Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Infected Hijack This Log - Help

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Infected Hijack This Log - Help

Unread postby Seal8 » June 28th, 2005, 7:13 pm

Just spent the day (7 hrs) helping a friend install and run several anti spam programs, zone alarm, AVG, update of XP2, XP2 security updates, etc. Found over 300 infections, etc and hopefully got rid of most of them. This is what I have left. I'm sure there are some problems here. She had Specific911 HiJack that I tried to get rid of through Spyware Doctor and also search through the registry and deleted 4-6 more entries.
Hopefully someone could analyze this HJT log for me and adivse of next steps.
Already have gone to tools to show all hidden files, etc.

This is her log:

Logfile of HijackThis v1.99.1
Scan saved at 2:57:53 PM, on 6/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Utilities\Malware Removal\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Sativa\Application Data\Mozilla\Profiles\default\ure45pxv.slt\prefs.js)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.h ... xdm79642US
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - Shdocvw.dll (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwe ... .0.0.8.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/ ... porter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.ap ... sSetup.exe
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 9971496046
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_ ... ofupld.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/se ... loader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Seal8
Active Member
 
Posts: 8
Joined: June 13th, 2005, 4:36 pm
Advertisement
Register to Remove

Unread postby dobhar » June 28th, 2005, 7:30 pm

Hi Seal8...

My name is dobhar and I will be looking over your log. Please give me some time to go look it over. I will post back as soon as possible.

If you have any questions post them back in this thread do not start another.

Thanks,
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby dobhar » June 29th, 2005, 1:26 am

Hi Sean8...

Let's get to it...
________________________________________

Please print out or copy these instructions\tutorials to Notepad as the internet will be unavailble to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
________________________________________

Step 1.
==========

- Download and install CCleaner (latest version is 1.20.118)
(NOTE: Do not run this program yet)

Step 2.
==========

We need to uninstall some programs using "Add or Remove Programs" in the Control Panel:
  1. Get into Control Panel.
  2. Double-click "Add or Remove Programs".
  3. Look in the Currently installed programs box for each program listed below and if it is there:
    1. Click on it to select it.
    2. Click Change (or Change/Remove) button.
    3. If you are prompted to confirm the removal of the program, click "Yes"
ViewPoint
My Search Bar
MyWay Speed Bar
My Web Search Bar
Fun Web Products Easy Installer
Smiley Central


(Note: Or anything looking similiar to the above)

Step 3.
==========

We first need to temporarily disable Microsoft Antispyware as it may interfer with our "Fixes"
- Open "Microsoft AntiSpyware"
- Click on "Options" then select "Settings"
- In left-hand window click on "Real-time Protection"
- Under "Startup Options" de-select\uncheck "Enable the Microsoft AntiSpyware Security Agents on startup (recommended)"
- Under "Real-time spyware threat protection" de-select\uncheck "Enable real-time spyware threat protection (recommended)"
- Click "Save button to save your changes
- Close Microsoft AntiSpyware
- Right-click on the "Microsoft AntiSpyware" icon on the taskbar
- Select "Shutdown Microsoft AntiSpyware"
- Click Yes at next window
(Note: After all of the fixes are complete it is very important that you enable Real-time Protection again)

Step 4.
==========

We also need to disable SpywareGuard as it also may interfer with our "Fixes"
- Open Spywareguard
- Click on Menu
- Click on File
- Exit
(Note: Don't forget to re-start SpywareGuard when your machine is clean)

Step 5.
==========

Reboot computer into "Safe Mode" Using the F8 method...
- Restart the computer
- As soon as the BIOS is loaded begin tapping the F8 key until the Boot Menu appears
- Use the arrow keys to select the Safe Mode menu item
- Press the Enter key
(Note: For additional help in booting into Safe Mode, see the following site here)

Step 6.
==========

We need to make sure all hidden files are showing...
- Open "My Computer"
- Click on "Tools" and from the drop down menu select "Folder Options"
- Select the "View" tab
- Under the "Hidden files and folders" heading SELECT "Show hidden files and folders"
- UNCHECK the "Hide file extensions for known types option"
- UNCHECK the "Hide protected operating system files (recommended) option"
- Click "Yes" to confirm
- Click "OK"

Step 7.
==========

- Close all Windows and Programs
- Start HijackThis...
- Select\check the following entries if still listed, Double-check to make sure that only these entries are checked...

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.h ... xdm79642US
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwe ... .0.0.8.cab


- Click the "Fix checked" button.

Step 8.
==========

Delete the following file(s) and folder(s) in BOLD only, if found (please do NOT try to find them by "search" because they will not show up that way)
C:\Program Files\Viewpoint <<<=Delete This Folder
C:\Program Files\AWS <<<=Delete This Folder
C:\Program Files\MySearch <<<=Delete This Folder

Step 9.
==========

We now need to cleanup all the Temp, Temorary Internet Files, Recycle Bin, etc...
- Start the CCleaner program I had you download earlier
- We are only going to work with the "Cleaner" section. Do not use the "Issues" section
- click on the Run Cleaner button in the lower right-hand corner
- After complete close program

Step 10.
==========

Download, install, setup, and run Ad-aware SE 1.06 and Spybot S&D 1.4 per the instructions found here
(Note: If you already have Ad-aware and Spybot install make sure they are updated, setup per instructions in link, and re run)

