What about this Log


Unread postby vavserv » August 27th, 2007, 3:00 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:16 PM, on 8/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
d:\windows\tsi32\tsircusr.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\System32\mgabg.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\TSIRCSRV.EXE
D:\WINDOWS\System32\wdfmgr.exe
D:\WINDOWS\system32\fxssvc.exe
D:\WINDOWS\taskmgr.exe
D:\WINDOWS\System32\DeltTray.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
D:\Program Files\LapLink Gold\laplink.exe
D:\PROGRA~1\LAPLIN~1\LLSERV~1.EXE
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\ntvdm.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Outlook Express\msimn.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=D:\WINDOWS\taskmgr.exe,
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,d:\windows\tsi32\tsircusr.exe
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\windows\downloaded program files\googletoolbar3.dll
O2 - BHO: (no name) - {C5409798-47E6-412E-B1E6-0769BCE5B3E3} - D:\WINDOWS\system32\werwed.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\windows\downloaded program files\googletoolbar3.dll
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.0.5.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0899AC5C-9D0A-47A5-9C34-00A7275827D5}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B815E8F-E237-4F14-9244-116A2B946467}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{162DC8EC-039A-4FC2-A3E6-14859CF938F1}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{166C3614-C359-46E5-ADB4-8990CD2847F2}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A2F394A-8EF8-4107-BF7C-879BFF99AD23}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{457D5359-9095-4BB2-8A62-A4EFDEC93BB3}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{4FD6FF9B-189E-4974-968E-60F5A82D49A2}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4CE9B48-2DE2-41B1-B8A9-65EC6D652E38}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCA59659-269E-44B5-8448-6583851C79ED}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE1D1DAA-E6A5-40FC-8E3C-4EA8CC3E1516}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CS1\Services\Tcpip\..\{0899AC5C-9D0A-47A5-9C34-00A7275827D5}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - D:\WINDOWS\System32\mgabg.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: TSI Remote Control Service (TSIRCSRV) - LapLink, Inc. - D:\WINDOWS\System32\TSIRCSRV.EXE
O23 - Service: Windows Management Service - Unknown owner - D:\WINDOWS\System32\dmsnb.exe

--
End of file - 6982 bytes
vavserv
Active Member
 
Posts: 7
Joined: August 27th, 2007, 2:56 pm

Unread postby random/random » August 27th, 2007, 3:59 pm

  • Go to Start > My Computer
  • Go to Tools > Folder Options
  • Click on the View tab
  • Untick the following:
    • Hide extensions for known file types
    • Hide protected operating system files (Recommended)
  • You will get a message warning you about showing protected operating system files, click Yes
  • Make sure this option is selected:
    • Show hidden files and folders
  • Click Apply and then click OK
  • Some of our experts would like to examine the files you are infected with
  • Go to the upload page here
  • Click Browse
  • Find this file:
      C:\WINDOWS\taskmgr.exe
  • Select the file, then click Open
  • Click Send File

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/l ... areout.exe


Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt
random/random
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Unread postby vavserv » August 27th, 2007, 8:51 pm

Username "Tom" - 2007-08-27 20:43:33 [Fixwareout edited 2007/07/05]

»»»»»Prerun check
Service: "Windows Management Service" = D:\WINDOWS\System32\dmsnb.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.114.90 85.255.112.92" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{0899AC5C-9D0A-47A5-9C34-00A7275827D5}
"nameserver"="85.255.114.90,85.255.112.92" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{0B815E8F-E237-4F14-9244-116A2B946467}
"nameserver"="85.255.114.90,85.255.112.92" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{162DC8EC-039A-4FC2-A3E6-14859CF938F1}
"nameserver"="85.255.114.90,85.255.112.92" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{166C3614-C359-46E5-ADB4-8990CD2847F2}
"nameserver"="85.255.114.90,85.255.112.92" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{1A2F394A-8EF8-4107-BF7C-879BFF99AD23}
"nameserver"="85.255.114.90,85.255.112.92" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{457D5359-9095-4BB2-8A62-A4EFDEC93BB3}
"nameserver"="85.255.114.90,85.255.112.92" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{4FD6FF9B-189E-4974-968E-60F5A82D49A2}
"nameserver"="85.255.114.90,85.255.112.92" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{A4CE9B48-2DE2-41B1-B8A9-65EC6D652E38}
"nameserver"="85.255.114.90,85.255.112.92" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{DCA59659-269E-44B5-8448-6583851C79ED}
"nameserver"="85.255.114.90,85.255.112.92" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{FE1D1DAA-E6A5-40FC-8E3C-4EA8CC3E1516}
"nameserver"="85.255.114.90,85.255.112.92" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{0899AC5C-9D0A-47A5-9C34-00A7275827D5}
"DhcpNameServer"="85.255.114.90,85.255.112.92" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{162DC8EC-039A-4FC2-A3E6-14859CF938F1}
"DhcpNameServer"="85.255.114.90,85.255.112.92" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{1A2F394A-8EF8-4107-BF7C-879BFF99AD23}
"DhcpNameServer"="85.255.114.90,85.255.112.92" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{457D5359-9095-4BB2-8A62-A4EFDEC93BB3}
"DhcpNameServer"="85.255.114.90,85.255.112.92" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{4FD6FF9B-189E-4974-968E-60F5A82D49A2}
"DhcpNameServer"="85.255.114.90,85.255.112.92" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{A4CE9B48-2DE2-41B1-B8A9-65EC6D652E38}
"DhcpNameServer"="85.255.114.90,85.255.112.92" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{DCA59659-269E-44B5-8448-6583851C79ED}
"DhcpNameServer"="85.255.114.90,85.255.112.92" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{FE1D1DAA-E6A5-40FC-8E3C-4EA8CC3E1516}
"DhcpNameServer"="85.255.114.90,85.255.112.92" <Value cleared.

Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}A2EA1A7D32DC-CCA8-FB44-7793-EF1A7EFA{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}E0E9B46A5611-692A-78A4-BEC1-76772AA2{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "qkimd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}9BFF5828C9BB-A99A-59E4-AED7-E063D635{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}785571704BF0-2F69-BCB4-33BF-98B0971B{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}FED46F348A02-DB7A-6164-DB11-86744847{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}E33E3F027177-1299-65D4-4849-98A2AE09{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}1BF7E9AD1B9F-3AB8-F814-FF24-38AC50D8{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "bnsmd" Deleted
....
»»»»» Misc files.
D:\WINDOWS\system32\{B1790B89-FB33-4BCB-96F2-0FB407175587}.exe Deleted
D:\WINDOWS\system32\{74844768-11BD-4616-A7BD-20A843F64DEF}.exe Deleted
D:\WINDOWS\system32\{90EA2A89-9484-4D56-9921-771720F3E33E}.exe Deleted
D:\WINDOWS\system32\{8D05CA83-42FF-418F-8BA3-F9B1DA9E7FB1}.exe Deleted
D:\WINDOWS\System32\kernel32.exe Deleted
....
»»»»» Checking for older varients.
....
»»»»» Other
D:\WINDOWS\TEMP\dmsnb.ren 63069 08/29/2002

»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"NeroFilterCheck"="D:\\WINDOWS\\system32\\NeroCheck.exe"
"DeltTray"="DeltTray.exe"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"ISUSPM Startup"="D:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="\"D:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
vavserv
Active Member
 
Posts: 7
Joined: August 27th, 2007, 2:56 pm

Unread postby vavserv » August 27th, 2007, 8:54 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:14 PM, on 8/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\System32\mgabg.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\TSIRCSRV.EXE
D:\WINDOWS\system32\fxssvc.exe
d:\windows\tsi32\tsircusr.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\taskmgr.exe
D:\WINDOWS\System32\DeltTray.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=D:\WINDOWS\taskmgr.exe,
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,d:\windows\tsi32\tsircusr.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:

\windows\downloaded program files\googletoolbar3.dll
O2 - BHO: (no name) - {C5409798-47E6-412E-B1E6-0769BCE5B3E3} - D:\WINDOWS\system32\werwed.

dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.

ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\windows\downloaded

program files\googletoolbar3.dll
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -

startup
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager

.exe" AcRdB7_0_8 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User

'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User

'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User

'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User

'Default user')
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program

Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0

\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32

\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:

\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.

tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.0.5.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/

installer/install.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program

Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1

\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1

\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1

\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program

Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program

Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - D:\WINDOWS\System32\mgabg.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program

Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program

Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: TSI Remote Control Service (TSIRCSRV) - LapLink, Inc. - D:\WINDOWS\System32

\TSIRCSRV.EXE

--
End of file - 4986 bytes
vavserv
Active Member
 
Posts: 7
Joined: August 27th, 2007, 2:56 pm

Unread postby random/random » August 28th, 2007, 5:05 am

  • You have word wrap turned on; this is making your logs difficult to read
  • Run notepad
  • Go to Format and untick Word Wrap


Then post a new HijackThis log
random/random
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Unread postby vavserv » August 28th, 2007, 8:47 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:14 PM, on 8/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\System32\mgabg.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\TSIRCSRV.EXE
D:\WINDOWS\system32\fxssvc.exe
d:\windows\tsi32\tsircusr.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\taskmgr.exe
D:\WINDOWS\System32\DeltTray.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=D:\WINDOWS\taskmgr.exe,
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,d:\windows\tsi32\tsircusr.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\windows\downloaded program files\googletoolbar3.dll
O2 - BHO: (no name) - {C5409798-47E6-412E-B1E6-0769BCE5B3E3} - D:\WINDOWS\system32\werwed.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\windows\downloaded program files\googletoolbar3.dll
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.0.5.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - D:\WINDOWS\System32\mgabg.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: TSI Remote Control Service (TSIRCSRV) - LapLink, Inc. - D:\WINDOWS\System32\TSIRCSRV.EXE

--
End of file - 4986 bytes
vavserv
Active Member
 
Posts: 7
Joined: August 27th, 2007, 2:56 pm

Unread postby random/random » August 28th, 2007, 2:55 pm

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines (if still present)

R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=D:\WINDOWS\taskmgr.exe,
O2 - BHO: (no name) - {C5409798-47E6-412E-B1E6-0769BCE5B3E3} - D:\WINDOWS\system32\werwed.dll

Then close all windows except HijackThis and click Fix Checked

Restart

Use windows explorer to find and delete these files:

D:\WINDOWS\taskmgr.exe
D:\WINDOWS\system32\werwed.dll

As an example:
To delete C:\WINDOWS\system32\filetogo.bye
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on filetogo.bye and from the menu that appears, click on 'Delete'


Go here to run an online scanner from Kaspersky.
  • Note: You will need to use Internet Explorer for this scan
  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. After reading the contents, press "Accept".
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next" > "Scan Settings", make sure the database is set to "extended", check both scan options, then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log as "KAV.txt" to the desktop.


Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Post back with the Kaspersky log, a new HijackThis log & a description of any remaining problems

Also, please let me know why you installed the google toolbar to d:\windows\downloaded program files
random/random
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm
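The HijackThis lines the helper singles out above (the win.ini load= entry, the unnamed BHO, and the O17 NameServer values that the Fixwareout report cleared) can be picked out mechanically. The triage script below is an added example, not part of the thread or of HijackThis; it runs over lines copied from the log posted above, and the "expected UserInit program" and the rogue-resolver set are its own assumptions taken from this thread.

```python
import re
from dataclasses import dataclass

# Resolver addresses that the Fixwareout report in this thread cleared from every
# Tcpip interface key; any O17 line pointing at them is treated as the DNS hijack.
HIJACKED_RESOLVERS = {"85.255.114.90", "85.255.112.92"}

# Assumption: userinit.exe is the only program expected in the UserInit value;
# anything appended after it (here LapLink's tsircusr.exe, which the helper did
# not flag) is listed for manual verification, not declared malicious.
EXPECTED_USERINIT = "userinit.exe"

# Constructed sample: lines copied from the HijackThis log posted above, mixed
# with benign entries so the filter has something to let through.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=D:\WINDOWS\taskmgr.exe,
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,d:\windows\tsi32\tsircusr.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C5409798-47E6-412E-B1E6-0769BCE5B3E3} - D:\WINDOWS\system32\werwed.dll
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0899AC5C-9D0A-47A5-9C34-00A7275827D5}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
O23 - Service: MGABGEXE - Matrox Graphics Inc. - D:\WINDOWS\System32\mgabg.exe
O23 - Service: Windows Management Service - Unknown owner - D:\WINDOWS\System32\dmsnb.exe
"""

LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O17"
    reason: str    # why the line deserves a look
    line: str      # the original log line


def parse_line(line):
    """Split a HijackThis entry into (section, body); None for headers and process paths."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def rogue_nameservers(body):
    """Return the resolver addresses in an O17 body that fall in the hijack set."""
    m = re.search(r"NameServer\s*=\s*(.+)$", body)
    if not m:
        return set()
    # HijackThis prints per-interface values comma-separated and the global
    # Parameters value space-separated, so split on either.
    servers = set(re.split(r"[,\s]+", m.group(1).strip()))
    return servers & HIJACKED_RESOLVERS


def triage(log_text):
    """Flag the entry types that the helper in this thread told the user to fix."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        if section == "O17":
            bad = rogue_nameservers(body)
            if bad:
                findings.append(Finding(section, "NameServer set to hijacked resolver(s): "
                                        + ", ".join(sorted(bad)), raw))
        elif section == "F3" and "load=" in body:
            # win.ini load= is a legacy autostart that normal XP software does not use.
            findings.append(Finding(section, "win.ini load= autostart", raw))
        elif section == "F2" and "UserInit=" in body:
            progs = [p.strip() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
            extra = [p for p in progs if not p.lower().endswith(EXPECTED_USERINIT)]
            if extra:
                findings.append(Finding(section, "extra UserInit program(s) to verify: "
                                        + ", ".join(extra), raw))
        elif section == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding(section, "browser helper object with no name", raw))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(Finding(section, "service with unknown owner", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it reports six lines: the F3 load= entry, the F2 UserInit extra, the unnamed BHO, both O17 resolver lines and the unknown-owner service, while the Adobe BHO, the Matrox service and the Run entries pass through.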

Unread postby vavserv » August 29th, 2007, 7:52 am

KASPERSKY ONLINE SCANNER REPORT
Wednesday, August 29, 2007 7:32:13 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 29/08/2007
Kaspersky Anti-Virus database records: 395406


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics
Total number of scanned objects 103976
Number of viruses found 7
Number of infected objects 15
Number of suspicious objects 0
Duration of the scan process 01:52:40

Infected Object Name  Virus Name  Last Action
D:\WINDOWS\system32\config\system.LOG Object is locked skipped
D:\WINDOWS\system32\config\software.LOG Object is locked skipped
D:\WINDOWS\system32\config\default.LOG Object is locked skipped
D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\DEFAULT Object is locked skipped
D:\WINDOWS\system32\config\SECURITY Object is locked skipped
D:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
D:\WINDOWS\system32\config\SYSTEM Object is locked skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\system32\h323log.txt Object is locked skipped
D:\WINDOWS\system32\werwea.exe Infected: Trojan.Win32.Kolweb.m skipped
D:\WINDOWS\system32\alriv.exe Infected: Trojan.Win32.DNSChanger.hd skipped
D:\WINDOWS\system32\werwed.exe Infected: Trojan.Win32.Kolweb.n skipped
D:\WINDOWS\system32\werwea_ingen.exe Infected: Trojan.Win32.Kolweb.m skipped
D:\WINDOWS\system32\werwec_ingen.exe Infected: Trojan.Win32.Kolweb.n skipped
D:\WINDOWS\system32\werwed_ingen.exe Infected: Trojan.Win32.Kolweb.n skipped
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\Debug\oakley.log Object is locked skipped
D:\WINDOWS\ModemLog_Standard 2400 bps Modem.txt Object is locked skipped
D:\WINDOWS\Sti_Trace.log Object is locked skipped
D:\WINDOWS\wiaservc.log Object is locked skipped
D:\WINDOWS\wiadebug.log Object is locked skipped
D:\WINDOWS\SchedLgU.Txt Object is locked skipped
D:\WINDOWS\werwec_ingen.exe Infected: Trojan.Win32.Kolweb.n skipped
D:\WINDOWS\werwed_ingen.exe Infected: Trojan.Win32.Kolweb.n skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped
D:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
D:\Documents and Settings\Tom\NTUSER.DAT.LOG Object is locked skipped
D:\Documents and Settings\Tom\Local Settings\Temp\~fd43563.tmp Infected: Trojan.Win32.Kolweb.n skipped
D:\Documents and Settings\Tom\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Tom\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Tom\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Tom\Local Settings\Application Data\Identities\{EC64A47F-F57D-4C31-88F2-CBED54E2833B}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
D:\Documents and Settings\Tom\Local Settings\Application Data\Identities\{EC64A47F-F57D-4C31-88F2-CBED54E2833B}\Microsoft\Outlook Express\cleanup.log Object is locked skipped
D:\Documents and Settings\Tom\Local Settings\Application Data\Identities\{EC64A47F-F57D-4C31-88F2-CBED54E2833B}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
D:\Documents and Settings\Tom\Local Settings\Application Data\Identities\{EC64A47F-F57D-4C31-88F2-CBED54E2833B}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
D:\Documents and Settings\Tom\My Documents\Downloads\Cliprexdsfree.exe/stream/data0010 Infected: not-a-virus:AdWare.Win32.NewDotNet.d skipped
D:\Documents and Settings\Tom\My Documents\Downloads\Cliprexdsfree.exe/stream/data0011 Infected: not-a-virus:AdWare.Win32.EZula.d skipped
D:\Documents and Settings\Tom\My Documents\Downloads\Cliprexdsfree.exe/stream/data0012 Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
D:\Documents and Settings\Tom\My Documents\Downloads\Cliprexdsfree.exe/stream/data0013 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
D:\Documents and Settings\Tom\My Documents\Downloads\Cliprexdsfree.exe/stream Infected: not-a-virus:AdWare.Win32.180Solutions skipped
D:\Documents and Settings\Tom\My Documents\Downloads\Cliprexdsfree.exe NSIS: infected - 5 skipped
D:\Documents and Settings\Tom\Cookies\index.dat Object is locked skipped

D:\Documents and Settings\Tom\ntuser.dat Object is locked skipped

Scan process completed.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:40 AM, on 8/29/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\System32\mgabg.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\TSIRCSRV.EXE
d:\windows\tsi32\tsircusr.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\fxssvc.exe
D:\WINDOWS\System32\DeltTray.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
D:\Program Files\Outlook Express\msimn.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,d:\windows\tsi32\tsircusr.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\windows\downloaded program files\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\windows\downloaded program files\googletoolbar3.dll
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.0.5.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - D:\WINDOWS\System32\mgabg.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: TSI Remote Control Service (TSIRCSRV) - LapLink, Inc. - D:\WINDOWS\System32\TSIRCSRV.EXE

--
End of file - 4330 bytes
vavserv
Active Member
 
Posts: 7
Joined: August 27th, 2007, 2:56 pm

Unread postby random/random » August 29th, 2007, 11:08 am

Use windows explorer to find and delete these files:

D:\WINDOWS\system32\werwea.exe
D:\WINDOWS\system32\alriv.exe
D:\WINDOWS\system32\werwed.exe
D:\WINDOWS\system32\werwea_ingen.exe
D:\WINDOWS\system32\werwec_ingen.exe
D:\WINDOWS\system32\werwed_ingen.exe
D:\WINDOWS\werwec_ingen.exe
D:\WINDOWS\werwed_ingen.exe
D:\Documents and Settings\Tom\Local Settings\Temp\~fd43563.tmp
D:\Documents and Settings\Tom\My Documents\Downloads\Cliprexdsfree.exe

As an example:
To delete C:\WINDOWS\system32\filetogo.bye
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on filetogo.bye and from the menu that appears, click on 'Delete'


AVG Anti-Spyware:

Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open. Do not run a scan yet.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).
Please set up the program as follows:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Do not automatically generate reports.
    • Under What to scan? - Select Scan every file.
Close all open windows.
  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button (*** This must be done before saving the report ***)
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.


Post back with the AVG antispyware log, a new HijackThis log & let me know how your PC is running now

Also, please answer this question from my previous post:

Also, please let me know why you installed the google toolbar to d:\windows\downloaded program files
random/random
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm
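The delete list above is what the helper extracted by hand from the Kaspersky Online Scanner report: the "Infected ... skipped" entries, minus the "Object is locked" noise, with archive/stream members such as `Cliprexdsfree.exe/stream/data0010` collapsed back to the file on disk. The Python below is an added example (not part of the thread and not a MalwareRemoval.com tool) that performs that extraction; its sample report is a constructed subset of the log lines quoted earlier in the thread.

```python
"""Turn Kaspersky Online Scanner report lines into a list of files to act on.

Added example: the line shapes and the regexes are inferred from the report
quoted in the thread (path, then verdict, then action), not from any
documented Kaspersky format.
"""
import re
from collections import OrderedDict

# Constructed sample: a subset of the report lines quoted above, keeping the
# blank lines and the trailer so the parser has to cope with them.
SAMPLE_REPORT = r"""
D:\WINDOWS\werwec_ingen.exe Infected: Trojan.Win32.Kolweb.n skipped

D:\WINDOWS\werwed_ingen.exe Infected: Trojan.Win32.Kolweb.n skipped

D:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped

D:\Documents and Settings\Tom\Local Settings\Temp\~fd43563.tmp Infected: Trojan.Win32.Kolweb.n skipped

D:\Documents and Settings\Tom\My Documents\Downloads\Cliprexdsfree.exe/stream/data0010 Infected: not-a-virus:AdWare.Win32.NewDotNet.d skipped

D:\Documents and Settings\Tom\My Documents\Downloads\Cliprexdsfree.exe/stream/data0011 Infected: not-a-virus:AdWare.Win32.EZula.d skipped

D:\Documents and Settings\Tom\My Documents\Downloads\Cliprexdsfree.exe/stream/data0012 Infected: not-a-virus:AdWare.Win32.MyWay.j skipped

D:\Documents and Settings\Tom\My Documents\Downloads\Cliprexdsfree.exe/stream/data0013 Infected: not-a-virus:AdWare.Win32.180Solutions skipped

D:\Documents and Settings\Tom\My Documents\Downloads\Cliprexdsfree.exe/stream Infected: not-a-virus:AdWare.Win32.180Solutions skipped

D:\Documents and Settings\Tom\My Documents\Downloads\Cliprexdsfree.exe NSIS: infected - 5 skipped

D:\Documents and Settings\Tom\ntuser.dat Object is locked skipped

Scan process completed.
"""

# One regex per line shape seen in the report. Paths contain spaces, so the
# path group is non-greedy and the fixed keyword after it anchors the split.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\w+)$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\w+): infected - (?P<count>\d+) (?P<action>\w+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\w+)$")


def container_path(obj_path):
    """Map a sub-object like 'X.exe/stream/data0010' back to the on-disk file 'X.exe'.

    Windows paths use backslashes, so the first forward slash marks where the
    scanner appended the archive/stream member name."""
    return obj_path.split("/", 1)[0]


def parse_report(text):
    """Return (findings, locked).

    findings: OrderedDict mapping each on-disk file to the distinct verdicts
              reported for it or for any of its sub-objects, in report order.
    locked:   files the scanner could not open (not findings, but worth noting).
    """
    findings = OrderedDict()
    locked = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = INFECTED_RE.match(line)
        if m:
            verdict = m["verdict"]
        else:
            m = ARCHIVE_RE.match(line)
            if m:
                # Container summary, e.g. "NSIS: infected - 5": records that the
                # installer holds 5 flagged members; it is not itself a verdict name.
                verdict = f"{m['kind']}: infected - {m['count']}"
            else:
                m = LOCKED_RE.match(line)
                if m:
                    locked.append(m["path"])
                continue  # status lines such as "Scan process completed." are ignored
        verdicts = findings.setdefault(container_path(m["path"]), [])
        if verdict not in verdicts:
            verdicts.append(verdict)
    return findings, locked


def files_to_delete(text):
    """Unique on-disk files with at least one detection, in report order."""
    findings, _ = parse_report(text)
    return list(findings)


def pua_only(verdicts):
    """True when every named verdict is a 'not-a-virus:' potentially unwanted
    program (container summaries are ignored), so a helper can tell adware-only
    downloads apart from files carrying a trojan verdict."""
    named = [v for v in verdicts if ": infected - " not in v]
    return bool(named) and all(v.startswith("not-a-virus:") for v in named)


if __name__ == "__main__":
    found, locked_files = parse_report(SAMPLE_REPORT)
    for path, verdicts in found.items():
        tag = "adware only" if pua_only(verdicts) else "malware"
        print(f"{tag:12} {path}  <- {', '.join(verdicts)}")
    print(f"{len(locked_files)} locked object(s) skipped by the scanner")
```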

Unread postby vavserv » August 29th, 2007, 1:44 pm

Quote:
Also, please let me know why you installed the google toolbar to d:\windows\downloaded program files

It just went there by default. (I don't think I had another choice) Should it be somewhere else?

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:43:08 PM 8/29/2007

+ Scan result:



D:\Documents and Settings\Tom\Cookies\tom@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\Tom\Cookies\tom@ford.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\Tom\Cookies\tom@pinnaclesystems.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@buycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@dealnews.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@projectorcom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@projectorpeople.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\Tom\Cookies\tom@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned.
C:\WINDOWS\Cookies\thomas bordner@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\WINDOWS\Cookies\thomas bordner@servedby.advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\WINDOWS\Cookies\thomas bordner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
D:\Documents and Settings\Tom\Cookies\tom@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\WINDOWS\Cookies\thomas bordner@bfast[2].txt -> TrackingCookie.Bfast : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@bfast[1].txt -> TrackingCookie.Bfast : Cleaned.
C:\WINDOWS\Cookies\thomas bordner@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.
D:\Documents and Settings\Tom\Cookies\tom@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
D:\Documents and Settings\Tom\Cookies\tom@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
D:\Documents and Settings\Tom\Cookies\tom@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
D:\Documents and Settings\Tom\Cookies\tom@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\WINDOWS\Cookies\thomas bordner@centrport[1].txt -> TrackingCookie.Centrport : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@dealtime[1].txt -> TrackingCookie.Dealtime : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@stat.dealtime[1].txt -> TrackingCookie.Dealtime : Cleaned.
C:\WINDOWS\Cookies\thomas bordner@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
D:\Documents and Settings\Tom\Cookies\tom@e-2dj6wjny-1kd5kc.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@e-2dj6walyalc5clo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@e-2dj6wfk4qpd5wfp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@e-2dj6wfkikgdjiao.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@e-2dj6wfkogoazedp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@e-2dj6wfkosgdjaco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@e-2dj6wfkougajmgp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@e-2dj6wfkykiajibo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@e-2dj6wflickc5kbq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@e-2dj6wgkiogdjekp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@e-2dj6whkiald5akp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@e-2dj6wjk4sicpgaq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@e-2dj6wjkoqldjmlp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@e-2dj6wjkoumc5skp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@e-2dj6wjkowjajcbo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@e-2dj6wjkykoajgdp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@e-2dj6wjloapcpobq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@e-2dj6wjloolazifp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@e-2dj6wjmyemcjkdq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@e-2dj6wjmygpdpchp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@e-2dj6wjny-1kdjkh.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@media.fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\WINDOWS\Cookies\thomas bordner@ehg-aol.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\WINDOWS\Cookies\thomas bordner@ehg-espn.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\WINDOWS\Cookies\thomas bordner@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\WINDOWS\Cookies\thomas bordner@hitbox[3].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\Tom\Cookies\tom@ehg-kasperskylab.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\Tom\Cookies\tom@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@ehg-bizjournals.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@ehg-newegg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@ehg-sharpelectronic.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@ehg-tigerdirect2.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@counter.hitslink[1].txt -> TrackingCookie.Hitslink : Cleaned.
C:\WINDOWS\Cookies\thomas bordner@hotlog[2].txt -> TrackingCookie.Hotlog : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@searchportal.information[1].txt -> TrackingCookie.Information : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@linksynergy[1].txt -> TrackingCookie.Linksynergy : Cleaned.
D:\Documents and Settings\Tom\Cookies\tom@search.live[1].txt -> TrackingCookie.Live : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\WINDOWS\Cookies\thomas bordner@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
D:\Documents and Settings\Tom\Cookies\tom@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
D:\Documents and Settings\Tom\Cookies\tom@auto.search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@overture[1].txt -> TrackingCookie.Overture : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\WINDOWS\Cookies\thomas bordner@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\WINDOWS\Cookies\thomas bordner@qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned.
C:\WINDOWS\Cookies\thomas bordner@www.qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned.
C:\WINDOWS\Cookies\thomas bordner@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
D:\Documents and Settings\Tom\Cookies\tom@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\WINDOWS\Cookies\thomas bordner@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\WINDOWS\Cookies\thomas bordner@ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\WINDOWS\Cookies\thomas bordner@spylog[2].txt -> TrackingCookie.Spylog : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
D:\Documents and Settings\Tom\Cookies\tom@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
D:\Documents and Settings\Tom\Cookies\tom@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\WINDOWS\Cookies\thomas bordner@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\WINDOWS\Cookies\thomas bordner@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
D:\Documents and Settings\Tom\Cookies\tom@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\WINDOWS\Cookies\thomas bordner@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned.
D:\Documents and Settings\Tom\Cookies\tom@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\WINDOWS\Cookies\thomas bordner@x10[1].txt -> TrackingCookie.X10 : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
D:\Documents and Settings\Tom\Cookies\tom@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
D:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
D:\RECYCLED\Dd9.exe -> Trojan.DNSChanger.hd : Cleaned with backup (quarantined).
D:\RECYCLED\Dd10.exe -> Trojan.Kolweb.m : Cleaned with backup (quarantined).
D:\RECYCLED\Dd7.exe -> Trojan.Kolweb.m : Cleaned with backup (quarantined).
D:\RECYCLED\Dd8.dll -> Trojan.Kolweb.m : Cleaned with backup (quarantined).
C:\My Documents\The WinDOwS Tricks - Part 16.htm -> Worm.Loding : Cleaned with backup (quarantined).


::Report end


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:49 PM, on 8/29/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\System32\mgabg.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\TSIRCSRV.EXE
d:\windows\tsi32\tsircusr.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\fxssvc.exe
D:\WINDOWS\System32\DeltTray.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Outlook Express\msimn.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,d:\windows\tsi32\tsircusr.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\windows\downloaded program files\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\windows\downloaded program files\googletoolbar3.dll
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.0.5.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - D:\WINDOWS\System32\mgabg.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: TSI Remote Control Service (TSIRCSRV) - LapLink, Inc. - D:\WINDOWS\System32\TSIRCSRV.EXE

--
End of file - 4715 bytes
vavserv
Active Member
 
Posts: 7
Joined: August 27th, 2007, 2:56 pm

Unread postby random/random » August 30th, 2007, 1:06 pm

Quote:
Also, please let me know why you installed the google toolbar to d:\windows\downloaded program files

It just went there by default. (I don't think I had another choice) Should it be somewhere else?


It's ok to be there, I just had to be sure it wasn't malware pretending to be the google toolbar

You can delete the fixwareout you downloaded and the C:\fixwareout\ folder

You now appear to be clean. Congratulations!

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints. You need to be registered to post, as unfortunately we were hit with too many spam postings to allow guest posting to continue. Just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
    • Turn System Restore off
      • On the Desktop, right click on the My Computer icon.
      • Click Properties.
      • Click the System Restore tab.
      • Check Turn off System Restore.
      • Click Apply, and then click OK.
      • Restart
    • Turn System Restore on
      • On the Desktop, right click on the My Computer icon.
      • Click Properties.
      • Click the System Restore tab.
      • Uncheck Turn off System Restore.
      • Click Apply, and then click OK.
    Note: only do this once, and not on a regular basis
  1. Make sure that you keep your antivirus program updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  2. Install and use a firewall with outbound protection
    While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers.
    I therefore strongly recommend that you install one of the following free firewalls: Comodo Firewall or Zonealarm
    See Bleepingcomputer's excellent tutorial to help you use and understand a firewall here
    Note: You should only have one firewall installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
  3. Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it, so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will therefore help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install
  4. Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month
  5. Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  6. Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here
    You can download SpywareBlaster from here
  7. Install and use Spybot Search & Destroy
    Instructions are located here
    Make sure you update, reimmunize & scan regularly
  8. Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of Windows includes a hosts file. A hosts file is a bit like a phone book: it points from the human-friendly name of a website to its actual numeric address (i.e. the IP address). This feature can be used to block malicious websites
    Spybot Search & Destroy has a good HOSTS file built in. To enable the HOSTS file in Spybot Search & Destroy:
    • Run Spybot Search & Destroy
    • Click on Mode, and then place a tick next to Advanced mode
    • Click Yes
    • In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
    • Click on Add Spybot-S&D hosts list
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here
  9. Install a-squared Free & update and scan with it regularly
    a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer which provides some real time protection against premium rate dialers
  10. Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date
random/random
Developer
Posts: 7731
Joined: December 18th, 2005, 3:30 pm
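The HOSTS file section in the post above describes how Windows consults the HOSTS file before DNS and how a blocklist-style HOSTS file uses that to point known bad sites at the local machine. The following is an added Python example, not part of random/random's post and not code from Spybot Search & Destroy or HijackThis; it parses a constructed sample HOSTS file, reports which names are sinkholed to the local machine, and flags entries that instead point a name at a remote address (the kind of redirection HijackThis lists as an O1 entry). All host names and addresses in the sample are made up for illustration.

```python
"""Parse a Windows HOSTS file and classify its entries.

Added example: shows how a HOSTS file maps names to addresses, how a
blocklist entry "sinkholes" a name to the local PC so the connection never
leaves the machine, and how to spot entries that redirect a name to a
remote address instead. The sample HOSTS content below is constructed.
"""
import ipaddress

# Addresses that mean "block": traffic to the name stays on the local PC.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample HOSTS file (not a real file from any PC).
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed for this example)
127.0.0.1       localhost
# Blocklist-style entries: names sinkholed to the local machine
127.0.0.1       ads.example.net  tracker.example.net   # ad/tracking hosts
0.0.0.0         malware-download.example.org
# Suspicious: a name pointed at a remote address instead of the local PC
203.0.113.7     www.windowsupdate.example.com
"""


def parse_hosts(text):
    """Return a dict mapping lowercase hostname -> address.

    '#' starts a comment; each data line is an address followed by one or
    more names. The first entry for a name wins, as the resolver takes the
    first match it finds.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: address with no names, skip it
        address, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # first field is not an IP address, skip the line
        for name in names:
            mapping.setdefault(name.lower(), address)
    return mapping


def lookup(mapping, hostname):
    """Simulate the resolver: a HOSTS entry wins over DNS; None means 'ask DNS'."""
    return mapping.get(hostname.lower())


def is_blocked(mapping, hostname):
    """True when the HOSTS file sinkholes the name to the local machine."""
    return lookup(mapping, hostname) in SINKHOLE_ADDRESSES


def suspicious_redirects(mapping):
    """Return entries that point a name somewhere other than the local PC.

    A legitimate blocklist only ever maps names to a loopback or unspecified
    address, so any other destination deserves a closer look.
    """
    flagged = {}
    for name, address in mapping.items():
        ip = ipaddress.ip_address(address)
        if ip.is_loopback or ip.is_unspecified:
            continue
        flagged[name] = address
    return flagged


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.net", "www.windowsupdate.example.com", "example.com"):
        print(f"{name}: hosts entry={lookup(hosts, name)} blocked={is_blocked(hosts, name)}")
    print("suspicious redirects:", suspicious_redirects(hosts))
```

Running the script against a real `%SystemRoot%\system32\drivers\etc\hosts` only requires reading that file into `parse_hosts` in place of the sample; a long list of sinkholed names is what a blocklist looks like, while a short list of names redirected to remote addresses is the pattern to investigate.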

Unread postby vavserv » August 30th, 2007, 7:48 pm

Thank you for all your help. I have several PCs on the "net", and have learned much about keeping them clean and safe from infection.

I will share this information with all who need help and add my voice to the chorus of complaints.
vavserv
Active Member
Posts: 7
Joined: August 27th, 2007, 2:56 pm

Unread postby random/random » August 31st, 2007, 7:01 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
random/random
Developer
Posts: 7731
Joined: December 18th, 2005, 3:30 pm