help my pc is really ill

Unread postby FAZ » March 7th, 2007, 12:24 am

Hello. I've run Spybot Search & Destroy, a-squared Free, avast! Antivirus and Advanced WindowsCare V2, then I ran HijackThis. I'll post the results below. The main problem is I keep getting something called

~http:em,gad-network

and also it keeps bringing up a page from eBay showing iPods for some reason. I wish someone would tell them I don't want one LOL :roll:


Logfile of HijackThis v1.99.1
Scan saved at 04:14:08, on 07/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\1032\dll\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\DeskSite\binex\DeskSiteAlert.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Documents and Settings\paul farrell\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://shreksmobiles.co.uk/forum/search ... rchid=4193
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://shreksmobiles.co.uk/forum/search ... rchid=4193
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DeskSiteAlert] C:\Program Files\DeskSite\binex\DeskSiteAlert.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by118fd.bay118.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3514845415
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3523106859
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... 371420.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DeskSiteCMA - - C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Installator Windows (windowsinstaller) - Space Sciences Laboratory - C:\WINDOWS\system32\1032\dll\svchost.exe



many thanks in advance
FAZ
Active Member
 
Posts: 14
Joined: March 6th, 2007, 9:03 pm
Location: MANCHESTER
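Reading a HijackThis log like the one above is largely pattern-matching: a core Windows filename running from a directory other than System32, a service with no publisher, a BHO whose DLL is gone, and startup entries with odd names are the things a helper looks at first. The following Python script is an added example, not part of FAZ's post, of HijackThis, or of the MalwareRemoval.com procedure. Its sample input is an excerpt of the log above, the default XP paths and the rule set are this example's own assumptions, and a hit means "review this", not "this is malware".

```python
"""Triage heuristics for a HijackThis v1.99 log (added example, Python 3.8+).

Not part of the thread or of HijackThis itself. SAMPLE_LOG is an excerpt of
the log posted above; the rules are this example's own and flag entries for
manual review, not confirmed malware.
"""
import re
from dataclasses import dataclass

# Core Windows binaries that on XP live only directly in %SystemRoot%\System32.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM32 = r"c:\windows\system32"  # assumption: default XP install path

# Constructed sample: an excerpt of the HijackThis log from the first post.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\1032\dll\svchost.exe
C:\Program Files\DeskSite\binex\DeskSiteCMA.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O23 - Service: DeskSiteCMA - - C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
O23 - Service: Installator Windows (windowsinstaller) - Space Sciences Laboratory - C:\WINDOWS\system32\1032\dll\svchost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def check_process(path: str):
    """Flag a core-binary filename running from anywhere but System32 itself."""
    parent, _, name = path.strip().lower().rpartition("\\")
    if name in SYSTEM_BINARIES and parent != SYSTEM32:
        return Finding("system-binary-name-outside-system32", path.strip())
    return None


_PROCESS = re.compile(r"^[a-z]:\\", re.I)                       # a bare path in "Running processes"
_O2_NOFILE = re.compile(r"^O2 - BHO: .* - \(no file\)$")        # BHO registered, DLL missing
_O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+)$")
# "display - owner - path"; owner may be empty, which HijackThis prints as "- -".
_O23 = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.*?) ?- (?P<path>[a-z]:\\.+)$", re.I)


def triage(log_text: str):
    """Return one Finding per rule hit, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _PROCESS.match(line):
            f = check_process(line)
            if f:
                findings.append(f)
        elif _O2_NOFILE.match(line):
            findings.append(Finding("bho-missing-file", line))
        elif (m := _O4_STARTUP.match(line)) and m.group("name").startswith("."):
            findings.append(Finding("dot-named-startup-entry", line))
        elif m := _O23.match(line):
            if not m.group("owner").strip():
                findings.append(Finding("service-without-publisher", line))
            f = check_process(m.group("path"))
            if f:
                findings.append(Finding(f.rule, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

Run against the excerpt this reports six lines: both copies of `svchost.exe` under `system32\1032\dll` (the process and the service that starts it), the nameless BHO with no file, the two `.protected` startup entries and the `DeskSiteCMA` service with no publisher. The rules are deliberately narrow so that the ordinary entries (avast!, Google Toolbar, the real `svchost.exe`) stay quiet; confirming any hit still means checking the file itself.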

Unread postby beynac » March 7th, 2007, 7:19 am

Good morning FAZ.

Please download F-Secure Blacklight (blbeta.exe) from here.
  • Click I ACCEPT and download the graphical user interface version to your Desktop
  • Double click the file to run it, choose I accept the agreement then click Scan
  • It will create a log on your desktop (fsbl-xxxxxxx.log).
  • If it finds anything, do not rename any. Legitimate items can also be present.
  • Exit Blacklight
Please post the contents of the log as a reply to this thread.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby FAZ » March 7th, 2007, 9:23 am

Many thanks for your speedy reply!!

I've done that and here are the results:

03/07/07 12:36:15 [Info]: BlackLight Engine 1.0.55 initialized
03/07/07 12:36:15 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/07/07 12:36:20 [Note]: 7019 4
03/07/07 12:36:20 [Note]: 7005 0
03/07/07 12:36:29 [Note]: 7006 0
03/07/07 12:36:29 [Note]: 7011 2696
03/07/07 12:36:30 [Note]: 7026 0
03/07/07 12:36:30 [Note]: 7026 0
03/07/07 12:36:30 [Note]: 7024 3
03/07/07 12:36:30 [Info]: Hidden process: C:\windows\system32\oeynphbuti.exe
03/07/07 12:36:40 [Note]: FSRAW library version 1.7.1021
03/07/07 12:36:42 [Info]: Hidden file: c:\sccfg.sys
03/07/07 12:36:42 [Note]: 10002 1
03/07/07 12:58:46 [Info]: Hidden file: c:\WINDOWS\system32\oeynphbuti.dat
03/07/07 12:58:46 [Note]: 10002 1
03/07/07 12:58:46 [Info]: Hidden file: C:\windows\system32\oeynphbuti.exe
03/07/07 12:58:46 [Note]: 10002 1
03/07/07 12:58:47 [Info]: Hidden file: c:\WINDOWS\system32\oeynphbuti_nav.dat
03/07/07 12:58:47 [Note]: 10002 1
03/07/07 12:58:48 [Info]: Hidden file: c:\WINDOWS\system32\oeynphbuti_navps.dat
03/07/07 12:58:48 [Note]: 10002 1

Unread postby beynac » March 7th, 2007, 11:18 am

Hi FAZ.

Please run Blacklight in exactly the same way as before, but when it shows the list of the items found, please rename the following entry:

oeynphbuti.exe

Do this by selecting the filename and pressing the Rename button.
The Action column should now change from None to Rename
Then press Next, OK the warning screen and then choose Restart now and OK again.
Your computer should now reboot.

If you have any problems with this step then please stop here and let me know.

-------------------------------------------------------------

Run HijackThis and click Scan and then check (tick) the following, if present (don't worry if any are missing):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Close down all programs, browsers and other open windows. Make sure that only the above items are checked and then click on Fix checked.

-------------------------------------------------------------

Next download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save Link As" (Firefox) or "Save Target As" (Internet Explorer) in order to download EGDACCESS Remover.
Save it in the same folder you made earlier (c:\BFU).

Copy the text in the code box below into notepad and save it with the filename aftermath.bfu
Save it in the same folder you made earlier (c:\BFU) and set Filetype to "All files"
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\oeynphbuti
RegDelValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run|oeynphbuti
FileDelete %SYSDIR%\oeynphbuti_navps.dat
FileDelete %SYSDIR%\oeynphbuti_nav.dat
FileDelete %SYSDIR%\oeynphbuti.dat
FileDelete %SYSDIR%\oeynphbuti.exe
FileDelete %SYSDIR%\oeynphbuti_m2s.xml
FileDelete %WINDIR%\oeynphbuti.exe-*.pf
FileDelete C:\Windows\system32\oeynphbuti.exe.ren


Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select EGDACCESS.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Behind the scriptline to execute field click the folder icon again and this time select aftermath.bfu
  • Press Execute and let it do its job.
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
--------------------------------------------------------

ATF Cleaner by Atribune ©

Download ATF Cleaner by Atribune © from here : http://www.atribune.org/ccount/click.php?id=1
This is a stand-alone program that does not need to be installed. Save it to a convenient location and make a shortcut on your desktop. Using this program will remove temporary files, temporary internet files and cookies from your system, which will mean that any scans will run faster.
  • Make sure that all browser windows are closed
  • Double-click the shortcut on your desktop to run the program.
  • Under Main, choose Select All
  • Untick Prefetch
  • Click Empty Selected
  • If you use Firefox browser,
    • Click Firefox at the top and choose Select All
    • Click on Empty Selected
    • NOTE: If you would like to keep any saved passwords, please untick that option.
  • Click Exit to close.
  • If you use Opera browser,
    • Click Opera at the top and choose Select All
    • Click on Empty Selected
    • NOTE: If you would like to keep any saved passwords, please untick that option.
  • Click Exit to close.
Reboot the computer.

------------------------------------------------------

SmitFraudFix (by S!Ri)
  • Please download SmitFraudFix from here and save it to your Desktop.
  • Double-click on Smitfraud.exe - this will create a SmitfraudFix folder.
  • Open the folder and double-click smitfraudfix.cmd
  • Select option #1 - Search by typing 1 and press Enter - a text file will appear, which lists infected files (if present).
Do not run any of the other options at this stage.

Please copy/paste the content of the report (c:\rapport.txt) into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a 'RiskTool'; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between 'good' and 'malicious' use of such programs, therefore they may alert the user.

------------------------------------------------------

Please delete any Blacklight logs (fsbl-xxxxxxx.log) from your desktop and then run Blacklight again. Do not rename any items.

------------------------------------------------------

Please post, as a reply to this thread:
  • The BFU/EFD report (should be at C:\egd.txt - don't worry if it's not there)
  • The SmitFraudFix report (c:\rapport.txt)
  • The new Blacklight log (fsbl-xxxxxxx.log)
  • A new HijackThis log
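Before running a script like aftermath.bfu it is worth knowing exactly what each line will touch once `%SYSDIR%` and `%WINDIR%` are expanded and the wildcard resolved. The Python below is an added example, not part of beynac's post and not Brute Force Uninstaller's own code: it parses the three command forms the script uses, expands them under the assumed default XP paths, and reports what a constructed snapshot of the machine (the hidden files Blacklight listed, the `.ren` left by the rename, the `Run` value from the `.reg` export, plus a few unrelated entries that must survive) would lose, without deleting anything.

```python
"""Dry run of the aftermath.bfu script (added example, not BFU's own code).

Parses RegDeleteKey, RegDelValue (key|value) and FileDelete (with %SYSDIR% /
%WINDIR% tokens and wildcards) and matches them against a constructed snapshot.
"""
import fnmatch

# The aftermath.bfu script from the post above, verbatim.
SCRIPT = r"""
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\oeynphbuti
RegDelValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run|oeynphbuti
FileDelete %SYSDIR%\oeynphbuti_navps.dat
FileDelete %SYSDIR%\oeynphbuti_nav.dat
FileDelete %SYSDIR%\oeynphbuti.dat
FileDelete %SYSDIR%\oeynphbuti.exe
FileDelete %SYSDIR%\oeynphbuti_m2s.xml
FileDelete %WINDIR%\oeynphbuti.exe-*.pf
FileDelete C:\Windows\system32\oeynphbuti.exe.ren
"""

# Assumed token expansion for a default XP install.
TOKENS = {"%SYSDIR%": r"C:\WINDOWS\system32", "%WINDIR%": r"C:\WINDOWS"}

# Constructed snapshot: Blacklight's hidden files, the .ren left by the rename,
# a made-up prefetch-style file where the wildcard points, and bystanders.
SNAPSHOT_FILES = [
    r"C:\WINDOWS\system32\oeynphbuti.dat",
    r"C:\WINDOWS\system32\oeynphbuti_nav.dat",
    r"C:\WINDOWS\system32\oeynphbuti_navps.dat",
    r"C:\WINDOWS\system32\oeynphbuti.exe.ren",
    r"C:\WINDOWS\OEYNPHBUTI.EXE-1A2B3C4D.pf",
    r"C:\WINDOWS\system32\ctfmon.exe",
]
SNAPSHOT_REG_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\oeynphbuti",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PowerISO",
]
SNAPSHOT_REG_VALUES = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": ["avast!", "oeynphbuti", "Windows Defender"],
}


def parse(script: str):
    """Return (command, target, value) tuples with tokens expanded."""
    actions = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, _, arg = line.partition(" ")
        for token, real in TOKENS.items():
            arg = arg.replace(token, real)
        if cmd == "RegDelValue":
            key, _, value = arg.partition("|")
            actions.append((cmd, key, value))
        elif cmd in ("RegDeleteKey", "FileDelete"):
            actions.append((cmd, arg, None))
        else:
            raise ValueError(f"unsupported BFU command: {cmd}")
    return actions


def dry_run(actions, files, reg_keys, reg_values):
    """Split actions into those that hit something in the snapshot and those that miss.

    Paths and registry names are compared case-insensitively, as Windows does.
    """
    hits, misses = [], []
    for cmd, target, value in actions:
        if cmd == "FileDelete":
            matched = [f for f in files if fnmatch.fnmatchcase(f.lower(), target.lower())]
        elif cmd == "RegDeleteKey":
            matched = [k for k in reg_keys if k.lower() == target.lower()]
        else:  # RegDelValue
            names = next((v for k, v in reg_values.items() if k.lower() == target.lower()), [])
            matched = [f"{target}|{n}" for n in names if n.lower() == value.lower()]
        (hits if matched else misses).append((cmd, target, value, matched))
    return hits, misses


if __name__ == "__main__":
    hits, misses = dry_run(parse(SCRIPT), SNAPSHOT_FILES, SNAPSHOT_REG_KEYS, SNAPSHOT_REG_VALUES)
    for cmd, target, _, matched in hits:
        print(f"WOULD REMOVE ({cmd}): {', '.join(matched)}")
    for cmd, target, _, _ in misses:
        print(f"no match ({cmd}): {target}")
```

On this snapshot seven lines hit and two miss: `oeynphbuti.exe` is gone because Blacklight already renamed it to `.exe.ren` (which the last line does catch), and `oeynphbuti_m2s.xml` was never present. Neither `ctfmon.exe` nor the `avast!` and `Windows Defender` values are touched, which is the property you want to confirm before running the real thing.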

Unread postby FAZ » March 8th, 2007, 4:58 pm

Hi, and thanks. Here is what you asked for.


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"oeynphbuti"="c:\\windows\\system32\\oeynphbuti.exe oeynphbuti"
"BootSkin Startup Jobs"="\"C:\\Program Files\\Stardock\\WinCustomize\\BootSkin\\BootSkin.exe\" /StartupJobs"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""




SmitFraudFix v2.148

Scan done at 18:35:32.09, 08/03/2007
Run from C:\Documents and Settings\paul farrell\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\.protected FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\paul farrell


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\paul farrell\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\PAULFA~1\STARTM~1\Programs\Startup\.protected FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PAULFA~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End




03/08/07 18:57:40 [Info]: BlackLight Engine 1.0.55 initialized
03/08/07 18:57:40 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/08/07 18:57:40 [Note]: 7019 4
03/08/07 18:57:40 [Note]: 7005 0
03/08/07 18:57:42 [Note]: 7006 0
03/08/07 18:57:42 [Note]: 7011 2136
03/08/07 18:57:42 [Note]: 7026 0
03/08/07 18:57:42 [Note]: 7026 0
03/08/07 18:57:46 [Note]: FSRAW library version 1.7.1021
03/08/07 18:57:47 [Info]: Hidden file: c:\sccfg.sys
03/08/07 18:57:47 [Note]: 10002 1



Logfile of HijackThis v1.99.1
Scan saved at 20:57:26, on 08/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\1032\dll\svchost.exe
C:\WINDOWS\system32\1032\dll\projects\setiathome.berkeley.edu\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\paul farrell\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://shreksmobiles.co.uk/forum/search ... rchid=4193
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://shreksmobiles.co.uk/forum/search ... rchid=4193
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by118fd.bay118.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3514845415
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3523106859
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... 371420.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DeskSiteCMA - - C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Installator Windows (windowsinstaller) - Space Sciences Laboratory - C:\WINDOWS\system32\1032\dll\svchost.exe

Unread postby beynac » March 8th, 2007, 6:16 pm

Hi FAZ.

Well done. That's cleared some of the 'nasties'! :)

I cannot see any sign that you are using a firewall. Are you using Windows XP Firewall? If not, I suggest that you switch it on immediately. I will make some recommendations later.

Do you use a program called FolderLock, or has it been on the computer in the past? Please let me know.

-------------------------------------------------------

We need to temporarily disable Spybot S&D 'TeaTimer' as it may interfere with the fix. Please do the following:
  • Open Spybot S&D
  • Go to the Mode menu, and make sure Advanced Mode is selected
  • On the left hand side, choose Tools then Resident
  • Uncheck Resident TeaTimer and OK any prompts
After all of the fixes are complete, it is important that you enable TeaTimer again.

-------------------------------------------------------

AVG Anti-Spyware:

I see that you already have this program installed, please update it as detailed below.

  • Open AVG Anti-Spyware
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
You may need to change the following settings:
  • Click the Shield icon at the top and under Resident shield is... make sure that it says inactive or not available in the free version
  • Click the Update icon and untick the automatic update option.
  • Click the Scanner icon at the top and then click the Settings Tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan? - Select Scan every file.
You can now close AVG Anti-Spyware. Do not scan yet.

---------------------------------------------------------------

You need to reboot your computer in Safe Mode for the next step. It would be a good idea for you to print these instructions, as you will not have access to the internet.

Important: If you have an 'always on' connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.
  • Restart your computer.
  • Continually tap the F8 key as your computer is booting until a menu appears.
  • Use up-arrow key to select Safe Mode and press Enter.
-------------------------------------------------------------

Open the SmitFraudFix folder on your desktop and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press 'Enter' to delete infected files.

You will be prompted : 'Registry cleaning - Do you want to clean the registry ?'; answer 'Yes' by typing Y and press 'Enter' in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer 'Yes' by typing Y and press 'Enter'.

The tool may need to restart your computer to finish the cleaning process.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt.

Reboot into Safe Mode (as above).

------------------------------------------------------------

Run ATF Cleaner by Atribune ©:
  • Make sure that all browser windows are closed
  • Double-click the shortcut on your desktop to run the program.
  • Under Main, choose Select All
  • Untick Prefetch
  • Click Empty Selected
  • If you use Firefox browser,
    • Click Firefox at the top and choose Select All
    • Click on Empty Selected
    • NOTE: If you would like to keep any saved passwords, please untick that option.
  • Click Exit to close.
  • If you use Opera browser,
    • Click Opera at the top and choose Select All
    • Click on Empty Selected
    • NOTE: If you would like to keep any saved passwords, please untick that option.
  • Click Exit to close.
----------------------------------------------------

Close all open windows and then start AVG Anti-Spyware.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button (*** This must be done before saving the report ***)
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
Reboot in Normal Mode.

------------------------------------------------------------

Open the SmitFraudFix folder again and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question 'Restore Trusted Zone ?' by typing Y and hit Enter.

-----------------------------------------------------------

Please post, as a reply to this thread:
  • The SmitFraudFix report (c:\rapport.txt)
  • The AVG Anti-Spyware report
  • A new HijackThis log
Please let me know about FolderLock.

Unread postby FAZ » March 9th, 2007, 9:30 am

OK, it took a while but here is what you have asked for.

SmitFraudFix v2.148

Scan done at 9:59:07.45, 09/03/2007
Run from C:\Documents and Settings\paul farrell\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost
127.0.0.1 AdNuker

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\.protected Deleted
C:\DOCUME~1\PAULFA~1\STARTM~1\Programs\Startup\.protected Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 13:11:57 09/03/2007

+ Scan result:



Nothing found.


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 13:26:14, on 09/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\1032\dll\svchost.exe
C:\WINDOWS\system32\1032\dll\projects\setiathome.berkeley.edu\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\paul farrell\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by118fd.bay118.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3514845415
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3523106859
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... 371420.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DeskSiteCMA - - C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Installator Windows (windowsinstaller) - Space Sciences Laboratory - C:\WINDOWS\system32\1032\dll\svchost.exe



Yes, FolderLock is an application my brother installed so my son can't get into certain parts of the PC without a password.

Thanks again
FAZ
Active Member
 
Posts: 14
Joined: March 6th, 2007, 9:03 pm
Location: MANCHESTER
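When a helper reads the "Running processes" section of a HijackThis log by eye, one of the things they look for is a well-known Windows binary name (svchost.exe, lsass.exe, winlogon.exe and so on) running from somewhere other than its normal directory, as with the two svchost.exe entries under C:\WINDOWS\system32\1032\dll in the log above. The script below is an added example, not code from this thread or from HijackThis: it pulls the process list out of a log in the 1.99.1 format shown here and flags such entries for review. The expected-directory table is an assumption for a default Windows XP install on drive C:, and the sample log is a constructed subset of the one posted above. A flagged entry is a candidate to investigate, not a verdict; a legitimate program can reuse a system file name, which is exactly what a helper has to confirm or rule out.

```python
from pathlib import PureWindowsPath

# Constructed sample: the header and a few "Running processes" lines in the
# HijackThis 1.99.1 log format, modelled on the log posted in this thread
# (a subset, not the full log).
SAMPLE_HJT_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 13:26:14, on 09/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\1032\dll\svchost.exe
C:\WINDOWS\system32\1032\dll\projects\setiathome.berkeley.edu\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ctfmon.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
"""

# Assumed locations of these binaries on a default Windows XP install on C:.
# Anything with one of these file names running from elsewhere deserves a
# closer look. It may be a legitimate third-party program that reused the
# name, but that has to be confirmed rather than assumed.
EXPECTED_DIRS = {
    "smss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "ctfmon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}


def running_processes(log_text):
    """Return the image paths listed under 'Running processes:' in a HijackThis log.

    The section starts after the 'Running processes:' header and ends at the
    first blank line, which is where HijackThis begins the O-numbered entries.
    """
    paths = []
    in_section = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not stripped:
                break
            paths.append(stripped)
    return paths


def masquerade_candidates(paths):
    """Return (path, expected_dirs) for system-binary names running from unexpected directories.

    Comparison is case-insensitive because HijackThis reports paths with the
    casing the process table happens to hold (System32 vs system32, Explorer.EXE).
    """
    flagged = []
    for p in paths:
        wp = PureWindowsPath(p)
        name = wp.name.lower()
        if name not in EXPECTED_DIRS:
            continue
        parent = str(wp.parent).lower()
        if parent not in EXPECTED_DIRS[name]:
            flagged.append((p, sorted(EXPECTED_DIRS[name])))
    return flagged


if __name__ == "__main__":
    for path, expected in masquerade_candidates(running_processes(SAMPLE_HJT_LOG)):
        print(f"REVIEW: {path}  (expected in {', '.join(expected)})")
```

Run against the sample, the two svchost.exe entries under system32\1032\dll are the only lines flagged; the avast! service is ignored because its name is not one the table knows, and Explorer.EXE passes because C:\WINDOWS is its normal home.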

Unread postby beynac » March 9th, 2007, 9:52 am

Hi FAZ.

Good job! :) That was quite a lot to get through, but we've got there. The latest HijackThis log appears to be clean, but there are still a couple of things to do.

Yes, FolderLock is an application my brother installed so my son can't get into certain parts of the PC without a password.

That's good. It confirms that the remaining hidden file in the Blacklight report is OK.

----------------------------------------------------------

Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older, more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Click on the link named Java Runtime Environment (JRE) 6
  • Click on the radio button to Accept License Agreement
  • Click on Windows Offline Installation, Multi-language and save the downloaded file to your hard disk
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 2 Runtime Environment, JRE or JSE)
  • Reboot your computer
  • Delete the folder C:\Program Files\Java if present
  • Install the new version by running the newly-downloaded file, and follow the on-screen instructions.
  • Reboot your computer
---------------------------------------------------------

Kaspersky Online Scanner

Using Internet Explorer, go to: http://www.kaspersky.com/virusscanner
  • Click on Kaspersky Online Scanner
  • Click the Accept button
  • Follow the prompts to download and install the ActiveX component(s) and other software
    • If a yellow information bar appears at the top of the browser window, click on it and select Install ActiveX Control
    • If a message box appears, click on OK or Run as appropriate
  • Click Accept again (see the note below if using IE7)
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click 'Next'.
  • Now click on 'Scan Settings'
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: 'Extended' (If available, otherwise 'Standard')
    • Scan Options: 'Scan Archives' and 'Scan Mail Bases'
  • Click 'OK'
  • Now under 'Select a target to scan' select 'My Computer'
  • The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
  • Now click on the Save as... button:
  • Save the report to your desktop (Save as type: Text document (txt))
Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.

---------------------------------------------------------

Please post:
  • The Kaspersky report
  • A new HijackThis log
Please let me know how your computer is running now. Are you still getting irresistible offers on iPods? :lol:
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby FAZ » March 9th, 2007, 2:36 pm

Hi again, the computer seems to be running great; there are no signs of any iPods or any other offers coming up.


Here are the two reports that you asked for next.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, March 09, 2007 6:23:25 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 9/03/2007
Kaspersky Anti-Virus database records: 279825
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 51775
Number of viruses found: 14
Number of infected objects: 54 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:02:55

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2a16330abd0d9409d7967affbf81c3aa_614fdec5-d90e-4f96-930f-6f10f1dc85d3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\504976c6628440c40f3fc06f12a128bc_614fdec5-d90e-4f96-930f-6f10f1dc85d3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\619b75c121a84179689a9c95bed5a1ff_614fdec5-d90e-4f96-930f-6f10f1dc85d3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\daee4cc9a64e723a1dc1742c51beae74_614fdec5-d90e-4f96-930f-6f10f1dc85d3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\eb0b18b6c1d5cf72a5cfdd4e09186103_614fdec5-d90e-4f96-930f-6f10f1dc85d3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f69b589dc4e85443297217d0e0ab3c20_614fdec5-d90e-4f96-930f-6f10f1dc85d3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-02262007-221313.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\paul farrell\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\paul farrell\Desktop\DVD_Pirate_Pack_collected_by-svcbadass.rar/DVD_Pirate_Pack_collected_by-svcbadass/Alcohol120..1.9.5.4/Alcohol120_trial_1.9.5.4521.exe Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\paul farrell\Desktop\DVD_Pirate_Pack_collected_by-svcbadass.rar/DVD_Pirate_Pack_collected_by-svcbadass/any dvd 6.1.0.7/SetupAnyDVD.exe Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\paul farrell\Desktop\DVD_Pirate_Pack_collected_by-svcbadass.rar/DVD_Pirate_Pack_collected_by-svcbadass/Dvd Decrypter 3.5.4/SetupDVDDecrypter_3.5.4.0.exe Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\paul farrell\Desktop\DVD_Pirate_Pack_collected_by-svcbadass.rar/DVD_Pirate_Pack_collected_by-svcbadass/DVD SHRINK/dvdshrink32setup.exe Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\paul farrell\Desktop\DVD_Pirate_Pack_collected_by-svcbadass.rar/DVD_Pirate_Pack_collected_by-svcbadass/VSO...2.0.9/Crack/ConvertXtoDVD2x_GOLDCrack.exe Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\paul farrell\Desktop\DVD_Pirate_Pack_collected_by-svcbadass.rar/DVD_Pirate_Pack_collected_by-svcbadass/VSO...2.0.9/vsoConvertXtoDVD2_setup.exe Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\paul farrell\Desktop\DVD_Pirate_Pack_collected_by-svcbadass.rar RAR: infected - 6 skipped
C:\Documents and Settings\paul farrell\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\paul farrell\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\paul farrell\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\paul farrell\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\paul farrell\Desktop\SmitfraudFix.exe PE_Patch.UPX: infected - 2 skipped
C:\Documents and Settings\paul farrell\Desktop\swamp\New Folder\007 Spy SoftWare(KeyLogger+) Plus Serial By DeeOhGee..zip/007 Spy SoftWare(KeyLogger+) Plus Serial By DeeOhGee/007 Spy SoftWare SetUp.exe/data0002 Infected: not-a-virus:Monitor.Win32.007SpySoft.342 skipped
C:\Documents and Settings\paul farrell\Desktop\swamp\New Folder\007 Spy SoftWare(KeyLogger+) Plus Serial By DeeOhGee..zip/007 Spy SoftWare(KeyLogger+) Plus Serial By DeeOhGee/007 Spy SoftWare SetUp.exe Infected: not-a-virus:Monitor.Win32.007SpySoft.342 skipped
C:\Documents and Settings\paul farrell\Desktop\swamp\New Folder\007 Spy SoftWare(KeyLogger+) Plus Serial By DeeOhGee..zip ZIP: infected - 2 skipped
C:\Documents and Settings\paul farrell\Desktop\swamp\New Folder\DVD_Pirate_Pack_collected_by-svcbadass.rar/DVD_Pirate_Pack_collected_by-svcbadass/Alcohol120..1.9.5.4/Alcohol120_trial_1.9.5.4521.exe Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\paul farrell\Desktop\swamp\New Folder\DVD_Pirate_Pack_collected_by-svcbadass.rar/DVD_Pirate_Pack_collected_by-svcbadass/any dvd 6.1.0.7/SetupAnyDVD.exe Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\paul farrell\Desktop\swamp\New Folder\DVD_Pirate_Pack_collected_by-svcbadass.rar/DVD_Pirate_Pack_collected_by-svcbadass/Dvd Decrypter 3.5.4/SetupDVDDecrypter_3.5.4.0.exe Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\paul farrell\Desktop\swamp\New Folder\DVD_Pirate_Pack_collected_by-svcbadass.rar/DVD_Pirate_Pack_collected_by-svcbadass/DVD SHRINK/dvdshrink32setup.exe Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\paul farrell\Desktop\swamp\New Folder\DVD_Pirate_Pack_collected_by-svcbadass.rar/DVD_Pirate_Pack_collected_by-svcbadass/VSO...2.0.9/Crack/ConvertXtoDVD2x_GOLDCrack.exe Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\paul farrell\Desktop\swamp\New Folder\DVD_Pirate_Pack_collected_by-svcbadass.rar/DVD_Pirate_Pack_collected_by-svcbadass/VSO...2.0.9/vsoConvertXtoDVD2_setup.exe Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\paul farrell\Desktop\swamp\New Folder\DVD_Pirate_Pack_collected_by-svcbadass.rar RAR: infected - 6 skipped
C:\Documents and Settings\paul farrell\Local Settings\Application Data\Microsoft\Messenger\pauljfarrell@hotmail.co.uk\Sharing Folders\jfaz258@hotmail.com\DVD_Pirate_Pack_collected_by-svcbadass\Alcohol120..1.9.5.4\Alcohol120_trial_1.9.5.4521.exe Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\paul farrell\Local Settings\Application Data\Microsoft\Messenger\pauljfarrell@hotmail.co.uk\Sharing Folders\jfaz258@hotmail.com\DVD_Pirate_Pack_collected_by-svcbadass\any dvd 6.1.0.7\SetupAnyDVD.exe Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\paul farrell\Local Settings\Application Data\Microsoft\Messenger\pauljfarrell@hotmail.co.uk\Sharing Folders\jfaz258@hotmail.com\DVD_Pirate_Pack_collected_by-svcbadass\Dvd Decrypter 3.5.4\SetupDVDDecrypter_3.5.4.0.exe Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\paul farrell\Local Settings\Application Data\Microsoft\Messenger\pauljfarrell@hotmail.co.uk\Sharing Folders\jfaz258@hotmail.com\DVD_Pirate_Pack_collected_by-svcbadass\DVD SHRINK\dvdshrink32setup.exe Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\paul farrell\Local Settings\Application Data\Microsoft\Messenger\pauljfarrell@hotmail.co.uk\Sharing Folders\jfaz258@hotmail.com\DVD_Pirate_Pack_collected_by-svcbadass\VSO...2.0.9\Crack\ConvertXtoDVD2x_GOLDCrack.exe Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\paul farrell\Local Settings\Application Data\Microsoft\Messenger\pauljfarrell@hotmail.co.uk\Sharing Folders\jfaz258@hotmail.com\DVD_Pirate_Pack_collected_by-svcbadass\VSO...2.0.9\vsoConvertXtoDVD2_setup.exe Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\paul farrell\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\paul farrell\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\paul farrell\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{6EB40928-F40B-431E-8FB0-D909A22B287D} Object is locked skipped
C:\Documents and Settings\paul farrell\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\paul farrell\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\paul farrell\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\paul farrell\My Documents\downloads\Full Speed Fast Internet Accelerator\FullSpeed.exe/data0000.cab/FULLSP~1.EXE Infected: Backdoor.Win32.Rbot.gen skipped
C:\Documents and Settings\paul farrell\My Documents\downloads\Full Speed Fast Internet Accelerator\FullSpeed.exe/data0000.cab Infected: Backdoor.Win32.Rbot.gen skipped
C:\Documents and Settings\paul farrell\My Documents\downloads\Full Speed Fast Internet Accelerator\FullSpeed.exe DotFix NiceProtect: infected - 2 skipped
C:\Documents and Settings\paul farrell\My Documents\downloads\uTorrent Download Speeder 16.0 [ Cracked ] - New -\uTorrent Download Speeder 16.0 [ Cracked ] - New -.exe Infected: Backdoor.Win32.Cakl.m skipped
C:\Documents and Settings\paul farrell\ntuser.dat Object is locked skipped
C:\Documents and Settings\paul farrell\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP256\A0266833.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP256\A0266834.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP256\A0266837.dll Infected: Trojan-Downloader.Win32.Busky.gen skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP257\A0269967.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP275\A0316744.exe/ROOT/~/PROGRAMS/Internet Tools/DialuPass/dialupass.exe Infected: not-a-virus:PSWTool.Win32.Dialupass.f skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP275\A0316744.exe/ROOT/~/PROGRAMS/Internet Tools/emailpassview/MailPassView.exe Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP275\A0316744.exe/ROOT/~/PROGRAMS/Internet Tools/Outlooker/Outlooker.exe Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP275\A0316744.exe/ROOT/~/PROGRAMS/SystemTools/SAMInside/SAMInside.exe Infected: HackTool.Win32.SAMInside.23 skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP275\A0316744.exe 7-Zip: infected - 4 skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP275\A0316757.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP275\A0316758.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP275\A0316759.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP275\A0316760.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP275\A0316761.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP275\A0316762.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP311\A0356516.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP311\A0356516.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP311\A0356516.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP311\A0356516.exe PE_Patch.UPX: infected - 2 skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP315\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\1032\dll\projects\setiathome.berkeley.edu\01dc03aa.18088.2912.190906.3.116_2_0 Object is locked skipped
C:\WINDOWS\system32\1032\dll\slots\0\boinc_lockfile Object is locked skipped
C:\WINDOWS\system32\1032\dll\slots\0\stderr.txt Object is locked skipped
C:\WINDOWS\system32\1032\dll\stderrdae.txt Object is locked skipped
C:\WINDOWS\system32\1032\dll\stdoutdae.txt Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\temp\NSIS_Install_IGB.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.NaviPromo.ao skipped
C:\WINDOWS\system32\temp\NSIS_Install_IGB.exe/stream Infected: not-a-virus:AdWare.Win32.NaviPromo.ao skipped
C:\WINDOWS\system32\temp\NSIS_Install_IGB.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_678.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



Logfile of HijackThis v1.99.1
Scan saved at 18:24:33, on 09/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1032\dll\svchost.exe
C:\WINDOWS\system32\1032\dll\projects\setiathome.berkeley.edu\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\paul farrell\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by118fd.bay118.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3514845415
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3523106859
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... 371420.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DeskSiteCMA - - C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Installator Windows (windowsinstaller) - Space Sciences Laboratory - C:\WINDOWS\system32\1032\dll\svchost.exe

thanks again :)
FAZ
Active Member
 
Posts: 14
Joined: March 6th, 2007, 9:03 pm
Location: MANCHESTER

Unread postby beynac » March 9th, 2007, 8:01 pm

Hi FAZ.

There are quite a lot of infected items in the Kaspersky report. We've got some more to delete. First a question - are you running SETI@home? If so, it does not appear to be running from the normal directory. These are the lines in HijackThis:

C:\WINDOWS\system32\1032\dll\svchost.exe
C:\WINDOWS\system32\1032\dll\projects\setiathome.berkeley.edu\svchost.exe
O23 - Service: Installator Windows (windowsinstaller) - Space Sciences Laboratory - C:\WINDOWS\system32\1032\dll\svchost.exe


Are you happy that this is genuine? I would appreciate any information you have about the location and the installation in general.

-------------------------------------------------------------

Show hidden System Files:
  • Click Start
  • Open My Computer
  • Select the Tools menu and click Folder Options
  • Select the View tab
  • Advanced Settings:
    • Under Hidden files and folders, select Show hidden files and folders
    • Uncheck Hide extensions for known file types
    • Uncheck Hide protected operating system files (Recommended)
  • Click Apply to All Folders
  • Click Yes to confirm
  • Click OK
------------------------------------------------------

Click on Start then My Computer, find the following files and folders (highlighted in red) and delete them, if present. Don't worry if any are missing, but please let me know.

C:\WINDOWS\system32\temp\NSIS_Install_IGB.exe <-- File
C:\Documents and Settings\paul farrell\Desktop\DVD_Pirate_Pack_collected_by-svcbadass.rar <-- File
C:\Documents and Settings\paul farrell\Desktop\swamp\New Folder\007 Spy SoftWare(KeyLogger+) Plus Serial By DeeOhGee..zip <-- File
C:\Documents and Settings\paul farrell\Desktop\swamp\New Folder\DVD_Pirate_Pack_collected_by-svcbadass.rar
C:\Documents and Settings\paul farrell\My Documents\downloads\Full Speed Fast Internet Accelerator\ <-- Folder
C:\Documents and Settings\paul farrell\My Documents\downloads\uTorrent Download Speeder 16.0 [ Cracked ] - New -\ <-- Folder
C:\Documents and Settings\paul farrell\Local Settings\Application Data\Microsoft\Messenger\pauljfarrell@hotmail.co.uk\Sharing Folders\jfaz258@hotmail.com\DVD_Pirate_Pack_collected_by-svcbadass\ <-- Folder

Reboot the computer.

-----------------------------------------------------------

Please re-run the Kaspersky Online Scanner (see my previous post for instructions) and post the report.

-----------------------------------------------------------

Please post, as a reply to this thread:
  • The new Kaspersky report
  • A new HijackThis log
  • An answer to my questions about SETI@home
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England
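
The check beynac is doing by eye above (a binary with a core Windows name, svchost.exe, running from an unexpected directory, and a service registered to start it) can be automated. The following is an added example, not part of this thread and not a tool from MalwareRemoval.com: it runs over a few HijackThis-style lines constructed from the logs in this thread and flags any process or O23 service whose image has a core Windows filename but lives outside the trusted directories. The trusted-directory set and the list of core binary names are assumptions for 32-bit Windows XP; the matching is deliberately exact, so a subfolder of system32 does not count as trusted.

```python
"""Flag core Windows binary names running from non-standard directories
in HijackThis-style log lines (added example; inputs are constructed)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: on 32-bit Windows XP the genuine copies of these binaries live
# directly in one of these two directories. Only an exact directory match
# counts, so "c:\windows\system32\1032\dll\" is NOT trusted.
TRUSTED_SYSTEM_DIRS = {"c:\\windows\\system32\\", "c:\\windows\\"}

# Assumption: filenames malware commonly borrows so a process list looks normal.
CORE_BINARY_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                     "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}

# A bare path line from the "Running processes:" section.
PATH_LINE_RE = re.compile(r"^[A-Za-z]:\\.+$")
# An O23 service line: "O23 - Service: <display> - <vendor> - <path>".
# The vendor may be empty (the log shows "DeskSiteCMA - - C:\...").
SERVICE_LINE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<vendor>.*?) - ?(?P<path>[A-Za-z]:\\.+)$")


@dataclass
class Finding:
    line: str    # the log line as it appeared
    reason: str  # why it was flagged


def _split(path: str):
    """Return (directory with trailing backslash, filename), lower-cased."""
    norm = path.strip().strip('"').lower()
    directory, _, name = norm.rpartition("\\")
    return directory + "\\", name


def masquerade_reason(path: str) -> Optional[str]:
    """Reason string if the path borrows a core Windows filename, else None."""
    directory, name = _split(path)
    if name in CORE_BINARY_NAMES and directory not in TRUSTED_SYSTEM_DIRS:
        return f"{name} is a core Windows binary name but runs from {directory}"
    return None


def check_line(line: str) -> Optional[Finding]:
    """Inspect one log line; services and running processes are both covered."""
    line = line.strip()
    m = SERVICE_LINE_RE.match(line)
    if m:
        reason = masquerade_reason(m.group("path"))
        return Finding(line, f"service '{m.group('display')}': {reason}") if reason else None
    if PATH_LINE_RE.match(line):
        reason = masquerade_reason(line)
        return Finding(line, f"running process: {reason}") if reason else None
    return None


def scan(log: str) -> List[Finding]:
    """Return every flagged line in the given log text, in order."""
    return [f for f in (check_line(l) for l in log.splitlines()) if f]


# Constructed sample: a handful of lines taken from the HijackThis logs above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\1032\dll\svchost.exe
C:\WINDOWS\system32\1032\dll\projects\setiathome.berkeley.edu\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: DeskSiteCMA - - C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
O23 - Service: Installator Windows (windowsinstaller) - Space Sciences Laboratory - C:\WINDOWS\system32\1032\dll\svchost.exe
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.reason}\n    {finding.line}")
```

On the sample above this reports the two svchost.exe processes under system32\1032\dll and the "Installator Windows" service that launches one of them, and stays silent on the genuine svchost.exe and Explorer.EXE entries. A clean antivirus verdict on such a file (as Jotti later gave here) does not change the finding: the location and the registered service are what need explaining.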

Unread postby FAZ » March 12th, 2007, 5:36 pm

Hi, sorry it took me so long to get back to you.

I don't know what SETI@home is, and if these files

C:\WINDOWS\system32\1032\dll\svchost.exe
C:\WINDOWS\system32\1032\dll\projects\setiathome.berkeley.edu\svchost.exe
O23 - Service: Installator Windows (windowsinstaller) - Space Sciences Laboratory - C:\WINDOWS\system32\1032\dll\svchost.exe


are not required for my PC to run then I will be happy to remove them.





-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, March 12, 2007 9:30:44 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 12/03/2007
Kaspersky Anti-Virus database records: 280901
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 54530
Number of viruses found: 11
Number of infected objects: 33 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:25:03

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2a16330abd0d9409d7967affbf81c3aa_614fdec5-d90e-4f96-930f-6f10f1dc85d3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\504976c6628440c40f3fc06f12a128bc_614fdec5-d90e-4f96-930f-6f10f1dc85d3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\619b75c121a84179689a9c95bed5a1ff_614fdec5-d90e-4f96-930f-6f10f1dc85d3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\daee4cc9a64e723a1dc1742c51beae74_614fdec5-d90e-4f96-930f-6f10f1dc85d3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\eb0b18b6c1d5cf72a5cfdd4e09186103_614fdec5-d90e-4f96-930f-6f10f1dc85d3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f69b589dc4e85443297217d0e0ab3c20_614fdec5-d90e-4f96-930f-6f10f1dc85d3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-02262007-221313.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\MpCmdRun-15-421CFC91-A93E-42AB-A35C-F06F127FCC44.lock Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\MpCmdRun.log Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\paul farrell\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\paul farrell\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\paul farrell\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\paul farrell\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\paul farrell\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\paul farrell\Desktop\SmitfraudFix.exe PE_Patch.UPX: infected - 2 skipped
C:\Documents and Settings\paul farrell\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\paul farrell\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\paul farrell\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\paul farrell\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{5E48B548-1FCF-486F-A8D9-96EECA8F207D} Object is locked skipped
C:\Documents and Settings\paul farrell\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\paul farrell\Local Settings\History\History.IE5\MSHist012007031220070313\index.dat Object is locked skipped
C:\Documents and Settings\paul farrell\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\paul farrell\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\paul farrell\ntuser.dat Object is locked skipped
C:\Documents and Settings\paul farrell\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP256\A0266833.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP256\A0266834.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP256\A0266837.dll Infected: Trojan-Downloader.Win32.Busky.gen skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP257\A0269967.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP275\A0316744.exe/ROOT/~/PROGRAMS/Internet Tools/DialuPass/dialupass.exe Infected: not-a-virus:PSWTool.Win32.Dialupass.f skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP275\A0316744.exe/ROOT/~/PROGRAMS/Internet Tools/emailpassview/MailPassView.exe Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP275\A0316744.exe/ROOT/~/PROGRAMS/Internet Tools/Outlooker/Outlooker.exe Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP275\A0316744.exe/ROOT/~/PROGRAMS/SystemTools/SAMInside/SAMInside.exe Infected: HackTool.Win32.SAMInside.23 skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP275\A0316744.exe 7-Zip: infected - 4 skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP275\A0316757.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP275\A0316758.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP275\A0316759.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP275\A0316760.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP275\A0316761.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP275\A0316762.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP311\A0356516.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP311\A0356516.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP311\A0356516.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP311\A0356516.exe PE_Patch.UPX: infected - 2 skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP318\A0365145.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.NaviPromo.ao skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP318\A0365145.exe/stream Infected: not-a-virus:AdWare.Win32.NaviPromo.ao skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP318\A0365145.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP318\A0365148.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP318\A0365149.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP318\A0365150.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP318\A0365151.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP318\A0365152.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP318\A0365153.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E7EB5535-6D40-4082-8BCA-E0D2DA912CA9}\RP318\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{9F46F98E-C2D5-4BA4-8197-F381505A09E0}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\1032\dll\projects\setiathome.berkeley.edu\17se04aa.25044.20384.334640.3.101_3_0 Object is locked skipped
C:\WINDOWS\system32\1032\dll\slots\0\boinc_lockfile Object is locked skipped
C:\WINDOWS\system32\1032\dll\slots\0\stderr.txt Object is locked skipped
C:\WINDOWS\system32\1032\dll\stderrdae.txt Object is locked skipped
C:\WINDOWS\system32\1032\dll\stdoutdae.txt Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5ec.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 21:31:34, on 12/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\1032\dll\svchost.exe
C:\WINDOWS\system32\1032\dll\projects\setiathome.berkeley.edu\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\paul farrell\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by118fd.bay118.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3514845415
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3523106859
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... 371420.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DeskSiteCMA - - C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Installator Windows (windowsinstaller) - Space Sciences Laboratory - C:\WINDOWS\system32\1032\dll\svchost.exe


thanks again
FAZ
Active Member
 
Posts: 14
Joined: March 6th, 2007, 9:03 pm
Location: MANCHESTER

Unread postby beynac » March 12th, 2007, 7:16 pm

Hi FAZ.

I would like to do a bit of checking before we get rid of those SETI@home files. I want to know what we are dealing with and make sure that we remove this as cleanly as possible.

Submit File to Jotti

Please click on http://virusscan.jotti.org/
Use the "Browse" button and locate the following file on your computer:

C:\WINDOWS\system32\1032\dll\svchost.exe

Click the "Submit" button.
Please copy and paste the results into Notepad (to retain for posting later).

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html

Please repeat the exercise with the following file: C:\WINDOWS\system32\1032\dll\projects\setiathome.berkeley.edu\svchost.exe

----------------------------------------------------------

Please open HijackThis
  • Click on the Open the Misc Tools section button
  • Click on Open Uninstall Manager...
  • Click on Save List... (towards the bottom right)
  • Save the text file to a convenient location
Please post the results of the Jotti's (or VirusTotal) scans and the HijackThis Uninstall list.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby FAZ » March 13th, 2007, 6:53 am

Here are the Jotti scan results:

C:\WINDOWS\system32\1032\dll\svchost.exe

Scan taken on 13 Mar 2007 10:25:59 (GMT)
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


C:\WINDOWS\system32\1032\dll\projects\setiathome.berkeley.edu\svchost.exe

Scan taken on 13 Mar 2007 10:39:39 (GMT)
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Uninstall list:

AC3Filter (remove only)
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 8
Adobe® Photoshop® Album Starter Edition 3.0
Adobe® Photoshop® Album Starter Edition 3.0.1
Advanced WindowsCare 2.30 Personal
ArcSoft PhotoImpression
ArcSoft VideoImpression 1.6
a-squared Free 2.1
AV Voice Changer Software DIAMOND 4.0
avast! Antivirus
AVG Anti-Spyware 7.5
BootSkin
Digital Camera
Diino 4.1.0
D-Link VGA Webcam
EasyStudio PC Sync
EasyStudio PIM & File Manager
Eminem DeskSite
ffdshow (remove only)
Folder Lock
Google Earth
Google Pack Screensaver
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
Google Video Player
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hypnotic Effect 1.0
Icatch(IV) Camera Driver
Java(TM) SE Runtime Environment 6
Jigsaw365
Kaspersky Online Scanner
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Nero OEM
NeroVision Express 2 SE
Picasa 2
PowerISO
PRIMAX Colorado 600p / 1200p 36bit English (bulid 099)
QuickTime
Registry Repair 1.7
SAMSUNG Mobile USB Modem 1.0 Software
SCRABBLE
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Spybot - Search & Destroy 1.4
SUPER © Version 2007.bld.21 (Jan 4, 2007)
SysMetrix 3.41
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB931836)
VobSub v2.23 (Remove Only)
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884020
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
XP Smoker 4.4
XviD MPEG-4 Video Codec
FAZ
Active Member
 
Posts: 14
Joined: March 6th, 2007, 9:03 pm
Location: MANCHESTER

Unread postby beynac » March 13th, 2007, 12:19 pm

Hi FAZ.

What is SETI@home?
SETI@home is a scientific experiment that uses Internet-connected computers in the Search for Extraterrestrial Intelligence (SETI). You can participate by running a free program that downloads and analyzes radio telescope data.

It's very strange that this is on your computer without your knowledge. As I mentioned in an earlier post, it is not in its usual location. The Jotti's scans were clean so it looks as if those files are legitimate. We do not, however, know what they are being used for. So, let's get rid of it. :)

----------------------------------------------------------

Select the contents of the Code Box below, right-click and copy it, then paste into Notepad.

Code:
@echo off
rem stop the rogue service so its binary can be removed, then delete the service entry
sc stop windowsinstaller
sc delete windowsinstaller
rem remove this batch file itself (it is run from the Desktop, so the relative name resolves there)
del beynac.bat
exit

Still in Notepad, go to Format (upper menu bar) and untick Word Wrap
Go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: beynac.bat
Save as Type: All files
Click: Save
Exit out of Notepad.

On the Desktop, double-click on beynac.bat. A window will open and close - this is normal.

----------------------------------------------------------------

Run HijackThis and click Scan and then check (tick) the following, if present (don't worry if it's missing, but let me know):

O23 - Service: Installator Windows (windowsinstaller) - Space Sciences Laboratory - C:\WINDOWS\system32\1032\dll\svchost.exe

Close down all programs, browsers and other open windows. Make sure that only the above item is checked and then click on Fix checked.

---------------------------------------------------------------

Boot to Safe Mode.

You will need to reboot your computer into Safe Mode for the next steps. It would be a good idea for you to print these instructions, as you will not have access to the internet.

Important: If you have an always on connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode. I suggest that you print out these instructions.
  • Restart your computer.
  • Continually tap the F8 button as your computer is booting (a menu appears).
  • Use the up-arrow key to select Safe Mode and press Enter.
------------------------------------------------

Click on Start then My Computer, find the following folder (highlighted in red) and delete it. Please let me know if you can't find it.

C:\WINDOWS\system32\1032\ <-- delete the whole folder.

---------------------------------------------------------------

Reboot the computer normally and then post a new HijackThis log.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England
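The item beynac singled out above is a copy of svchost.exe running as a service from C:\WINDOWS\system32\1032\dll\ rather than from System32 itself, registered under a display name ("Installator Windows") that imitates the real Windows Installer service. The script below is an added example for this thread, not a tool used by the forum or part of HijackThis: it reads HijackThis-style "Running processes" and O23 lines and flags any core Windows binary name (svchost.exe, lsass.exe, winlogon.exe and so on) whose directory is not one of the expected system directories. The sample log is constructed from entries quoted in this thread; the list of protected binary names and system directories is an assumption chosen for the example.

```python
"""Triage a HijackThis-style log for core Windows binaries running from
unexpected directories (added example; not part of HijackThis)."""
import re
from pathlib import PureWindowsPath

# Assumption for this example: these file names are only legitimate when
# they run from the Windows system directories listed in SYSTEM_DIRS.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "smss.exe", "csrss.exe", "spoolsv.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

# O23 line layout: "O23 - Service: <display name> - <vendor> - <path>"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.*?) - (?P<path>[A-Za-z]:\\.+)$")

# Constructed sample: lines copied from the thread plus legitimate ones for contrast.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\1032\dll\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: Installator Windows (windowsinstaller) - Space Sciences Laboratory - C:\WINDOWS\system32\1032\dll\svchost.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: DeskSiteCMA - - C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
""".splitlines()


def _misplaced_system_binary(path):
    """True if the file name is a core Windows binary but its directory is
    not one of the expected system directories (case-insensitive)."""
    p = PureWindowsPath(path)
    return (p.name.lower() in SYSTEM_BINARIES
            and str(p.parent).lower() not in SYSTEM_DIRS)


def suspicious_processes(lines):
    """Return running-process paths (lines starting with a drive letter)
    that are core Windows binaries living outside the system directories."""
    hits = []
    for line in lines:
        line = line.strip()
        if not re.match(r"^[A-Za-z]:\\", line):
            continue  # not a process path line
        if _misplaced_system_binary(line):
            hits.append(line)
    return hits


def suspicious_services(lines):
    """Return (display name, binary path) for O23 service entries whose
    binary is a core Windows binary outside the system directories."""
    hits = []
    for line in lines:
        m = O23_RE.match(line.strip())
        if m and _misplaced_system_binary(m.group("path")):
            hits.append((m.group("name"), m.group("path")))
    return hits


def triage(lines):
    """Summarise both checks for a log given as a list of lines."""
    return {"processes": suspicious_processes(lines),
            "services": suspicious_services(lines)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for path in report["processes"]:
        print("process from unexpected directory:", path)
    for name, path in report["services"]:
        print(f"service '{name}' runs a misplaced system binary:", path)
```

Both checks rely on the path, not on the vendor column: the thread shows that a legitimate service (avast!) can report "Unknown owner" and a malicious one can carry a plausible-looking vendor string, so the directory the binary actually lives in is the more reliable signal for this kind of masquerading. A path check of this sort is a triage aid only; the files still need to be examined (as beynac did with online scans) before deciding what they are.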

Unread postby FAZ » March 18th, 2007, 3:48 pm

Hi again, sorry it's taken me so long to reply, but with work and the kids I've had my work cut out.

I've got rid of that file (1032)

and here is the HijackThis file


Logfile of HijackThis v1.99.1
Scan saved at 19:39:20, on 18/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\paul farrell\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by118fd.bay118.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3514845415
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3523106859
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... 371420.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DeskSiteCMA - - C:\Program Files\DeskSite\binex\DeskSiteCMA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

I meant to ask: can I put, or should I put, the TeaTimer thing back on
(Spybot)?

Thanks
FAZ
Active Member
 
Posts: 14
Joined: March 6th, 2007, 9:03 pm
Location: MANCHESTER