Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Infected...STILL!!!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Infected...STILL!!!

Unread postby andre18 » February 14th, 2007, 3:02 am

ive been infected for a while now, thought id removed most of the bad stuff but since about last week its been hell 4 a while.
every time i start up the PC it takes a while for explorer.exe to load up and takes about a minute just showing my background picture.
also because my modem is switched on ( i have adsl) which it always is, after a random period of time of doing whatever (browsing mostly) my computer shows THE BLUE SCREEN OF DEATH! and i have to reset...
ive also noticed that some of my desktop icons have lost their little icon, instead replaced with the little dos box picture...

after countlessly trying my own methods to restore my computer and my sanity, i thought of switching off the modem before i start up my PC.when i do this my computer still boots up slow but doesnt switch itself to the blue screen, so i can keep the PC on, albeit without internet access.Then if i turn my modem back on and end a process called alg.exe,(which i recognised as NOT familiar to my list of processes) wait for it to reconnect to the internet(which is quite annoying) i can go on the internet again, which has allowed me to post this to you knowledgeable folks.
i dont know what to do, i know i have something, and ive scanned with
trend micro
dr webcure it
spybot
but i still dont know what i have to get rid of, id appreciate any help you could give me, thanks!!
andre18
Regular Member
 
Posts: 15
Joined: November 26th, 2006, 7:55 am
Advertisement
Register to Remove

Hijackthis!

Unread postby andre18 » February 14th, 2007, 3:04 am

heres my hijackthis log:
if you need anything else let me know...
please help!

Logfile of HijackThis v1.99.1
Scan saved at 17:21, on 07-02-14
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\PROGRA~1\TRENDM~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
E:\PROGRA~1\TRENDM~1\Tmntsrv.exe
E:\PROGRA~1\TRENDM~1\tmproxy.exe
E:\PROGRA~1\TRENDM~1\TmPfw.exe
C:\WINDOWS\system32\Ati2evxx.exe
E:\PROGRA~1\TRENDM~1\PccGuide.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\cmd.exe
C:\sUBs\ComboFix.exe
C:\WINDOWS\System32\cmd.exe
C:\unzipped\hijackthis\scanner.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [upxdnd] C:\DOCUME~1\Andre\LOCALS~1\Temp\upxdnd.exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\SVCHOST.EXE
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\SERVICES.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [load] C:\WINDOWS\uninstall\rundl132.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.ap ... sSetup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{51DB4A9F-68EA-449B-A6C4-92E7554054D8}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ComPlusSetup - C:\WINDOWS\system32\catsrvut.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - E:\PROGRA~1\TRENDM~1\PcCtlCom.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - E:\PROGRA~1\TRENDM~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - E:\PROGRA~1\TRENDM~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - E:\PROGRA~1\TRENDM~1\tmproxy.exe
andre18
Regular Member
 
Posts: 15
Joined: November 26th, 2006, 7:55 am

Unread postby Vino Rosso » February 17th, 2007, 9:02 am

Hi andre18

Apologies that your log has been overlooked. This has probably happened because you have replied to your own post. As we look for posts with zero replies, helpers will have assumed that you are already being helped.

Your HJT log shows a number of infections and this is probably because your Windows system does not appear to have all the latest updates. If you are still looking for our help, please do the following:

1 - MGADiag
Please download MGADiag.exe from >here< to your desktop.
Double-click MGADiag.exe and click Continue in the bottom right of the window to run the tool.
When the tool has finished, click the Copy button to copy the info to your clipboard.
Paste Ctrl+V the information in your next reply.

2 - HijackThis Uninstall List
Run HijackThis then click on Open the Misc Tools section
If HijackThis is still open, click on Config > Misc Tools
Click on Open Uninstall Manager...
Click on Save list...
Leave the default filename as uninstall_list.txt and save the file to your Desktop
Close HijackThis.

On your Desktop, double-click on uninstall_list.txt and Notepad will open
In Notepad, click the Format menu and make sure that Wordwrap is NOT ticked. If it is then click on it to UNtick it.
Click Edit > Select All then Edit > Copy
Paste (Ctrl+V) the uninstall list in your next reply.

3 - Check on status
After you have completed the above, please reboot and provide:
  1. the MGADiag report
  2. the uninstall_list
  3. and a new HijackThis log
Thanks
Vino
User avatar
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Unread postby andre18 » February 17th, 2007, 11:16 pm

ok thanks a lot here what you asked for:

Diagnostic Report (1.7.0012.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Detailed Status: N/A
Windows Product Key: *****-*****-WTQB7-86G39-YVQRK
Windows Product Key Hash: Sb5UCIqXR7rha6mEez5hQxBsWIk=
Windows Product ID: 55285-014-8876231-21715
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 5.1.2600.2.00010300.1.0.hom
ID: 724bc392-61e3-490d-b673-fd98d166e109
Is Admin: Yes
AutoDial: No
Registry: 0x0
WGA Version: Registered, 1.5.540.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: FCEE394C-409-80040154_025D1FF3-118-80040154
Resolution Status: N/A

Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.5.540.0
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Data-->
Office Status: 114 Blocked VLK 2
OGA Version: Failed to retrieve file version. - 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: FCEE394C-3178-80070002_FCEE394C-409-80040154_025D1FF3-118-80040154

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: E:\PROGRA~1\MOZILL~1\FIREFOX.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>724bc392-61e3-490d-b673-fd98d166e109</UGUID><Version>1.7.0012.0</Version><OS>5.1.2600.2.00010300.1.0.hom</OS><PKey>*****-*****-*****-*****-YVQRK</PKey><PID>55285-014-8876231-21715</PID><PIDType>5</PIDType><SID>S-1-5-21-1214440339-1563985344-854245398</SID><SYSTEM/><BIOS/><HWID>A0603FEF01842E5F</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>AUS Eastern Standard Time(GMT+10:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/></MachineData> <Software><Office><Result>114</Result><Products><Product GUID="{90280409-6000-11D3-8CFE-0050048383C9}"><LegitResult>114</LegitResult><Name>Microsoft Office XP Professional with FrontPage</Name><Ver>10</Ver><Val>39476F84C4B4004</Val><Hash>4iCnywwNW1w4s9ukTIwGMGxyGic=</Hash><Pid>54185-640-0000025-17558</Pid><PidType>14</PidType></Product></Products></Office></Software></GenuineResults>



Ad-Aware SE Personal
Add/Remove Pro
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 9 ActiveX
Adobe Reader 6.0
Adobe Shockwave Player
Age of Empires III
Age of Mythology
Age of Mythology - The Titans Expansion
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI HYDRAVISION
Avance AC'97 Audio
BitComet 0.58
c_ronaldo screensaver
CCleaner (remove only)
Counter-Strike: Condition Zero
CUE Splitter
DivX Codec
Dungeon Siege 2
DVD Shrink 3.2
EA SPORTS online 2005
eBay.com.au - Skype 2.5
EPSON Printer Software
ES C40 C20 Problem Solver
e-tax 2006
FIFA 07
Firefox Windows Media Player XPI
FLV Player 1.3.3
Google Earth
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
HP USB Disk Storage Format Tool
Icy Tower v1.3.1
Internet Explorer Q867801
iPod for Windows 2006-03-23
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0
Java 2 Runtime Environment Standard Edition v1.3.1_04
LimeWire PRO 4.10.3
Logitech Camera Driver
Logitech QuickCam Software
Melbourne Victory Screensaver2
Messenger Plus! Live
Microsoft Data Access Components KB870669
Microsoft Office XP Professional with FrontPage
Microsoft Windows Journal Viewer
Mozilla Firefox (1.5.0.9)
Mozilla Firefox (2.0.0.1)
MSXML 4.0 SP2 Parser and SDK
MSXML4 Parser
neoDVDplus
Nero Suite
NetComm NB1300 USB Network Adapter
Neverwinter Nights
Oblivion
Organizador Previsional AFP Habitat
Outlook Express Q823353
PartyPoker
Photo Collage 1.46
Photo Crop Editor 1.07
Picasa 2
PokerRoom.com (remove only)
PowerDVD
PowerISO
Pro Evolution Soccer 5
Project64 1.6
ProSavageDDR and Utilities
QuickTime
QuickTime for Windows (32-bit)
RealPlayer
Rome - Total War(TM)
S3Display
S3Gamma2
S3Info2
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Shockwave
SopCast 1.0.1
Spybot - Search & Destroy 1.4
Steam
Steganos Internet Trace Destructor 6.1
The Battle for Middle-earth (tm)
The Matrix Trilogy Screensaver 0.49
Total Video Converter 3.02
Trend Micro PC-cillin Internet Security 2006
TVAnts 1.0
TVUPlayer 1.5.12
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
VIA Rhine-Family Fast Ethernet Adapter
Watchtower Library 2005 - Edición en español
Watchtower Library 2005 - English Edition
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Uninstall
WinRAR archiver
WinZip

Logfile of HijackThis v1.99.1
Scan saved at 14:15, on 07-02-18
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\PROGRA~1\TRENDM~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
E:\PROGRA~1\TRENDM~1\Tmntsrv.exe
E:\PROGRA~1\TRENDM~1\tmproxy.exe
E:\PROGRA~1\TRENDM~1\TmPfw.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
E:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Andre\My Documents\My Downloads\MGADiag.exe
C:\WINDOWS\Logo1_.exe
C:\WINDOWS\System32\cmd.exe
C:\unzipped\hijackthis\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [upxdnd] C:\DOCUME~1\Andre\LOCALS~1\Temp\upxdnd.exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\SVCHOST.EXE
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\SERVICES.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [load] C:\WINDOWS\uninstall\rundl132.exe
O4 - HKLM\..\Run: [wsttrs] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\Run: [cmssdbcs] C:\WINDOWS\SVCHOST.EXE
O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\8Sy.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.ap ... sSetup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{51DB4A9F-68EA-449B-A6C4-92E7554054D8}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ComPlusSetup - C:\WINDOWS\system32\catsrvut.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - E:\PROGRA~1\TRENDM~1\PcCtlCom.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - E:\PROGRA~1\TRENDM~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - E:\PROGRA~1\TRENDM~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - E:\PROGRA~1\TRENDM~1\tmproxy.exe
andre18
Regular Member
 
Posts: 15
Joined: November 26th, 2006, 7:55 am

Unread postby Vino Rosso » February 18th, 2007, 7:54 am

Hi andre18

Unfortunately, it seems your computer has a number of infections. So that we know what infections are involved and to allow me to provide you with the most appropriate advice, please do the following:

1 - Upload Files To Jotti
I'd like to be certain about the content of some files.
Please visit this link http://virusscan.jotti.org/
Click the Browse... button
Navigate to the following file on your PC:
  • C:\Documents and Settings\Andre\Local Settings\Temp\upxdnd.exe
Click Open
Please reply back with the results from Jotti.

Please repeat the above for the following files:
  • C:\WINDOWS\8Sy.exe
  • C:\WINDOWS\Logo1_.exe
  • C:\WINDOWS\SERVICES.EXE
  • C:\WINDOWS\SVCHOST.EXE
Please reply back with the results for all five files.

Thanks
User avatar
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Unread postby andre18 » February 19th, 2007, 8:46 am

i can only find Logo1_.exe i cant seem to find any of the other files even with hidden files on...so im only posting this one for now:

File: Logo1_.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 ca680147f483c95b1506d71c414b01d7
Packers detected: -

Scan taken on 19 Feb 2007 11:32:07 (GMT)
AntiVir
Found TR/Crypt.NSPM.Gen
ArcaVir
Found HLL.Viking.Ha
Avast
Found Win32:Tibs-ADO
AVG Antivirus
Found Worm/Delf.AUA
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found Win32.HLLW.Gavir.54
F-Prot Antivirus
Found Possibly a new variant of W32/PWStealer.gen1
F-Secure Anti-Virus
Found Worm.Win32.Viking.ha
Fortinet
Found W32/HLLP_Philis.HA!worm
Kaspersky Anti-Virus
Found Worm.Win32.Viking.ha
NOD32
Found Win32/Viking.CH
Norman Virus Control
Found W32/NetworkWorm.NY
VirusBuster
Found novirus:Packed/NSPM
VBA32
Found MalwareScope.Backdoor.Hupigon.2
andre18
Regular Member
 
Posts: 15
Joined: November 26th, 2006, 7:55 am

Unread postby Vino Rosso » February 19th, 2007, 9:15 am

Try:
In Windows Explorer, select Tools > Folder Options > View
Set 'Hidden files and folders' to Show hidden files and folders
Untick Hide protected operating system files.
OK

Instructions can also be found >here<.
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after uploading the relevant files. **
User avatar
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Unread postby andre18 » February 19th, 2007, 9:17 am

yeah it was already like that....unticked and with the hidden files showing and i still cant find those files...:s
andre18
Regular Member
 
Posts: 15
Joined: November 26th, 2006, 7:55 am

Unread postby Vino Rosso » February 19th, 2007, 1:56 pm

Hi andre18

Whether these files are still on your computer or not, my suspicions are that your computer has been infected by the type of infections that allow hackers to remotely control your computer, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. It would be wise to contact those same financial institutions to appraise them of your situation.

Though the infections can be killed, your PC is very likely compromised and there is no way to be sure your computer can ever be trusted again. Many experts in the security community believe that once infected with these types of infections, the best course of action would be a reformat and reinstall of the Operating System. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer's Operating System and would like me to attempt to clean it, I will be happy to do so.

Should you have any questions, please feel free to ask.

Please let me know what you have decided to do in your next post.
User avatar
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Unread postby andre18 » February 24th, 2007, 7:10 am

hey there vino rosso thanks for your help. im aware of the warnings but id still like to try and salvage the PC so i humbly ask for your help again to clean the infections...thanks :)
andre18
Regular Member
 
Posts: 15
Joined: November 26th, 2006, 7:55 am

Unread postby Vino Rosso » February 24th, 2007, 12:06 pm

No problem.

As it's been nearly a week, can you please post a fresh HijackThis log.

Thanks
User avatar
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

hijack this logfile

Unread postby andre18 » February 26th, 2007, 3:04 am

Logfile of HijackThis v1.99.1
Scan saved at 18:03, on 07-02-26
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\PROGRA~1\TRENDM~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
E:\PROGRA~1\TRENDM~1\Tmntsrv.exe
E:\PROGRA~1\TRENDM~1\tmproxy.exe
E:\PROGRA~1\TRENDM~1\TmPfw.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\taskmgr.exe
E:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\unzipped\hijackthis\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [upxdnd] C:\DOCUME~1\Andre\LOCALS~1\Temp\upxdnd.exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\SVCHOST.EXE
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\SERVICES.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [load] C:\WINDOWS\uninstall\rundl132.exe
O4 - HKLM\..\Run: [wsttrs] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\Run: [cmssdbcs] C:\WINDOWS\SVCHOST.EXE
O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\8Sy.exe
O4 - HKLM\..\Run: [cmdbbcs] C:\WINDOWS\SVCHOST.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.ap ... sSetup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{51DB4A9F-68EA-449B-A6C4-92E7554054D8}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ComPlusSetup - C:\WINDOWS\system32\catsrvut.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - E:\PROGRA~1\TRENDM~1\PcCtlCom.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - E:\PROGRA~1\TRENDM~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - E:\PROGRA~1\TRENDM~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - E:\PROGRA~1\TRENDM~1\tmproxy.exe
andre18
Regular Member
 
Posts: 15
Joined: November 26th, 2006, 7:55 am

Unread postby Vino Rosso » February 26th, 2007, 10:30 am

Hi andre18

A reminder: Can you please make sure that you reply to this thread and do not start another.

As mentioned previously, your computer has a number of bad infections. To stand the best chance of getting rid of these, all instructions should be carried out in a timely manner.

CAUTION! While I am assisting you in removing the malware from your system, please do NOT download anything other than the tools and files that I ask you to download. Do not indulge in any form of peer-to-peer file sharing. In addition, it is necessary that you stay away from all dubious sites, including MySpace, until we have finished with the clean up. Otherwise, we may be unable to remove the malware from your system.

Do NOT install Service Pack 2 for Windows until we have fully cleaned your computer.

I see in your uninstall list that you have a program called PartyPoker. This site/program has been placed on a list of IE Spyads restricted list, this basically means that it is recognised as an unsafe site.

Here are links to some poker sites regarded as safe for your reference.

* http://www.pokerstars.net/ - This is a free to use/play site.
* http://www.pokerstars.com - This is the paid for version.

===============================================================

You should print these instructions for reference as you will not have access to the internet during the fix.

1 - Remove Programs
Go to Start > Control Panel > Add/Remove Programs
If present, remove the following programs:
** Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.
PartyPoker
Close the Control Panel

2 - Show hidden files
We need to show files and folders that are normally hidden.
In Windows Explorer, select Tools > Folder Options > View
Set 'Hidden files and folders' to Show hidden files and folders
Untick Hide protected operating system files.
OK
Instructions can also be found >here<.
** These files are hidden to stop something important being removed accidentally. It is advisable to hide them again after fixing your computer. **

3 - Run HijackThis Scan and Fix
Start HijackThis and click Do a system scan only
Tick the following entries, if present:
O4 - HKLM\..\Run: [upxdnd] C:\DOCUME~1\Andre\LOCALS~1\Temp\upxdnd.exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\SVCHOST.EXE
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\SERVICES.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [load] C:\WINDOWS\uninstall\rundl132.exe
O4 - HKLM\..\Run: [wsttrs] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\Run: [cmssdbcs] C:\WINDOWS\SVCHOST.EXE
O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\8Sy.exe
O4 - HKLM\..\Run: [cmdbbcs] C:\WINDOWS\SVCHOST.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe


Close all windows except HijackThis
Click Fix Checked in HijackThis.

4 - Delete suspect files/folders
Using Windows Explorer, browse for the following files/folders and delete as instructed
NB Some files may have already been deleted by earlier actions so don't worry if you do not see them:

C:\Documents and Settings\Andre\Local Settings\Temp\*.* <=== Delete ALL files in this folder, NOT the folder itself.

C:\WINDOWS\8Sy.exe <=== This file only
C:\WINDOWS\SERVICES.EXE <=== This file only ** See note below
C:\WINDOWS\SVCHOST.EXE <=== This file only ** See note below
C:\WINDOWS\WINLOGON.EXE <=== This file only ** See note below

C:\WINDOWS\uninstall\rundl132.exe <=== This file only

E:\Program Files\PartyGaming\PartyPoker <=== This folder only

NOTE: Do NOT delete the same named files in the C:\Windows\System32 folder.

5 - Clean Out Temporary Files
Download ATF Cleaner by Atribune © from >here<
This is a stand-alone program that does not need to be installed. Save it to a convenient location and make a shortcut on your desktop. Using this program will remove temporary files, temporary internet files and cookies from your system, which will mean that any scans will run faster.
  • Make sure that all browser windows are closed
  • Double-click the shortcut on your desktop to run the program.
  • Under Main, choose Select All
  • UNtick Prefetch
  • Click Empty Selected
  • If you use Firefox browser,
    • Click Firefox at the top and choose Select All
    • Click on Empty Selected
    • NOTE: If you would like to keep any saved passwords, please untick that option.
  • If you use Opera browser,
    • Click Opera at the top and choose Select All
    • Click on Empty Selected
    • NOTE: If you would like to keep any saved passwords, please untick that option.
  • Click Exit to close.
6 - Scan With AVG Anti-Spyware
Download the trial version of AVG Anti-Spyware from >here< and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open.
Do not run a scan yet.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
You will need to change the following settings:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click the Scanner icon at the top and then click the Settings Tab.
  • Under How to act? click Recommended actions and select Quarantine from the menu.
You can now close AVG Anti-Spyware. Do not scan yet.

You will need to reboot your computer into Safe Mode for the next steps. It would be a good idea for you to print these instructions, as you will not have access to the internet.

Important: If you have an always on connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

7 - Boot to Safe Mode and Scan
  • Restart your computer.
  • Continually tap the F8 button as your computer is booting (a menu appears).
  • Use up-arrow key to select Safe Mode and press Enter.
Close all open windows and then start AVG Anti-Spyware, which you downloaded earlier
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan? - Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button (*** This must done before saving the report ***)
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
Reboot in Normal Mode.

8 - Check on status
After you have completed the above, please reboot and provide:
  1. the AVG Anti-Spyware Scan report
  2. a new HijackThis log
  3. and a description of how your PC is behaving - what problems are you now experiencing?
Remember, if you can, it's worth printing these instructions out before you start.