Step 11.
==========

Run these Online Virus\Trojan scans...Let them fix whatever they find
TrendMicro Housecall
BitDefender On-Line Virus Scan

Step 12.
==========

- Please post back a new fresh HijackThis log
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

HJT Instructions

Unread postby Seal8 » June 30th, 2005, 10:35 am

Thanks for your detailed HJT instructions. I will be talking with her at 10:00 AM and will follow your instructions. Hopefully can get you an updated HJT log later today or tomorrow.
Thanks very much for your help!
Seal8
Active Member
 
Posts: 8
Joined: June 13th, 2005, 4:36 pm

Unread postby Seal8 » June 30th, 2005, 10:39 pm

I've run all the spyware stuff and virus programs. This is the most recent HJT log

Logfile of HijackThis v1.99.1
Scan saved at 7:29:55 PM, on 6/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect
exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Utilities\Malware
Removal\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www
cox.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
N2 - Netscape 6: user_pref("browser.search.defaultengine",
engine://C%3A%5CProgram%20Files%5CNetsc ... lugins%5CS
Web_01.src"); (C:\Documents and Settings\Sativa\Application
Data\Mozilla\Profiles\default\ure45pxv.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program
Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection -
{4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program
Files\SpywareGuard\dlprotect.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} -
C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} -
C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll
NvStartup
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5
0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe
/c
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box -
C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5
0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -
C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
Shdocvw.dll (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} -
C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox
dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -
http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) -
http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.microsoft
com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119971496046
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) -
http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) -
http://www5.incredimail.com/contents/se ... loader.cab
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown
owner - C:\Program Files\Adobe\Photoshop Elements 3
0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect
(PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program
Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe<P><HR></P>No virus found in this incoming message.

In addition ran Ditdefender several times and ended up with this: Can't figure out how to get you this screen shot. In the mean time you can check this HJT out. Thanks very much!!
Seal8
Active Member
 
Posts: 8
Joined: June 13th, 2005, 4:36 pm

Dit Virus Scan

Unread postby Seal8 » June 30th, 2005, 11:34 pm

We ran the AVG virus scan and all is OK, and we ran the Trend Micros virus scan and all is OK. We have run the Dit.....virus scan several times and this is the final result and unable to fix:

C:\System Volume
Information\_restore{681AD0F2-0D47-41B9-8237-A8C74BD32DF4}\RP5\A0000384
EXE=>wise0008 Detected with...
C:\System Volume
Information\_restore{681AD0F2-0D47-41B9-8237-A8C74BD32DF4}\RP5\A0000384
EXE=>wise0008 Disinfection failed
C:\System Volume
Information\_restore{681AD0F2-0D47-41B9-8237-A8C74BD32DF4}\RP5\A0000384
EXE=>wise0008 Deleted
C:\System Volume Information\_restore{681AD0F2-0D47-41B9-8237-A8C74BD32DF4}\RP5\A0000384.EXE Update failed<P><HR></P>No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.323 / Virus Database: 267.8.8/35 - Release Date: 6/30/2005
Seal8
Active Member
 
Posts: 8
Joined: June 13th, 2005, 4:36 pm

Unread postby dobhar » July 3rd, 2005, 5:02 pm

Hi Seal8...

Your log is quite clean except for 1 or 2 minor issues...

- Close all Windows and Programs
- Start HijackThis...
- Select\check the following entries if still listed, Double-check to make sure that only these entries are checked...

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

If you did not set these restrictions, then also select these 2 entries and have HJT "Fix" them. If you did then leave them.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


- Click the "Fix checked" button.
______________________________________
C:\System Volume
Information\_restore{681AD0F2-0D47-41B9-8237-A8C74BD32DF4}\RP5\A0000384
EXE=>wise0008 Detected with...

Don't worry about these as Step #1 of my {ALL CLEAN} speech is to clean out your old restore points and that will fix that problem.

I've added my {ALL CLEAN} speech below as once your remove the entries above your log will be clean.
______________________________________


The last thing I need you to do is to reset your "Hidden files and folders". System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion...
- Open "My Computer".
- Click on "Tools" and from the drop down menu select "Folder Options".
- Select the "View" tab.
- Under the Hidden files and folders heading UNSELECT "Show Hidden files and folders".
- CHECK the "Hide protected operating system files (recommended) option".
- Click "Yes" to confirm.
- Click "OK".
______________________________________

Your log seems clean.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point. You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millenium System Restore or Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialize and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & their stand-alone antivirus programs:
    Virus, Spyware, and Malware Protection and Removal Resources

  4. Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly. For a tutorial on Firewalls and a listing of some available ones see the link below:
    Understanding and Using Firewalls

  6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  8. Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here:
    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  9. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial on installing & using this product can be found here:
    Using SpywareBlaster to protect your computer from Spyware and Malware

  10. Install IE-SPYAD - IE-SPYAD adds a list of sites and domains associated with advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer. A tutorial on installing & using IE-SPYAD can be found here:
    Using IE-Spyad to enhance your privacy and security

  11. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help. :D
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby ChrisRLG » July 24th, 2005, 6:49 pm

Glad we could be of assistance.

This topic is now closed. If you wish it
reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 37 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware