This is my thread, please analyze it to get rid of shopping wizard home search assistant.

Logfile of HijackThis v1.99.1
Scan saved at 11:21:14 م, on 19/09/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sm56hlpr.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\QuickTime\qttask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Webshots\WebshotsTray.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloads\hijackthis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.07770500.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pbspx.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.07770500.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pbspx.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.07770500.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pbspx.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd0.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SM56ACL] sm56hlpr.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] ntsysman.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [msn] ctfmoons.exe
O4 - HKLM\..\Run: [Microsoft] Microsoft.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Microsoft System Checkup] ntsysman.exe
O4 - HKLM\..\RunServices: [msn] ctfmoons.exe
O4 - HKLM\..\RunServices: [Microsoft] Microsoft.exe
O4 - HKCU\..\Run: [Microsoft] Microsoft.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Cydoor] CD_Load.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: palstart.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FLASHGET\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FLASHGET\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/shared/McMySec/en-us/1,0,0,2/mcmysec.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D97BB2B-BF4F-436A-A433-17A8F3C32071}: NameServer = 62.140.73.1 193.227.1.1
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\ntsysman.exe (file missing)
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe



Please go here & install ALL critical updates required for your system, including service pack 1a for both XP and IE6.
Most malware is designed to attack unpatched XP systems - exploiting the available 'holes' - and can bypass third-party protection on an unpatched system. The most that can be done with an unpatched system is put a temporary bandage on it. Your system can potentially be reinfected within minutes of cleaning it.

==

Download CWShredder 2.15 from here. Run it and press the *fix,* not scan and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button.

===============

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

===============

Download AboutBuster 5:

http://www.besttechie.net/tools/AboutBuster5.zip
http://www.malwarebytes.biz/AboutBuster5.zip

Once downloaded, unzip it, and put the folder on your desktop. Then double-click on the AboutBuster icon to start the program.

Click Update. This will start updating AboutBuster with the latest definition database.

Once it's done updating and you see that dialog, click Ok.

Close AboutBuster.

Reboot into safe mode following the instructions here.

Start AboutBuster and click Begin Removal.

When the scan is done, click Ok.


Run Ewido and do a full scan. When it prompts you to clean files during the scan, click OK.

Save the logfile from the scan. Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
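As an added example (not from this thread, and not part of HijackThis itself), here is a small Python triage script that parses a HijackThis v1.99 log and flags the patterns a helper looks for in the log posted above: search-page values served from a `res://` DLL resource, a missing URLSearchHook, registered components whose file is gone, path-less autoruns with system-sounding labels, and ActiveX (DPF) entries registered from a local `.cab`. The sample log is constructed from lines of the first log in this thread, and the rule names, `MIMIC_WORDS` list and function names are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines taken from the first HijackThis log in this thread,
# trimmed to one representative line per pattern the rules below look for.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pbspx.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.07770500.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [Microsoft System Checkup] ntsysman.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\ntsysman.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run|RunServices|RunOnce): \[(.*?)\] (.*)$")
GONE_RE = re.compile(r"\((no file|file missing)\)\s*$")
# Label fragments that borrow a system-sounding name (a constructed heuristic list).
MIMIC_WORDS = ("microsoft", "windows", "system", "nt ", "msn")


@dataclass
class Entry:
    section: str  # "R1", "O4", "O23", ...
    body: str     # everything after the "Rn - " / "On - " prefix
    raw: str


@dataclass
class Finding:
    reason: str
    entry: Entry


def parse_hjt(text):
    """Return the Rn/On entries of a HijackThis log; the process list is skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2), line.strip()))
    return entries


def _is_bare_filename(command):
    """True when the autorun command is just a file name: no drive, path or variable."""
    first = command.strip().lstrip('"').split('"')[0].split()[0]
    return not re.search(r"[\\/:%]", first)


def missing_service_images(entries):
    """Basenames of O23 service images that HijackThis reports as '(file missing)'."""
    names = set()
    for e in entries:
        if e.section == "O23" and "(file missing)" in e.body:
            path = e.body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
            names.add(path.rsplit("\\", 1)[-1].lower())
    return names


def triage(entries):
    """Apply the heuristics an analyst uses on a search-assistant hijack."""
    gone = missing_service_images(entries)
    findings = []
    for e in entries:
        b = e.body
        if e.section in ("R0", "R1") and re.search(r"=\s*res://.*\.dll/", b, re.I):
            findings.append(Finding("IE search/start page served from a DLL resource (res://)", e))
        elif e.section == "R3" and "missing" in b:
            findings.append(Finding("default URLSearchHook has been removed", e))
        elif GONE_RE.search(b):
            findings.append(Finding("registered component whose file is gone", e))
        elif e.section == "O4":
            m = O4_RE.match(b)
            if m and _is_bare_filename(m.group(4)):
                label, exe = m.group(3).lower(), m.group(4).split()[0].lower()
                if any(w in label for w in MIMIC_WORDS):
                    reason = "autorun with a system-sounding label but no path"
                    if exe in gone:
                        reason += f"; {exe} is also the image of a service reported missing"
                    findings.append(Finding(reason, e))
        elif e.section == "O16" and re.search(r"-\s*file://", b, re.I):
            findings.append(Finding("ActiveX (DPF) registered from a local .cab", e))
    return findings


def main():
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.entry.section:>4}  {f.reason}\n      {f.entry.raw}")


if __name__ == "__main__":
    main()
```

Entries the rules do not flag (the Acrobat BHO, the QuickTime and ctfmon autoruns, the plain http start page) are left for a human to judge, which is the point: the script narrows the list, it does not replace the helper reading it.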


Thanks for the help.
Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 02:59:57 م, on 26/09/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sm56hlpr.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
F:\Original folders\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.07770500.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pbspx.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pbspx.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd0.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SM56ACL] sm56hlpr.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] ntsysman.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [msn] ctfmoons.exe
O4 - HKLM\..\Run: [Microsoft] Microsoft.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Microsoft System Checkup] ntsysman.exe
O4 - HKLM\..\RunServices: [msn] ctfmoons.exe
O4 - HKLM\..\RunServices: [Microsoft] Microsoft.exe
O4 - HKCU\..\Run: [Microsoft] Microsoft.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Cydoor] CD_Load.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: palstart.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/shared/McMySec/en-us/1,0,0,2/mcmysec.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\ntsysman.exe (file missing)
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

And here is the scan report:

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:          02:51:25 م, 26/09/2005
 + Report-Checksum:     F9BC6080

 + Scan result:

    F:\Original folders\Lines Millennium\LinesMillenium_update.exe/cd_clint.dll -> Spyware.Cydoor : Ignored
    HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\Saristar.Saristar -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\Saristar.Saristar\CLSID -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\Saristar.Saristar\CLSID\\ -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\Saristar.Saristar\CurVer -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\Saristar.Saristar.1 -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\Saristar.Saristar.1\CLSID\\ -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\WUSE.1 -> Spyware.SaveNow : Cleaned with backup
    HKLM\SOFTWARE\Classes\WUSN.1 -> Spyware.SaveNow : Cleaned with backup
    HKLM\SOFTWARE\Comet -> Spyware.CometCursor : Cleaned with backup
    HKLM\SOFTWARE\Cydoor -> Spyware.Cydoor : Cleaned with backup
    HKLM\SOFTWARE\Igor V. Gunko -> Spyware.HyperBar : Cleaned with backup
    HKLM\SOFTWARE\Igor V. Gunko\Hyperbar -> Spyware.HyperBar : Cleaned with backup
    HKLM\SOFTWARE\Igor V. Gunko\Hyperbar\Modules -> Spyware.HyperBar : Cleaned with backup
    HKLM\SOFTWARE\Igor V. Gunko\Hyperbar\Prod -> Spyware.HyperBar : Cleaned with backup
    HKLM\SOFTWARE\Igor V. Gunko\Hyperbar\Prod\{4B2F5308-2CB0-40E2-8030-59936ED5D22C} -> Spyware.HyperBar : Cleaned with backup
    HKLM\SOFTWARE\Igor V. Gunko\Hyperbar\Prod\{4B2F5308-2CB0-40E2-8030-59936ED5D22C}\\Installer -> Spyware.HyperBar : Cleaned with backup
    HKLM\SOFTWARE\Igor V. Gunko\Hyperbar\Prod\{4B2F5308-2CB0-40E2-8030-59936ED5D22C}\Ctx -> Spyware.HyperBar : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Coulomb -> Dialer.Generic : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Coulomb\Hardcore -> Dialer.Generic : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Cydoor -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Cydoor\Adwr_277 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Cydoor\Adwr_277\Loct_0 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Cydoor\Adwr_277\Loct_0\Level_0 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Cydoor\Adwr_277\Loct_0\Level_0\Seqn_4458 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Cydoor\Adwr_277\Loct_0\Level_0\Seqn_4459 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Cydoor\Adwr_277\Loct_0\Level_0\Seqn_4460 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Cydoor\Adwr_277\Loct_1 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Cydoor\Adwr_277\Loct_1\Level_0 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Cydoor\Adwr_277\Loct_1\Level_0\Seqn_8142 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Cydoor\Adwr_277\Loct_1\Level_0\Seqn_8156 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Cydoor\Adwr_277\Loct_1\Level_0\Seqn_8159 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Cydoor\Adwr_277\Services -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Cydoor\Adwr_277\Services\Queue -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Cydoor\Adwr_277\Services\Status -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Igor V. Gunko -> Spyware.HyperBar : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Igor V. Gunko\Hyperbar -> Spyware.HyperBar : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Igor V. Gunko\Hyperbar\Prod -> Spyware.HyperBar : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Igor V. Gunko\Hyperbar\Prod\{4B2F5308-2CB0-40E2-8030-59936ED5D22C} -> Spyware.HyperBar : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Igor V. Gunko\Hyperbar\Prod\{4B2F5308-2CB0-40E2-8030-59936ED5D22C}\Ctx -> Spyware.HyperBar : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Netsetter -> Spyware.MarketScore : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Netsetter\CSLOA -> Spyware.MarketScore : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Netsetter\CSLOA\Settings -> Spyware.MarketScore : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Netsetter\OSSProxy -> Spyware.MarketScore : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\Netsetter\OSSProxy\Settings -> Spyware.MarketScore : Cleaned with backup
    HKU\S-1-5-21-484763869-2111687655-1343024091-1003\Software\WhenU -> Spyware.SaveNow : Cleaned with backup
    HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Error during cleaning
    [1380] C:\WINDOWS\System32\cd_clint.dll -> Spyware.Cydoor : Error during cleaning
    C:\WINDOWS\system32\__delete_on_reboot__cd_clint.dll -> Spyware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_445900.HTM -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_0_445800.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\Temp -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_4_393600.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_144000.swf -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_393900.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_144000.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_393900.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_123700.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_123700.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_0_179900.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_1_179700.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_2_174800.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_2_175000.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_2_175200.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_2_179400.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_2_179600.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_297200.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_149700.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_168500.swf -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_149700.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_168500.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_168800.swf -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_174900.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_175300.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_179000.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_168800.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_174900.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_175300.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_179000.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_175400.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_175400.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_4_179900.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_297900.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_4_113700.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_4_179700.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_218700.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_218800.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_219000.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_218700.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_218800.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_4_219100.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_4_179300.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_4_179400.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_4_179600.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_4_373000.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_274400.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_0_229700.GIF -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_0_280600.swf -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_0_282600.swf -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_0_451200.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_0_451400.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_0_470400.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_3_351400.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_4_220100.swf -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_4_280200.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_4_295400.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_4_352400.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_0_280600.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_0_282600.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_4_220100.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_0_266500.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_0_270500.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_0_272400.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_3_221500.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_3_221800.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_3_314300.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_3_314700.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_218900.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_281100.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_284900.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_0_266500.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_218900.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_295500.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_296300.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_352600.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_358200.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_359400.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_297200.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_352600.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_4_358200.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_0_446000.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_0_0_445900.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\b_149300.GIF -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\b_149301.GIF -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\b_151700.GIF -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\b_151701.GIF -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_0_814200.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_0_815600.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_277_1_0_815900.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet : Cleaned with backup
    C:\WINDOWS\internt.exe -> Dialer.Generic : Cleaned with backup
    C:\Documents and Settings\john samir\Local Settings\Temp\ICD1.tmp\epl.exe -> Dialer.Generic : Cleaned with backup
    C:\Documents and Settings\john samir\Cookies\john samir@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
    C:\Documents and Settings\john samir\Cookies\john samir@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\john samir\Cookies\john samir@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\john samir\Cookies\john samir@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\john samir\Cookies\john samir@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
    C:\Documents and Settings\john samir\Cookies\john samir@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\john samir\Cookies\john samir@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
    F:\Original folders\Lines Millennium\LinesMillenium_update.exe/CD_Load.exe -> Spyware.Cydoor : Error during cleaning


::Report End

I think the problem isn't fixed.
Thank you.

Edited by mike_2000_17: Fixed formatting


The main infection is now fixed. Let's now get the rest :).

===============

You still need to install service pack 1 for XP.

===============

Run HijackThis, click "Scan", then check (tick) the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pbspx.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pbspx.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

O4 - HKLM\..\Run: [Microsoft System Checkup] ntsysman.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [msn] ctfmoons.exe
O4 - HKLM\..\Run: [Microsoft] Microsoft.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] ntsysman.exe
O4 - HKLM\..\RunServices: [msn] ctfmoons.exe
O4 - HKLM\..\RunServices: [Microsoft] Microsoft.exe
O4 - HKCU\..\Run: [Microsoft] Microsoft.exe
O4 - HKCU\..\Run: [Cydoor] CD_Load.exe

O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)

O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\ntsysman.exe (file missing)


Now, close all instances of Internet Explorer and any other windows you have open except HijackThis, and click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/folders:

files...

C:\WINDOWS\pbspx.dll
C:\WINDOWS\System32\ntsysman.exe

Search for...

syslog32.exe
ctfmoons.exe
Microsoft.exe
CD_Load.exe

...using "Start | Search...".

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

To help protect your system from hostile ActiveX content, or special 'downloadable' files:

Download, install and keep updated SpywareBlaster. If you've installed it for the first time:

1) Check for any available updates; if present, they'll be automatically downloaded and installed.
2) Next, "Enable all protection".
3) Exit the program.

-

Note: Remember to regularly check for updates.

===============

After rebooting, rescan with HijackThis and post back a new log. Please let me know how your PC is now.
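Added example, not part of the original thread and not a tool either poster used: a small triage script that parses HijackThis v1.99 log lines and flags the same patterns the helper picked out by hand above. The rules are assumptions of this example (a res:// search-bar target, entries marked "(no file)" or "(file missing)", O4 autostarts that name a bare executable with no path, and O16 DPF packages sourced from file://). The sample lines are copied from the log posted in this thread, plus one benign QuickTime O4 entry constructed here as a control; the `search_targets` helper reproduces the "Search for..." list the helper asks the user to hunt down.

```python
"""Triage helper for HijackThis (v1.99) log lines.

Flags the entry patterns a log reader looks for first:
  * R0/R1 lines pointing the browser at a res:// resource inside a local DLL
  * any entry whose target is marked (no file) / (file missing)
  * O4 autostart entries that run a bare filename with no path
  * O16 DPF (Downloaded Program Files) entries fetched from a file:// URL
The rules are heuristics written for this example, not HijackThis's own logic.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the log posted in this thread, plus one
# benign QuickTime entry (constructed) so the script has a negative case.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pbspx.dll/sp.html#12047
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [Microsoft System Checkup] ntsysman.exe
O4 - HKLM\..\Run: [msn] ctfmoons.exe
O4 - HKCU\..\Run: [Cydoor] CD_Load.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\ntsysman.exe (file missing)
"""

# Every HJT entry starts with a section code (R0-R3, O1-O23) followed by " - ".
LINE_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.*)$")


@dataclass
class Finding:
    kind: str
    body: str
    reasons: list = field(default_factory=list)


def _o4_executable(body: str) -> str:
    """Pull the executable token out of an O4 body: 'HKLM\\..\\Run: [Name] cmd args'."""
    _, _, cmd = body.partition("] ")
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted path, possibly with spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_line(line: str):
    """Return a Finding for a suspicious HJT line, or None if nothing matched."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    reasons = []
    if kind.startswith("R") and "res://" in body.lower():
        reasons.append("browser search/start page redirected into a local DLL resource (hijacker)")
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned entry: referenced file is missing")
    if kind == "O4":
        exe = _o4_executable(body)
        if exe and "\\" not in exe:          # no path: resolved via PATH search at logon
            reasons.append(f"autostart runs bare filename {exe!r} with no path")
    if kind == "O16" and "file://" in body.lower():
        reasons.append("ActiveX package sourced from a local file:// CAB")
    return Finding(kind, body, reasons) if reasons else None


def triage_log(text: str):
    """Run triage_line over a whole log and keep the flagged entries in order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def search_targets(findings):
    """Bare filenames from flagged O4 lines: the names to hunt for with Start | Search."""
    names = {_o4_executable(f.body) for f in findings if f.kind == "O4"}
    return sorted(n for n in names if n and "\\" not in n)


if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:4} {f.body}")
        for r in f.reasons:
            print("     ->", r)
    print("search for:", ", ".join(search_targets(found)))
```

The output is a worklist, not a verdict: a bare filename in a Run key is unusual but not proof of malware on its own, which is why the helper's instructions say "if present" and ask for a fresh log afterwards rather than trusting any one pass.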