Good Luck
Vino
User avatar
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Unread postby andre18 » March 2nd, 2007, 9:46 am

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 22:50 07-03-02

+ Scan result:



C:\System Volume Information\_restore{F74D249B-0500-49CE-81C1-312F7746E627}\RP3\A0089376.dll -> Adware.BDSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\Andre\DoctorWeb\Quarantine\A0089386.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\Documents and Settings\Andre\DoctorWeb\Quarantine\A0089390.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\Documents and Settings\Andre\DoctorWeb\Quarantine\A0089392.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\Documents and Settings\Andre\DoctorWeb\Quarantine\A0089404.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\Documents and Settings\Andre\DoctorWeb\Quarantine\A0089406.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\Documents and Settings\Andre\DoctorWeb\Quarantine\A0089408.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\Documents and Settings\Andre\DoctorWeb\Quarantine\A0089414.dll -> Adware.CDN : Cleaned with backup (quarantined).
C:\Documents and Settings\Andre\DoctorWeb\Quarantine\A0089374.dll -> Adware.Cdnup : Cleaned with backup (quarantined).
C:\Documents and Settings\Andre\DoctorWeb\Quarantine\A0089378.exe -> Adware.Cdnup : Cleaned with backup (quarantined).
C:\Documents and Settings\Andre\DoctorWeb\Quarantine\A0089394.sys -> Adware.Cdnup : Cleaned with backup (quarantined).
C:\Documents and Settings\Andre\DoctorWeb\Quarantine\A0089396.dll -> Adware.Cdnup : Cleaned with backup (quarantined).
C:\Documents and Settings\Andre\DoctorWeb\Quarantine\A0089412.dll -> Adware.Cdnup : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F74D249B-0500-49CE-81C1-312F7746E627}\RP3\A0089382.exe -> Adware.Cdnup : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F74D249B-0500-49CE-81C1-312F7746E627}\RP3\A0089384.dll -> Adware.Cdnup : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F74D249B-0500-49CE-81C1-312F7746E627}\RP3\A0089410.exe -> Adware.Cdnup : Cleaned with backup (quarantined).
C:\Program Files\Perfect Codec -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1214440339-1563985344-854245398-1011\Software\Internet Security -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1214440339-1563985344-854245398-1011\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C95FE080-8F5D-11D2-A20B-00AA003C157A} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Documents and Settings\Andre\DoctorWeb\Quarantine\NDNuninstall5_48.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Documents and Settings\Jenny\My Documents\My Received Files\Pics\CEDP-Stealer-Setup.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\systemm.exe -> Backdoor.Agent.alh : Cleaned with backup (quarantined).
C:\tcsafe.exe -> Downloader.Banload.ase : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\cws.exe -> Downloader.Cryptic.cq : Cleaned with backup (quarantined).
C:\FOUND.045\FILE0009.CHK -> Downloader.Small.czl : Cleaned with backup (quarantined).
C:\FOUND.045\FILE0018.CHK -> Downloader.Small.czl : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\DRIVERS\usbue.sys -> Rootkit.Agent.dx : Cleaned with backup (quarantined).
C:\unzipped\TGB_Dual_7\devices\tbr_dll.dll -> Trojan.Gologger.d : Cleaned with backup (quarantined).
C:\FOUND.045\FILE0003.CHK -> Trojan.OnLineGames.es : Cleaned with backup (quarantined).
C:\FOUND.045\FILE0005.CHK -> Trojan.OnLineGames.es : Cleaned with backup (quarantined).
C:\FOUND.045\FILE0007.CHK -> Trojan.OnLineGames.es : Cleaned with backup (quarantined).
C:\FOUND.045\FILE0023.CHK -> Trojan.OnLineGames.es : Cleaned with backup (quarantined).
C:\FOUND.045\FILE0024.CHK -> Trojan.OnLineGames.es : Cleaned with backup (quarantined).
C:\FOUND.048\FILE0002.CHK -> Trojan.OnLineGames.es : Cleaned with backup (quarantined).
C:\FOUND.048\FILE0003.CHK -> Trojan.OnLineGames.es : Cleaned with backup (quarantined).
C:\FOUND.048\FILE0004.CHK -> Trojan.OnLineGames.es : Cleaned with backup (quarantined).
C:\FOUND.050\FILE0016.CHK -> Trojan.OnLineGames.es : Cleaned with backup (quarantined).
C:\FOUND.050\FILE0023.CHK -> Trojan.OnLineGames.es : Cleaned with backup (quarantined).
C:\FOUND.054\FILE0001.CHK -> Trojan.OnLineGames.es : Cleaned with backup (quarantined).
C:\FOUND.058\FILE0008.CHK -> Trojan.OnLineGames.es : Cleaned with backup (quarantined).
C:\FOUND.058\FILE0010.CHK -> Trojan.OnLineGames.es : Cleaned with backup (quarantined).
C:\FOUND.058\FILE0013.CHK -> Trojan.OnLineGames.es : Cleaned with backup (quarantined).
C:\FOUND.058\FILE0021.CHK -> Trojan.OnLineGames.es : Cleaned with backup (quarantined).
C:\FOUND.059\FILE0001.CHK -> Trojan.OnLineGames.es : Cleaned with backup (quarantined).
C:\FOUND.059\FILE0004.CHK -> Trojan.OnLineGames.es : Cleaned with backup (quarantined).
C:\FOUND.069\FILE0000.CHK -> Trojan.OnLineGames.es : Cleaned with backup (quarantined).
C:\FOUND.069\FILE0001.CHK -> Trojan.OnLineGames.es : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\cmdbbcs.dll -> Trojan.OnLineGames.es : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\msccrt.dll -> Trojan.OnLineGames.es : Cleaned with backup (quarantined).
C:\WINDOWS\cmdbcs.exe -> Trojan.OnLineGames.es : Cleaned with backup (quarantined).
C:\FOUND.055\FILE0000.CHK -> Trojan.OnLineGames.im : Cleaned with backup (quarantined).
C:\FOUND.057\FILE0000.CHK -> Trojan.OnLineGames.im : Cleaned with backup (quarantined).
C:\FOUND.057\FILE0002.CHK -> Trojan.OnLineGames.im : Cleaned with backup (quarantined).
C:\FOUND.058\FILE0108.CHK -> Trojan.OnLineGames.im : Cleaned with backup (quarantined).
C:\Documents and Settings\Andre\Local Settings\Temporary Internet Files\Content.IE5\SDI3OPEJ\downma11[1].exe -> Trojan.WOW.ec : Cleaned with backup (quarantined).
C:\WINDOWS\SSF28.tmp -> Worm.Viking.ha : Cleaned with backup (quarantined).
C:\WINDOWS\uninstall\rundl132.exe -> Worm.Viking.ha : Cleaned with backup (quarantined).
C:\WINDOWS\~tmp.tmp -> Worm.Viking.ha : Cleaned with backup (quarantined).


Logfile of HijackThis v1.99.1
Scan saved at 00:40, on 07-03-03
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\PROGRA~1\TRENDM~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
E:\PROGRA~1\TRENDM~1\Tmntsrv.exe
E:\PROGRA~1\TRENDM~1\tmproxy.exe
E:\PROGRA~1\TRENDM~1\TmPfw.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\taskmgr.exe
E:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.ap ... sSetup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{51DB4A9F-68EA-449B-A6C4-92E7554054D8}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ComPlusSetup - C:\WINDOWS\system32\catsrvut.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - E:\PROGRA~1\TRENDM~1\PcCtlCom.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - E:\PROGRA~1\TRENDM~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - E:\PROGRA~1\TRENDM~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - E:\PROGRA~1\TRENDM~1\tmproxy.exe




::Report end

wow thanks a lot!
my computer seems to be ok....although my shortcuts still have the dos image and the proper little shortcut pictures dont appear, and the edges of my screen seem so be compressed on either side, making the writing appear squished, but it gradually gets normal at about one third of each side of the monitor...
so how much more infections do i have? :)
andre18
Regular Member
 
Posts: 15
Joined: November 26th, 2006, 7:55 am

Unread postby Vino Rosso » March 2nd, 2007, 12:08 pm

Hi andre18

Did you have the Task Manager open when you ran the last HijackThis scan?

Try right-clicking on the Desktop and selecting Refresh. Does that help?

Before you update your computer to SP2, we must ensure we have got rid of all infections. Please now run a Kaspersky scan as follows:

1 - Kaspersky Online Scan
With the exception of your browser, keep ALL programs closed
Please do an online scan with >Kaspersky Online Scanner<. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    + Extended (If available otherwise Standard)
    o Scan Options:
    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
2 - Check on status
After you have completed the above, please provide:
  1. the Kaspersky Scan report
  2. did you have the Task Manager open when you ran the last HijackThis scan?
Thanks
Vino
User avatar
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 54 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware