scan Archives
- Scan Mail Bases
* Click OK
* Now under select a target to scan:
o Select My Computer
* This program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
o Now click on the Save as Text button:
* Save the file to your desktop.
* Copy and paste that information in your next post.
Also I see you have Ewido, check for updates and post me a scan log from that as well please.
-
I tried downloading the Kaspersky online scanner but it doesn't complete. I get a Microsoft Internet Explorer message that reads "unknown error detected while checking the license for Kaspersky On-Line Scanner product".
* I do find it (Kaspersky) in my Add and Remove Programs but can't find it anywhere else on my PC.
Safe-Share is also the name of the place that I download music from. Will fixing what you mentioned mess that up?
thanks
-brandi
-
I'm sure you would not be able to do music downloads, but it is your choice; you read what I posted about safeshare.
Try one of these scanners:
Internet Explorer is required for all scans except Ewido. Please save the scan logs the scanners make and post them back here.
http://www.bitdefender.com/
www.pandasoftware.com/activescan/
Internet Explorer Required
Please run this online virus scan: ActiveScan
* Once you are on the Panda site click the Scan your PC button
* A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click Send (*NOTE: it's perfectly safe to do so. You will NOT be spammed from this)
- Select either Home User or Company
* Click the big Scan Now button
* If/when you get a notice that Panda wants to install an ActiveX component allow it
* It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
* When download is complete, click on Local Disks to start the scan
* When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop and post it back here please and a new hijackthis log as well. Thanks.
Also be sure to do this one, and one of the above online scanners.
Please download, install, and update the NEW free version of Ewido trojan scanner:
* When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
* From the main ewido screen, click on update in the left menu, then click the Start update button.
* After the update finishes (the status bar at the bottom will display "Update successful"):
* Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
* If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
* When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Post the log Ewido makes back here please.
-
Here's the Bitdefender scan log. Since I already have Ewido, I'm going to update it and do the scan now.
//-----------------------------------------------------------------
//
// Product: BitDefender 9 Internet Security
// Version: 9.0
//
// Created on: 24/03/2006 13:17:36
//
//-----------------------------------------------------------------
Virus Statistics
Scan path : C:\
Folders : 4693
Files : 174706
Archives : 3287
Packed files : 10535
Identified viruses : 39
Infected files : 47
Warnings : 0
Suspect files : 0
Disinfected files : 0
Deleted files : 0
Copied files : 0
Moved files : 41
Renamed files : 0
I/O errors : 26
Scan time : 00:44:54
Scan speed (files/sec) : 64
Virus definitions : 350225
Scan plugins : 15
Archive plugins : 42
Unpack plugins : 4
Mail plugins : 6
System plugins : 5
Virus scan options
Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email
File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;
Action
Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user
Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user
Virus scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: C:\Program Files\Softwin\BitDefender9\Logs\vscan_1143227856.log
Summary:
C:\Documents and Settings\Brandi\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-19f51867.zip Infected: Trojan.Downloader.Java.Openstream.W
C:\Documents and Settings\Brandi\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-19f51867.zip Disinfection failed
C:\Documents and Settings\Brandi\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-19f51867.zip Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Ab scissor.url Detected: Application.Coolwwwsearch.Aff.Winshow.B
C:\Documents and Settings\Brandi\Favorites\Sites about\Ab scissor.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Broadband comparison.url Detected: Application.Coolwwwsearch.Aff.Winshow.U
C:\Documents and Settings\Brandi\Favorites\Sites about\Broadband comparison.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Credit counseling.url Detected: Application.Coolwwwsearch.Aff.Winshow.Y
C:\Documents and Settings\Brandi\Favorites\Sites about\Credit counseling.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Credit report.url Detected: Application.Coolwwwsearch.Aff.Winshow.K
C:\Documents and Settings\Brandi\Favorites\Sites about\Credit report.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Crm software.url Detected: Application.Coolwwwsearch.Aff.Winshow.N
C:\Documents and Settings\Brandi\Favorites\Sites about\Crm software.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Debt credit card.url Detected: Application.Coolwwwsearch.Aff.Winshow.C
C:\Documents and Settings\Brandi\Favorites\Sites about\Debt credit card.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Escorts.url Detected: Application.Coolwwwsearch.Aff.Winshow.G
C:\Documents and Settings\Brandi\Favorites\Sites about\Escorts.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Fha.url Detected: Application.Coolwwwsearch.Aff.Winshow.H
C:\Documents and Settings\Brandi\Favorites\Sites about\Fha.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Health insurance.url Detected: Application.Coolwwwsearch.Aff.Winshow.F
C:\Documents and Settings\Brandi\Favorites\Sites about\Health insurance.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Help desk software.url Detected: Application.Coolwwwsearch.Aff.Winshow.AB
C:\Documents and Settings\Brandi\Favorites\Sites about\Help desk software.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Insurance home.url Detected: Application.Coolwwwsearch.Aff.Winshow.A
C:\Documents and Settings\Brandi\Favorites\Sites about\Insurance home.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Loan for debt consolidation.url Detected: Application.Coolwwwsearch.Aff.Winshow.L
C:\Documents and Settings\Brandi\Favorites\Sites about\Loan for debt consolidation.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Loan for people with bad credit.url Detected: Application.Coolwwwsearch.Aff.Winshow.AA
C:\Documents and Settings\Brandi\Favorites\Sites about\Loan for people with bad credit.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Marketing email.url Detected: Application.Coolwwwsearch.Aff.Winshow.P
C:\Documents and Settings\Brandi\Favorites\Sites about\Marketing email.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Mortgage insurance.url Detected: Application.Coolwwwsearch.Aff.Winshow.S
C:\Documents and Settings\Brandi\Favorites\Sites about\Mortgage insurance.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Mortgage life insurance.url Detected: Application.Coolwwwsearch.Aff.Winshow.O
C:\Documents and Settings\Brandi\Favorites\Sites about\Mortgage life insurance.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Nevada corporations.url Detected: Application.Coolwwwsearch.Aff.Winshow.Q
C:\Documents and Settings\Brandi\Favorites\Sites about\Nevada corporations.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Online Betting Site.url Detected: Application.Coolwwwsearch.Aff.Winshow.AC
C:\Documents and Settings\Brandi\Favorites\Sites about\Online Betting Site.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Online gambling casino.url Detected: Application.Coolwwwsearch.Aff.Winshow.R
C:\Documents and Settings\Brandi\Favorites\Sites about\Online gambling casino.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Online instant loan.url Detected: Application.Coolwwwsearch.Aff.Winshow.Z
C:\Documents and Settings\Brandi\Favorites\Sites about\Online instant loan.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Order phentermine.url Detected: Application.Coolwwwsearch.Aff.Winshow.J
C:\Documents and Settings\Brandi\Favorites\Sites about\Order phentermine.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Payroll advance.url Detected: Application.Coolwwwsearch.Aff.Winshow.E
C:\Documents and Settings\Brandi\Favorites\Sites about\Payroll advance.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Personal loans online.url Detected: Application.Coolwwwsearch.Aff.Winshow.I
C:\Documents and Settings\Brandi\Favorites\Sites about\Personal loans online.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Personal loans with bad credit.url Detected: Application.Coolwwwsearch.Aff.Winshow.M
C:\Documents and Settings\Brandi\Favorites\Sites about\Personal loans with bad credit.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Prescription Drugs Rx Online.url Detected: Application.Coolwwwsearch.Aff.Winshow.AD
C:\Documents and Settings\Brandi\Favorites\Sites about\Prescription Drugs Rx Online.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Refinancing my mortgage.url Detected: Application.Coolwwwsearch.Aff.Winshow.T
C:\Documents and Settings\Brandi\Favorites\Sites about\Refinancing my mortgage.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Tahoe vacation rental.url Detected: Application.Coolwwwsearch.Aff.Winshow.V
C:\Documents and Settings\Brandi\Favorites\Sites about\Tahoe vacation rental.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Unsecured bad credit loans.url Detected: Application.Coolwwwsearch.Aff.Winshow.X
C:\Documents and Settings\Brandi\Favorites\Sites about\Unsecured bad credit loans.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\Videos.url Detected: Application.Coolwwwsearch.Aff.Winshow.W
C:\Documents and Settings\Brandi\Favorites\Sites about\Videos.url Moved
C:\Documents and Settings\Brandi\Favorites\Sites about\What is hydrocodone.url Detected: Application.Coolwwwsearch.Aff.Winshow.D
C:\Documents and Settings\Brandi\Favorites\Sites about\What is hydrocodone.url Moved
C:\Documents and Settings\Brandi\My Documents\hijackthis\backups\backup-20050909-205916-907.dll Infected: Trojan.Kolweb.D
C:\Documents and Settings\Brandi\My Documents\hijackthis\backups\backup-20050909-205916-907.dll Disinfection failed
C:\Documents and Settings\Brandi\My Documents\hijackthis\backups\backup-20050909-205916-907.dll Moved
C:\Documents and Settings\LocalService\Desktop\Nailfix.zip=>Process.exe Detected: Spyware.Processor.A
C:\Documents and Settings\LocalService\Desktop\Nailfix.zip Moved
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G3EPOZ6R\installerV5_thin[1].exe Infected: MemScan:Adware.Ncase.E
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G3EPOZ6R\installerV5_thin[1].exe Disinfection failed
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G3EPOZ6R\installerV5_thin[1].exe Moved
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll Detected: Adware.Minibug.B
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll Moved
C:\WINDOWS\desktop.ini=>:qvsqsl:$DATA Detected: Application.Coolwebsearch.A
C:\WINDOWS\dpwvnlp.exe Infected: BehavesLike:Win32.ExplorerHijack
C:\WINDOWS\dpwvnlp.exe Moved
C:\WINDOWS\Gone Fishing.bmp=>:hstcwo:$DATA Detected: Application.Coolwebsearch.A
C:\WINDOWS\n_ocwmnl.log=>:euexmg:$DATA Detected: Application.Coolwebsearch.A
C:\WINDOWS\system32\hwzp0u.dll Infected: Trojan.Kolweb.D
C:\WINDOWS\system32\hwzp0u.dll Disinfection failed
C:\WINDOWS\system32\hwzp0u.dll Moved
C:\WINDOWS\system32\hxdefdrv.sys Infected: Backdoor.Hacdef.BO
C:\WINDOWS\system32\hxdefdrv.sys Disinfection failed
C:\WINDOWS\system32\hxdefdrv.sys Moved
C:\WINDOWS\system32\keepsafe.exe Infected: Backdoor.Hacdef.BW
C:\WINDOWS\system32\keepsafe.exe Disinfection failed
C:\WINDOWS\system32\keepsafe.exe Moved
C:\WINDOWS\system32\kgt6.dll Infected: Trojan.Kolweb.D
C:\WINDOWS\system32\kgt6.dll Disinfection failed
C:\WINDOWS\system32\kgt6.dll Moved
C:\WINDOWS\Temp\installerV5_thin.exe Infected: MemScan:Adware.Ncase.E
C:\WINDOWS\Temp\installerV5_thin.exe Disinfection failed
C:\WINDOWS\Temp\installerV5_thin.exe Moved
C:\WINDOWS\Windows Update.log=>:dgcgdr:$DATA Detected: Application.Coolwebsearch.A
C:\WINDOWS\Zapotec.bmp=>:qhpxdi:$DATA Detected: Application.Coolwebsearch.A
C:\WINDOWS\_default.pif=>:vovxuv:$DATA Detected: Application.Coolwebsearch.A
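The HijackThis log at the top of the thread and the BitDefender summary above describe the same machine from two angles: one lists what is configured to start, the other lists what a signature scan recognised. As an added example (my code, not code from the thread or from HijackThis, BitDefender or ewido), the script below parses the O4/O23 lines and the BitDefender summary lines and joins them on file path. On the excerpted lines it shows that the "Keep Safe Service (KSIE)" entry with no publisher is the same keepsafe.exe BitDefender reported as Backdoor.Hacdef.BW, that the SNDSrvc service points at a missing file, and that hxdefdrv.sys and the alternate-data-stream hits have no HijackThis entry at all. The sample lines are excerpted from the logs posted in this thread; the two line formats and the triage rules are my own reading of those logs, not documented formats.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# HijackThis line: "O23 - body" (R0/R1 = browser settings, O4 = Run keys, O23 = services)
HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# O23 body: "Service: Name (Short) - Owner - C:\path\file.exe[ (file missing)]";
# "(Short)" is absent on some lines, e.g. the iPodService entry in the thread.
O23_BODY = re.compile(
    r"^Service: (?P<name>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# First Windows path ending in an executable extension; non-greedy so a path
# containing spaces stops at its first .exe/.dll/.sys.
WIN_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys)\b", re.IGNORECASE)
# BitDefender summary line: "<path>[=>inner] Infected: Sig" / "Detected: Sig" /
# "Disinfection failed" / "Moved". "=>" marks an object inside an archive, or
# an NTFS alternate data stream when the inner part looks like ":name:$DATA".
BD_LINE = re.compile(
    r"^(?P<path>.+?)(?:=>(?P<inner>.+?))? "
    r"(?:(?P<verdict>Infected|Detected): (?P<sig>\S+)|(?P<action>Disinfection failed|Moved))$"
)


@dataclass
class HjtEntry:
    kind: str
    body: str
    path: Optional[str] = None
    owner: Optional[str] = None
    file_missing: bool = False


@dataclass
class Detection:
    path: str
    signature: str
    inner: Optional[str] = None
    actions: list = field(default_factory=list)

    @property
    def is_ads(self) -> bool:
        return bool(self.inner) and self.inner.startswith(":") and self.inner.endswith(":$DATA")


def parse_hjt(lines):
    entries = []
    for line in lines:
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        e = HjtEntry(kind=m.group("kind"), body=m.group("body"))
        if e.kind == "O23" and (s := O23_BODY.match(e.body)):
            e.path, e.owner = s.group("path"), s.group("owner")
            e.file_missing = s.group("missing") is not None
        elif p := WIN_PATH.search(e.body):
            e.path = p.group(0)
        entries.append(e)
    return entries


def parse_bitdefender(lines):
    """Map lowercased outer path -> Detection; Moved/Disinfection lines attach to it."""
    found = {}
    for line in lines:
        m = BD_LINE.match(line.strip())
        if not m:
            continue
        key = m.group("path").lower()
        if m.group("sig"):
            found[key] = Detection(m.group("path"), m.group("sig"), m.group("inner"))
        elif key in found:
            found[key].actions.append(m.group("action"))
    return found


def triage(hjt_lines, bd_lines):
    """Return (flagged HJT entries, detections with no HJT persistence entry)."""
    detections = parse_bitdefender(bd_lines)
    findings, matched = [], set()
    for e in parse_hjt(hjt_lines):
        reasons = []
        # Join on lowercased path: HJT prints System32, BitDefender prints system32.
        # 8.3 names such as C:\PROGRA~1\... will not join and need a manual look.
        if e.path and (d := detections.get(e.path.lower())):
            reasons.append(f"scanner: {d.signature}")
            matched.add(e.path.lower())
        if e.owner == "Unknown owner":  # a prompt to check, not a verdict: Adobe's services show it too
            reasons.append("service has no publisher")
        if e.file_missing:
            reasons.append("file missing (stale service entry)")
        if reasons:
            findings.append({"kind": e.kind, "path": e.path, "body": e.body, "reasons": reasons})
    # Hits with no persistence entry are what a HijackThis reader cannot see:
    # kernel drivers (hxdefdrv.sys) and payloads kept in alternate data streams.
    orphans = [d for k, d in detections.items() if k not in matched]
    return findings, orphans


# Sample lines excerpted from the logs posted in this thread.
HJT_SAMPLE = [
    r'O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"',
    r"O4 - HKLM\..\Run: [Unshare] C:\Program Files\safe-share\SafeShare.exe",
    r"O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe",
    r"O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe",
    r"O23 - Service: Keep Safe Service (KSIE) - Unknown owner - C:\WINDOWS\System32\keepsafe.exe",
    r"O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)",
]
BD_SAMPLE = [
    r"C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll Detected: Adware.Minibug.B",
    r"C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll Moved",
    r"C:\WINDOWS\desktop.ini=>:qvsqsl:$DATA Detected: Application.Coolwebsearch.A",
    r"C:\WINDOWS\system32\hxdefdrv.sys Infected: Backdoor.Hacdef.BO",
    r"C:\WINDOWS\system32\hxdefdrv.sys Disinfection failed",
    r"C:\WINDOWS\system32\hxdefdrv.sys Moved",
    r"C:\WINDOWS\system32\keepsafe.exe Infected: Backdoor.Hacdef.BW",
    r"C:\WINDOWS\system32\keepsafe.exe Disinfection failed",
    r"C:\WINDOWS\system32\keepsafe.exe Moved",
]

if __name__ == "__main__":
    flagged, unmatched = triage(HJT_SAMPLE, BD_SAMPLE)
    for f in flagged:
        print(f["kind"], f["path"], "->", "; ".join(f["reasons"]))
    for d in unmatched:
        print("no HJT entry:", d.path, d.signature, "(ADS)" if d.is_ads else "")
```

The join is deliberately on the full path rather than the file name: a scanner hit on a file in Temporary Internet Files says nothing about a same-named file in System32, and it is the System32 copy that the O23 entry loads at boot. The "Unknown owner" and "(file missing)" rules only raise entries for a human to look at; on this log the Adobe services trip the first rule and are benign, while the missing SNDSrvc file is leftover Symantec configuration rather than malware.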
-
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 4:12:26 PM, 3/24/2006
+ Report-Checksum: E5DB8353
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{00DD6309-C35E-7ACF-CE4F-6C92538A0A8D} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{08817655-0E34-8BCD-99FE-0596ECF04010} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{61B9FC5F-C646-B4CB-869C-F785091D313E} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{61CD4FCC-2FDF-DD1C-7FC8-9C8750F1B5F9} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7B91F2F8-A5DA-B07D-3C3A-9622872C3AEB} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{84850937-9A02-7E55-8FA6-C522AD1E86A5} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{CC47DD3F-46F7-6813-D89E-37FD2658A254} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D89FEB47-489B-5DB5-8F56-21233C5B92D4} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E1C3C5B8-DB64-9214-3152-74004E9FCB93} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FE94D56A-1AD9-11E0-34F7-8455FC4F3D27} -> Adware.CoolWebSearch : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.184:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.185:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.193:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.194:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.219:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.220:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.221:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.222:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.223:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.224:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.569:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.570:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.571:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.572:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.573:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.578:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Aavalue : Cleaned with backup
:mozilla.579:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Aavalue : Cleaned with backup
:mozilla.580:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Aavalue : Cleaned with backup
:mozilla.581:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Aavalue : Cleaned with backup
:mozilla.582:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Aavalue : Cleaned with backup
:mozilla.583:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Aavalue : Cleaned with backup
:mozilla.584:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Aavalue : Cleaned with backup
:mozilla.585:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Aavalue : Cleaned with backup
:mozilla.586:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Aavalue : Cleaned with backup
:mozilla.587:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Aavalue : Cleaned with backup
:mozilla.588:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\1d57q2ak.Brandi\cookies.txt -> TrackingCookie.Aavalue : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.182:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.183:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.184:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.185:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.186:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.187:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.208:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned with backup
:mozilla.209:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned with backup
:mozilla.210:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned with backup
:mozilla.211:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned with backup
:mozilla.212:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned with backup
:mozilla.213:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned with backup
:mozilla.214:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned with backup
:mozilla.215:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned with backup
:mozilla.216:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned with backup
:mozilla.217:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned with backup
:mozilla.511:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.512:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.513:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.589:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.590:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\coo kies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.651:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\coo kies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.652:C:\Documents and Settings\Brandi\Application Data\Mozilla\Firefox\Profiles\ra1q5u2i.default\coo kies.txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@stats1.reliab lestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
::Report End
-
Hi,
Go to the link below to learn how to clear out your Java cache:
http://www.java.com/en/download/help/5000020300.xml
Next,
Download the Intermute stand-alone version of CWShredder from here: cwshredder.net/bin/CWShredder.exe
Install it and check for updates then exit, we will use it later.
For later use in a minute
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All except cookies
Click the Empty Selected button.
=============================================
If you use Firefox Browser
Click Firefox at the top and choose: Select All except cookies
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
=============================================
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
=============================================
Now reboot into Safe Mode by tapping your F8 key upon restart; when the Safe Mode screen appears, select Safe Mode and press Enter.
Now run CWShredder and click on fix
Now run ATF Cleaner
Reboot into normal mode and post a new HijackThis log and feedback on how your computer is behaving now. Thanks.
-
Here it is:
Logfile of HijackThis v1.99.1
Scan saved at 10:33:44 PM, on 3/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\safe-share\SafeShare.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE
C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
C:\Program Files\Softwin\BitDefender9\bdmcon.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\program files\softwin\bitdefender9\bdnagent.exe
C:\program files\softwin\bitdefender9\bdswitch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Brandi\My Documents\hijackthis\hijackthis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Unshare] C:\Program Files\safe-share\SafeShare.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus Photo R340 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE /P30 "EPSON Stylus Photo R340 Series" /O6 "USB003" /M "Stylus Photo R340"
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender9\bdmcon.exe"
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender9\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\Program Files\Softwin\BitDefender9\bdswitch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resourc...scbase7617.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1137885382375
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downl...ameManager.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v6.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/...l/gtdownde.cab
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: Keep Safe Service (KSIE) - Unknown owner - C:\WINDOWS\System32\keepsafe.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
thanks, brandi
-
Hi,
Create a folder such as C:\HJT or C:\Program Files\HJT and move HJT.exe into the newly created folder so we can have available backups in case you fix the wrong thing or I make a mistake. Very important.
Go to Start > Run and type in Services.msc then click OK
Click the Extended tab.
Scroll down until you find Keep Safe Service (KSIE).
Click once on the service to highlight it.
Click Stop
Right-Click on the service.
Click on 'Properties'
Select the 'General' tab
Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
From the drop-down menu, click on 'Disabled'
Click the 'Apply' tab, then click 'OK'
Next:
Please run HijackThis and click Config -> Misc Tools -> Delete an NT service. In the Delete window, type Keep Safe Service (KSIE) and press OK. OK any prompts, close HijackThis, and restart your computer.
Run HijackThis, click the Scan button and put a check next to these if still present:
R3 - Default URLSearchHook is missing
O23 - Service: Keep Safe Service (KSIE) - Unknown owner - C:\WINDOWS\System32\keepsafe.exe (file missing)
Now reboot into Safe Mode by tapping your F8 key upon restart; when the Safe Mode screen appears, select Safe Mode and press Enter.
Hunt for and delete if present:
C:\WINDOWS\System32\keepsafe.exe < file
I take it you are going to keep safe share.
How is your computer running now?
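An added example, not part of this thread or of HijackThis itself: a small Python triage of the O4 (Run key) and O23 (service) lines the helper reads from, flagging services whose registered binary is gone, like the KSIE entry above, and Run-key images given without a directory. The sample lines are constructed for the example after the kinds of entries in the logs posted here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed HijackThis v1.99.1 lines, modelled on the O4 and O23 entries
# posted in the thread (not copied from a live machine).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Keep Safe Service (KSIE) - Unknown owner - C:\WINDOWS\System32\keepsafe.exe (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# "O23 - Service: <display> (<short>) - <owner> - <path>"; the short name is optional.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+)$"
)
# "O4 - HKLM\..\Run: [<name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


@dataclass
class ServiceEntry:
    display: str
    short: Optional[str]
    owner: str
    path: str
    file_missing: bool


@dataclass
class RunEntry:
    hive: str
    name: str
    image: str


def parse_services(lines: List[str]) -> List[ServiceEntry]:
    out: List[ServiceEntry] = []
    for line in lines:
        m = O23_RE.match(line.strip())
        if not m:
            continue
        raw = m.group("path")
        missing = raw.endswith("(file missing)")
        if missing:
            raw = raw[: -len("(file missing)")].rstrip()
        # HijackThis prints the ImagePath as registered; a stray closing quote
        # followed by arguments (bdss.exe" /service) marks where the path ends.
        path = raw.split('"')[0].strip()
        out.append(ServiceEntry(m.group("display"), m.group("short"), m.group("owner"), path, missing))
    return out


def parse_run_keys(lines: List[str]) -> List[RunEntry]:
    out: List[RunEntry] = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd").strip()
        # Quoted image: take up to the closing quote; otherwise the first token.
        image = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        out.append(RunEntry(m.group("hive"), m.group("name"), image))
    return out


def orphaned_services(entries: List[ServiceEntry]) -> List[str]:
    # Services still registered but pointing at a binary that no longer exists,
    # the leftover the helper has Brandi stop, disable and delete above.
    return [e.short or e.display for e in entries if e.file_missing]


def unqualified_run_images(entries: List[RunEntry]) -> List[str]:
    # An image with no directory is resolved through the search path, so it
    # deserves a second look even when the name is familiar.
    return [e.name for e in entries if "\\" not in e.image and "/" not in e.image]
```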
-

Here is the newest scan: Computer is on good behavior now! My mouse is freezing on me, but I think I just need a new one though. Thanks for helping me. -brandi
Logfile of HijackThis v1.99.1
Scan saved at 12:31:06 AM, on 4/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\safe-share\SafeShare.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Brandi\My Documents\hijackthis\hijackthis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Unshare] C:\Program Files\safe-share\SafeShare.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus Photo R340 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE /P30 "EPSON Stylus Photo R340 Series" /O6 "USB003" /M "Stylus Photo R340"
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resourc...scbase7617.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1137885382375
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downl...ameManager.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v6.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/...l/gtdownde.cab
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)