Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

My hijackthis log

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

My hijackthis log

Unread postby guyver » November 19th, 2006, 1:23 am

i use Nod32 and spybot and adware and am still crapped out lol

plz help, thnx

Logfile of HijackThis v1.99.1
Scan saved at 11:23:38 PM, on 11/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Stefan0\LOCALS~1\Temp\Rar$EX00.328\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\8.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AtiPTA] C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\8.bin\mwsoemon.exe
O4 - HKCU\..\Run: [PCTV4Me] "C:\Program Files\PCTV4Me\pctv4me.exe" /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\CROSOF~1\spool32.exe" -vt yazb
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... jhtml?p=ZB
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/A ... tPkMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbue32 - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FAH@C:+Documents and Settings+Stefan0+Desktop+FAH504-Console.exe - Unknown owner - C:\Documents and Settings\Stefan0\Desktop\FAH504-Console.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
guyver
Regular Member
 
Posts: 23
Joined: November 19th, 2006, 1:19 am
Advertisement
Register to Remove

Unread postby guyver » November 19th, 2006, 2:26 am

ooops forget to say my problem...

my computer lately has generally been slow, and my internet seems to crap out and die, leaving me unable to browse untill it comes back...

thnx
guyver
Regular Member
 
Posts: 23
Joined: November 19th, 2006, 1:19 am

Unread postby guyver » November 19th, 2006, 1:49 pm

is there any thing wrong with my pc?

plz help im such a nub :oops:

thnx
guyver
Regular Member
 
Posts: 23
Joined: November 19th, 2006, 1:19 am

Unread postby Linkmaster » November 19th, 2006, 2:52 pm

Hi guyver, Welcome to MalWare Removal !!

You may wish to print out a copy of these instructions to follow while you complete this procedure

You are currently using HijackThis from a temporary directory, this can cause problems.
HijackThis creates backups, these are needed in case of any recovery issues.
Please create a folder on your C:\ and give it a name (example:HJT), move HijackThis.exe to that folder.

I need you to download some programs to aide in our fix :Do Not Run Them Yet

Download ATF (Atribune Temp File) Cleaner© by Atribune

Download and Install AVG Anti-Spyware© by Grisoft

Launch AVG Anti-Spyware, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update AVG Anti-Spyware to the latest definition files.
On the main screen select the icon Update then select the Update now link
Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
Close AVG Anti-Spyware

Go to Start, Control Panel, Add/Remove Programs and Uninstall the following : (if present)

MyWebSearch (or similar)

Do Not reboot if it asks
When finished uninstalling close Control Panel

Reboot to Safe mode
Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter

Run ATF Cleaner
Double-click ATF Cleaner.exe
Under Main choose: Select All
Click the Empty Selected button.

Firefox :
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Run AVG Anti-Spyware
Click on Scanner at top
Click on Settings
Once in the Settings screen click on Recommended actions and then select Quarantine
Under Reports, Select Automatically generate report after every scan
Un-Select Only if threats were found
Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time
Once the scan is complete do the following :
If you have any infections you will prompted, then select Apply all actions
Next select the Reports icon at the top.
Select the Save report as button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware

Reboot to Normal Mode

Run Kaspersky WebScanner
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK

Now under select a target to scan:
Select My Computer

Then the program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.

Reboot, run HijackThis and post a fresh HijackThis Log, the AVG Anti-Spyware Log, and the Kaspersky Virus Scan Log here

Thank You !!
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Unread postby guyver » November 19th, 2006, 4:08 pm

WOW! thnx Linkmaster!

ill do that right now :D
guyver
Regular Member
 
Posts: 23
Joined: November 19th, 2006, 1:19 am

Unread postby guyver » November 19th, 2006, 6:19 pm

that took me a while lol

heres the logs.

Logfile of HijackThis v1.99.1
Scan saved at 4:15:49 PM, on 11/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AtiPTA] C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PCTV4Me] "C:\Program Files\PCTV4Me\pctv4me.exe" /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... jhtml?p=ZB
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/A ... tPkMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbue32 - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: FAH@C:+Documents and Settings+Stefan0+Desktop+FAH504-Console.exe - Unknown owner - C:\Documents and Settings\Stefan0\Desktop\FAH504-Console.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
-------------------------------------------------------------------------------
AVG LOG * i did a scan with this in the mornin and it found over 200 threats, thats why it didnt find anything

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:19:59 PM 11/19/2006

+ Scan result:



Nothing found.


::Report end
-------------------------------------------------------------------------------------
KASPERSKY

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, November 19, 2006 4:10:23 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 19/11/2006
Kaspersky Anti-Virus database records: 242933
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 35913
Number of viruses found: 14
Number of infected objects: 57 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:28:31

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-11192006-131406.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Stefan0\Application Data\Mozilla\Firefox\Profiles\hxbfcbrf.default\cert8.db Object is locked skipped
C:\Documents and Settings\Stefan0\Application Data\Mozilla\Firefox\Profiles\hxbfcbrf.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Stefan0\Application Data\Mozilla\Firefox\Profiles\hxbfcbrf.default\history.dat Object is locked skipped
C:\Documents and Settings\Stefan0\Application Data\Mozilla\Firefox\Profiles\hxbfcbrf.default\key3.db Object is locked skipped
C:\Documents and Settings\Stefan0\Application Data\Mozilla\Firefox\Profiles\hxbfcbrf.default\parent.lock Object is locked skipped
C:\Documents and Settings\Stefan0\Application Data\Mozilla\Firefox\Profiles\hxbfcbrf.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Stefan0\Application Data\Mozilla\Firefox\Profiles\hxbfcbrf.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Stefan0\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Stefan0\Local Settings\Application Data\Microsoft\Messenger\guyver2k5@gmail.com\SharingMetadata\Logs\Dfsr.log Object is locked skipped
C:\Documents and Settings\Stefan0\Local Settings\Application Data\Microsoft\Messenger\guyver2k5@gmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Stefan0\Local Settings\Application Data\Microsoft\Messenger\guyver2k5@gmail.com\SharingMetadata\Working\database_240C_C271_CC2_3E14\dfsr.db Object is locked skipped
C:\Documents and Settings\Stefan0\Local Settings\Application Data\Microsoft\Messenger\guyver2k5@gmail.com\SharingMetadata\Working\database_240C_C271_CC2_3E14\fsr.log Object is locked skipped
C:\Documents and Settings\Stefan0\Local Settings\Application Data\Microsoft\Messenger\guyver2k5@gmail.com\SharingMetadata\Working\database_240C_C271_CC2_3E14\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Stefan0\Local Settings\Application Data\Microsoft\Messenger\guyver2k5@gmail.com\SharingMetadata\Working\database_240C_C271_CC2_3E14\tmp.edb Object is locked skipped
C:\Documents and Settings\Stefan0\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Stefan0\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Stefan0\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{5E325561-BE63-4BFA-B245-B9B5A8E9F300} Object is locked skipped
C:\Documents and Settings\Stefan0\Local Settings\Application Data\Microsoft\Windows Live Contacts\guyver2k5@gmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Stefan0\Local Settings\Application Data\Microsoft\Windows Live Contacts\guyver2k5@gmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Stefan0\Local Settings\Application Data\Mozilla\Firefox\Profiles\hxbfcbrf.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Stefan0\Local Settings\Application Data\Mozilla\Firefox\Profiles\hxbfcbrf.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Stefan0\Local Settings\Application Data\Mozilla\Firefox\Profiles\hxbfcbrf.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Stefan0\Local Settings\Application Data\Mozilla\Firefox\Profiles\hxbfcbrf.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Stefan0\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Stefan0\Local Settings\History\History.IE5\MSHist012006111920061120\index.dat Object is locked skipped
C:\Documents and Settings\Stefan0\Local Settings\Temp\~DF1E52.tmp Object is locked skipped
C:\Documents and Settings\Stefan0\Local Settings\Temp\~DF1E5D.tmp Object is locked skipped
C:\Documents and Settings\Stefan0\Local Settings\Temp\~DFC47.tmp Object is locked skipped
C:\Documents and Settings\Stefan0\Local Settings\Temp\~DFCB8.tmp Object is locked skipped
C:\Documents and Settings\Stefan0\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Stefan0\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Stefan0\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\cache\FND1.NFI/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\Program Files\ESET\cache\FND1.NFI/data0004 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\Program Files\ESET\cache\FND1.NFI NSIS: infected - 2 skipped
C:\Program Files\ESET\cache\FND1.NFI PE-Crypt.XorPE: infected - 2 skipped
C:\Program Files\ESET\infected\1LP2MUDA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\Program Files\ESET\infected\1N1HUOCA.NQF/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\Program Files\ESET\infected\1N1HUOCA.NQF/data0004 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\Program Files\ESET\infected\1N1HUOCA.NQF NSIS: infected - 2 skipped
C:\Program Files\ESET\infected\1N1HUOCA.NQF PE-Crypt.XorPE: infected - 2 skipped
C:\Program Files\ESET\infected\2LHF4XDA.NQF/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\Program Files\ESET\infected\2LHF4XDA.NQF/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.ev skipped
C:\Program Files\ESET\infected\2LHF4XDA.NQF/data0004 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\Program Files\ESET\infected\2LHF4XDA.NQF NSIS: infected - 3 skipped
C:\Program Files\ESET\infected\2LHF4XDA.NQF PE-Crypt.XorPE: infected - 3 skipped
C:\Program Files\ESET\infected\5RZJK3DA.NQF Infected: Trojan-Downloader.Win32.PurityScan.du skipped
C:\Program Files\ESET\infected\AK3H2MCA.NQF/data0006 Infected: Trojan-Dropper.Win32.VB.nn skipped
C:\Program Files\ESET\infected\AK3H2MCA.NQF NSIS: infected - 1 skipped
C:\Program Files\ESET\infected\AK3H2MCA.NQF PE-Crypt.XorPE: infected - 1 skipped
C:\Program Files\ESET\infected\BDOJT3CA.NQF/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\Program Files\ESET\infected\BDOJT3CA.NQF/data0004 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\Program Files\ESET\infected\BDOJT3CA.NQF NSIS: infected - 2 skipped
C:\Program Files\ESET\infected\BDOJT3CA.NQF PE-Crypt.XorPE: infected - 2 skipped
C:\Program Files\ESET\infected\CFS345CA.NQF Infected: not-virus:Hoax.Win32.Renos.dw skipped
C:\Program Files\ESET\infected\JJ4IJTAA.NQF/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\Program Files\ESET\infected\JJ4IJTAA.NQF/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.eu skipped
C:\Program Files\ESET\infected\JJ4IJTAA.NQF/data0004 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\Program Files\ESET\infected\JJ4IJTAA.NQF NSIS: infected - 3 skipped
C:\Program Files\ESET\infected\JJ4IJTAA.NQF PE-Crypt.XorPE: infected - 3 skipped
C:\Program Files\ESET\infected\JUDC1OBA.NQF/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\Program Files\ESET\infected\JUDC1OBA.NQF/stream/data0005 Infected: not-a-virus:AdWare.Win32.Softomate.q skipped
C:\Program Files\ESET\infected\JUDC1OBA.NQF/stream/data0007 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\Program Files\ESET\infected\JUDC1OBA.NQF/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\Program Files\ESET\infected\JUDC1OBA.NQF NSIS: infected - 4 skipped
C:\Program Files\ESET\infected\JUDC1OBA.NQF PE-Crypt.XorPE: infected - 4 skipped
C:\Program Files\ESET\infected\NH3BGICA.NQF/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\Program Files\ESET\infected\NH3BGICA.NQF/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.eu skipped
C:\Program Files\ESET\infected\NH3BGICA.NQF/data0004 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\Program Files\ESET\infected\NH3BGICA.NQF NSIS: infected - 3 skipped
C:\Program Files\ESET\infected\NH3BGICA.NQF PE-Crypt.XorPE: infected - 3 skipped
C:\Program Files\ESET\infected\OIU4JPDA.NQF/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\Program Files\ESET\infected\OIU4JPDA.NQF/data0004 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\Program Files\ESET\infected\OIU4JPDA.NQF NSIS: infected - 2 skipped
C:\Program Files\ESET\infected\OIU4JPDA.NQF PE-Crypt.XorPE: infected - 2 skipped
C:\Program Files\ESET\infected\VTFLVEDA.NQF Infected: Trojan-Downloader.Win32.PurityScan.dc skipped
C:\Program Files\ESET\infected\VVXEFNCA.NQF/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\Program Files\ESET\infected\VVXEFNCA.NQF/data0004 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\Program Files\ESET\infected\VVXEFNCA.NQF NSIS: infected - 2 skipped
C:\Program Files\ESET\infected\VVXEFNCA.NQF PE-Crypt.XorPE: infected - 2 skipped
C:\Program Files\ESET\infected\W0WIGHBA.NQF/stream/data0001 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Program Files\ESET\infected\W0WIGHBA.NQF/stream/data0015 Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\Program Files\ESET\infected\W0WIGHBA.NQF/stream Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\Program Files\ESET\infected\W0WIGHBA.NQF NSIS: infected - 3 skipped
C:\Program Files\ESET\infected\W0WIGHBA.NQF PE-Crypt.XorPE: infected - 3 skipped
C:\Program Files\ESET\infected\W3SOHEBA.NQF/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\Program Files\ESET\infected\W3SOHEBA.NQF/data0004 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\Program Files\ESET\infected\W3SOHEBA.NQF NSIS: infected - 2 skipped
C:\Program Files\ESET\infected\W3SOHEBA.NQF PE-Crypt.XorPE: infected - 2 skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{DF050851-E878-4DD5-BDCC-2D5000E21A88}\RP311\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd9981.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
guyver
Regular Member
 
Posts: 23
Joined: November 19th, 2006, 1:19 am

Unread postby Linkmaster » November 20th, 2006, 3:39 pm

Run HijackThis
Scan and when it finishes, put a check mark only next to these following items : (if present)

O20 - Winlogon Notify: winbue32 - C:\WINDOWS\

Close all browsers and any open Windows, making sure that only HijackThis is open
Click Fix Checked
Close HijackThis

Show Hidden Files :
Click Start
Open My Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK

Download and Unzip The Avenger© by Swandog46 to your desktop
Copy the entire contents inside the following Quote box to your Clipboard :

files to delete:
C:\WINDOWS\winbue32.dll
C:\WINDOWS\SYSTEM32\winbue32.dll


Run The Avenger
Double click the Avenger icon on your desktop
Under Script file to execute choose Input Script Manually
Click on the Magnifying Glass icon which will open a new window titled View/edit script
Paste the text you just copied to clipboard into this window by pressing Ctrl+V
Click Done
Now click on the Green Light to begin execution of the script
Answer Yes twice when prompted.
The Avenger will automatically do the following :

•Restart your computer (In cases where the code to execute contains Drivers to Unload, The Avenger will actually restart your system twice)
•On reboot, it will briefly open a black command window on your desktop, this is normal.
•After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
•The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip

Post a fresh HijackThis log along with the contents of the c:\avenger.txt file here
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Unread postby guyver » November 20th, 2006, 4:52 pm

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\crhbhphr

*******************

Script file located at: \??\C:\WINDOWS\cftnycfx.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\winbue32.dll not found!
Deletion of file C:\WINDOWS\winbue32.dll failed!

Could not process line:
C:\WINDOWS\winbue32.dll
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\winbue32.dll not found!
Deletion of file C:\WINDOWS\SYSTEM32\winbue32.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\winbue32.dll
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

---------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:51:43 PM, on 11/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AtiPTA] C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PCTV4Me] "C:\Program Files\PCTV4Me\pctv4me.exe" /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... jhtml?p=ZB
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/A ... tPkMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: FAH@C:+Documents and Settings+Stefan0+Desktop+FAH504-Console.exe - Unknown owner - C:\Documents and Settings\Stefan0\Desktop\FAH504-Console.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
guyver
Regular Member
 
Posts: 23
Joined: November 19th, 2006, 1:19 am

Unread postby Linkmaster » November 20th, 2006, 6:19 pm

Run HijackThis
Scan and when it finishes, put a check mark only next to these following items : (if present)

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... jhtml?p=ZB

Close all browsers and any open Windows, making sure that only HijackThis is open
Click Fix Checked
Close HijackThis

Post a fresh Hijackthis log here

How is your system running now ??
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Unread postby guyver » November 20th, 2006, 6:38 pm

Logfile of HijackThis v1.99.1
Scan saved at 4:35:48 PM, on 11/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AtiPTA] C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PCTV4Me] "C:\Program Files\PCTV4Me\pctv4me.exe" /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/A ... tPkMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: FAH@C:+Documents and Settings+Stefan0+Desktop+FAH504-Console.exe - Unknown owner - C:\Documents and Settings\Stefan0\Desktop\FAH504-Console.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

seems to be the same. 999 ping and such
guyver
Regular Member
 
Posts: 23
Joined: November 19th, 2006, 1:19 am

Unread postby Linkmaster » November 20th, 2006, 6:43 pm

seems to be the same. 999 ping and such


Not sure what you mean ?? :?

Can you elaborate for me please ??
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Unread postby guyver » November 20th, 2006, 6:47 pm

internet still goes in and out...whenever im browsing...
guyver
Regular Member
 
Posts: 23
Joined: November 19th, 2006, 1:19 am

Unread postby guyver » November 20th, 2006, 6:48 pm

and when playing games online my ping is 999 and it wasnt like that a week ago...and i called my internet provider and they said they changed nothing.
guyver
Regular Member
 
Posts: 23
Joined: November 19th, 2006, 1:19 am

Unread postby Linkmaster » November 20th, 2006, 8:49 pm

If you did not intentionally installed this (FAH504-Console.exe) please follow these instructions :

Go to Start, Run, type in services.msc then hit OK
Find and Double click on : (if present)

FAH@C:+FAH504-Console.exe and click on Stop in the Service Status section

In the Startup type section click the down arrow and select Disable
Select Apply and OK close services

Run HiJackThis
Click on "None of the above, just start the program" (if this pops up)
Now, click on the "Config" button (bottom right)
Click on "Misc Tools"
Then click on "Delete an NT Service" a window will pop up
Enter the below item into that field (copy and paste): (if present)

FAH@C:+FAH504-Console.exe

Click ok.

It should pull up information about the service, when it asks if you want to reboot now click YES

Post a fresh HijackThis log here and let me know how your system is running ?
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Unread postby guyver » November 21st, 2006, 2:54 am

Logfile of HijackThis v1.99.1
Scan saved at 12:50:55 AM, on 11/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AtiPTA] C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b34246.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

its still the same as b4:(, wow this must be messed up...
guyver
Regular Member
 
Posts: 23
Joined: November 19th, 2006, 1:19 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 43 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware