hijackthis.log

Post by smiggy » September 12th, 2007, 3:17 pm

Hey, I'm new here. I'm not experiencing any major problems that I can see, but someone better could take a look.

I'm using ZoneAlarm and AVG. The only problems I have are that the computer takes ages to log in to my account (about 15 mins) and the internet takes a good 5 mins to load up after clicking it.

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:15:26, on 12/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\owner 2\Application Data\SopCast\adv\SopAdver.exe
C:\Documents and Settings\owner 2\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\owner 2\Local Settings\Temp\{E866FDA1-C08F-4A82-99EC-9089EBEAF197}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Startup: RollerCoaster Tycoon 3_ Wild Registration.lnk = C:\Documents and Settings\owner 2\Local Settings\Temp\{9E665785-D1C1-4F14-994B-88060765C736}\{45653847-497F-47BB-A878-46FBDE34A3E0}\ATR1.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/active ... rdtinf.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8494 bytes

thank you!
smiggy
Active Member
 
Posts: 8
Joined: September 12th, 2007, 2:55 pm

Post by Scotty » September 12th, 2007, 3:58 pm

Hi! Welcome to the MWR forums.
I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.
Please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.


Please be patient, as my posts to you have to be checked before I reply, so they may take longer.

Please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in a reply.

Rename HijackThis
There is a possibility of an infection which is hiding part of the HijackThis log because the program is called hijackthis.exe.
Please rename hijackthis.exe to hello.exe

Now scan again and post a new log, please.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Post by smiggy » September 12th, 2007, 4:19 pm

OK, first list here:

Ad-Aware 2007
Adobe Acrobat 4.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0
Adobe Shockwave Player
Adobe Stock Photos 1.0
AppCore
Apple Software Update
AV
AVG Anti-Spyware 7.5
Azureus Vuze
Bluetooth Stack for Windows by Sitecom Europe
Brother MFL-Pro Suite
ccCommon
ConvertXtoDVD 2.1.14.223
Digimax Master
Digimax S800
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Driving Test Complete
HijackThis 2.0.2
Indeo® Software
Intel(R) 82845G Graphics Driver Software
InterActual Player
Internet Worm Protection
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 2
Java(TM) SE Runtime Environment 6 Update 1
K-Lite Mega Codec Pack 1.70
LiveUpdate 3.1 (Symantec Corporation)
MagicDisc 2.5.74
MagicISO v5.3.0.229
MailFrontier Desktop
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 2.0
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Internet Explorer Administration Kit 5
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Office XP Resource Kit
Microsoft Word 2002
Microsoft Works 2003 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Mozilla Firefox (2.0.0.6)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Nero 7 Ultra Edition
neroxml
Norton AntiVirus
Norton AntiVirus (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Protection Center
NVIDIA Drivers
PaperPort
PeerGuardian 2.0
PowerISO
RecordNow Update Manager
S3Gamma2
S3Info2
S3Overlay
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Shockwave
Sierra Utilities
Simple Installer - Multilanguage Version
Sony Ericsson PC Suite 1.20.237
SopCast 1.0.1
SPBBC 32bit
Spybot - Search & Destroy 1.4
Studio 8
StyleXP (remove only)
Symantec
Symantec Technical Support Web Controls
SymNet
Tetris
Ulead Photo Express 3.0 SE
Update for Windows XP (KB933360)
VideoLAN VLC media player 0.8.6b
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 2
WinPcap 4.0
WinRAR archiver
Yahoo! Install Manager
Yahoo! Toolbar
ZoneAlarm Security Suite

New log here:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:19:14, on 12/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\owner 2\Application Data\SopCast\adv\SopAdver.exe
C:\Documents and Settings\owner 2\Desktop\HiJackThis(2)\hello.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\owner 2\Local Settings\Temp\{E866FDA1-C08F-4A82-99EC-9089EBEAF197}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Startup: RollerCoaster Tycoon 3_ Wild Registration.lnk = C:\Documents and Settings\owner 2\Local Settings\Temp\{9E665785-D1C1-4F14-994B-88060765C736}\{45653847-497F-47BB-A878-46FBDE34A3E0}\ATR1.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/active ... rdtinf.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8503 bytes
smiggy
Active Member
 
Posts: 8
Joined: September 12th, 2007, 2:55 pm

Post by Scotty » September 15th, 2007, 5:38 am

P2P Warning!
Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.
Additional information on the safety of Peer to Peer programs themselves is here:
Clean/Infected P2P Programs

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):

    R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
    O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"

WITH ALL OTHER WINDOWS CLOSED, click on Fix Checked and exit HijackThis.

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      + Extended (if available, otherwise Standard)
    • Scan Options:
      + Scan Archives
      + Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan" select My Computer.
  • The scan will take a while, so be patient and let it run. Once the scan is complete it will display whether your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post with a new HijackThis log.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland
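The two entries Scotty singles out above share traits a helper checks first: a hook that points at a file which no longer exists, and a Run key belonging to known adware. As an added example (not a MalwareRemoval.com tool and not HijackThis's own code), this Python script parses lines in the log format shown above and applies those two checks, plus two generic ones that go beyond what the thread flags (a service with an unknown owner, and an autostart entry launching from a Temp folder). The sample input is copied from the log posted earlier in the thread; the regexes and flag names are this example's own.

```python
"""Triage helper for HijackThis (HJT) log entries: added example, not the forum's or HJT's own code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed input: entry lines copied from the HijackThis log posted earlier in this thread,
# plus three non-entry lines (header and process list) to show that the parser skips them.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\owner 2\Local Settings\Temp\{E866FDA1-C08F-4A82-99EC-9089EBEAF197}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnotes.com/download/mnviewer.cab
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HJT entry starts with a section code (R0-R3, F0-F3, N1-N4, O1 and up) followed by " - ".
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d+) - (.*)$")
# What an entry points at: a Windows path to a common executable type, a URL, or HJT's "(no file)".
TARGET_RE = re.compile(
    r'[A-Za-z]:\\[^"]+?\.(?:exe|dll|cab|scr|sys)\b|https?://\S+|\(no file\)', re.IGNORECASE)
# Run-key names the helper in this thread told the poster to fix; a real list would be far longer.
KNOWN_ADWARE_NAMES = {"whenusave"}
# Folders from which legitimate software rarely autostarts (compared case-insensitively).
SUSPECT_DIRS = ("\\temp\\", "\\application data\\")


@dataclass
class Entry:
    section: str                 # HJT section code such as R3, O4, O23
    body: str                    # text after the "O4 - " style prefix
    target: str                  # file, URL or "(no file)" the entry points at ("" if none)
    flags: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Return one Entry per R/F/N/O line; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        # Names precede paths in HJT output, so the last match is the real target.
        targets = [t.group(0) for t in TARGET_RE.finditer(body)]
        entries.append(Entry(section, body, targets[-1] if targets else ""))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach review flags to each entry; an empty flag list means nothing stood out."""
    for e in entries:
        low = e.body.lower()
        tgt = e.target.lower()
        if "(no file)" in tgt:
            e.flags.append("missing-file")         # orphaned hook/BHO: harmless but fixable
        if "(no name)" in low or "unknown owner" in low:
            e.flags.append("unidentified")         # no vendor or name to research
        if e.section == "O4":
            if any(d in tgt for d in SUSPECT_DIRS):
                e.flags.append("autostart-from-temp")  # programs rarely belong here
            name = re.search(r"\[([^\]]+)\]", e.body)  # the [Name] of a Run key
            if name and name.group(1).lower() in KNOWN_ADWARE_NAMES:
                e.flags.append("known-adware")
    return entries


def flagged(text: str) -> Dict[str, List[str]]:
    """Map each flagged entry line to its flags: the lines a helper would review first."""
    return {e.section + " - " + e.body: e.flags
            for e in triage(parse_log(text)) if e.flags}


if __name__ == "__main__":
    for line, flags in flagged(SAMPLE_LOG).items():
        print(", ".join(flags).ljust(30), line)
```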

Post by smiggy » September 16th, 2007, 9:01 am

Having problems with the Kaspersky online scan. When it tries to install the ActiveX it fails, saying the IE security needs to be on medium and I need administrative rights. I have both set and it's still not working?
smiggy
Active Member
 
Posts: 8
Joined: September 12th, 2007, 2:55 pm

Post by Scotty » September 16th, 2007, 3:16 pm

Hi smiggy

Download Superantispyware (SAS) free home version.

SAS Free

Install it and double-click the icon on your desktop to run it.
• It will ask if you want to update the program definitions, click Yes.
• Under Configuration and Preferences, click the Preferences button.
• Click the Scanning Control tab.
• Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
• On the main screen, under Scan for Harmful Software click Scan your computer.
• On the left check C:\Fixed Drive.
• On the right, under Complete Scan, choose Perform Complete Scan.
• Click Next to start the scan. Please be patient while it scans your computer.
• After the scan is complete a summary box will appear. Click OK.
• Make sure everything in the white box has a check next to it, then click Next.
• It will quarantine what it found and if it asks if you want to reboot, click Yes.
• To retrieve the removal information for me please do the following:
  • After reboot, double-click the SUPERAntispyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/Wordpad).
  • Please highlight everything in the notepad, then right-click and choose copy.
• Click close and close again to exit the program.
• Please paste that information here for me with a new HijackThis log.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Post by smiggy » September 18th, 2007, 1:12 pm

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/17/2007 at 02:39 AM

Application Version : 3.9.1008

Core Rules Database Version : 3307
Trace Rules Database Version: 1313

Scan type : Complete Scan
Total Scan Time : 05:50:31

Memory items scanned : 175
Memory threats detected : 0
Registry items scanned : 7434
Registry threats detected : 103
File items scanned : 167524
File threats detected : 178

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@ehg-hitent.hitbox[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ehg-sonypictures.hitbox[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ehg.hitbox[1].txt
C:\Documents and Settings\Owner\Cookies\owner@etype.adbureau[2].txt
C:\Documents and Settings\Owner\Cookies\owner@fastclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@focalex[2].txt
C:\Documents and Settings\Owner\Cookies\owner@fortunecity[2].txt
C:\Documents and Settings\Owner\Cookies\owner@gostats[2].txt
C:\Documents and Settings\Owner\Cookies\owner@hc2.humanclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@hg1.hitbox[2].txt
C:\Documents and Settings\Owner\Cookies\owner@hitbox[1].txt
C:\Documents and Settings\Owner\Cookies\owner@hotlog[2].txt
C:\Documents and Settings\Owner\Cookies\owner@mediamgr.ugo[1].txt
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[2].txt
C:\Documents and Settings\Owner\Cookies\owner@mediatrack.revenue[2].txt
C:\Documents and Settings\Owner\Cookies\owner@media[1].txt
C:\Documents and Settings\Owner\Cookies\owner@media[2].txt
C:\Documents and Settings\Owner\Cookies\owner@media[4].txt
C:\Documents and Settings\Owner\Cookies\owner@okcounter[1].txt
C:\Documents and Settings\Owner\Cookies\owner@overture[2].txt
C:\Documents and Settings\Owner\Cookies\owner@qksrv[2].txt
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt
C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@revenue[2].txt
C:\Documents and Settings\Owner\Cookies\owner@servedby.advertising[1].txt
C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[1].txt
C:\Documents and Settings\Owner\Cookies\owner@sexlist[1].txt
C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[1].txt
C:\Documents and Settings\Owner\Cookies\owner@tradedoubler[1].txt
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
C:\Documents and Settings\Owner\Cookies\owner@usertrack[1].txt
C:\Documents and Settings\Owner\Cookies\owner@valueclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@windowsmedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.adlogix[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.commission-junction[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.dgm2[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.qksrv[1].txt
C:\Documents and Settings\Owner\Cookies\owner@zedo[2].txt
C:\Documents and Settings\owner 2\Cookies\owner_2@adecn[2].txt
C:\Documents and Settings\owner 2\Cookies\owner_2@adrevenue[1].txt
C:\Documents and Settings\owner 2\Cookies\owner_2@flixbanner.imesh[2].txt
C:\Documents and Settings\owner 2\Cookies\owner_2@keywordmax[1].txt
C:\Documents and Settings\owner 2\Cookies\owner_2@netmediagroup[1].txt
C:\Documents and Settings\owner 2\Cookies\owner_2@toplist[1].txt
C:\Documents and Settings\owner 2\Cookies\owner_2@tracking.summitmedia.co[1].txt
C:\Documents and Settings\owner 2\Local Settings\Temp\Cookies\owner 2@surfaccuracy[2].txt

Spyware.WebSearch (WinTools/Huntbar)
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#DeviceDesc

Trojan.MalwareWipe
C:\Documents and Settings\owner 2\Start Menu\Programs\Malware-Wiped\Malware-Wiped 5.2 Website.lnk
C:\Documents and Settings\owner 2\Start Menu\Programs\Malware-Wiped\Malware-Wiped 5.2.lnk
C:\Documents and Settings\owner 2\Start Menu\Programs\Malware-Wiped\Uninstall Malware-Wiped 5.2.lnk
C:\Documents and Settings\owner 2\Start Menu\Programs\Malware-Wiped
C:\Documents and Settings\owner 2\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware-Wiped 5.2.lnk
C:\Documents and Settings\owner 2\Start Menu\Malware-Wiped 5.2.lnk

Adware.IST/ISTBar (Slotch Bar)
HKU\S-1-5-21-3456833437-288330390-3410507503-1012\Software\Microsoft\Internet Explorer\Main#BandRest [ Never ]

Trojan.Media-Codec
HKU\S-1-5-21-3456833437-288330390-3410507503-1012\Software\Internet Security

Adware.180solutions/Seekmo
HKCR\HostIE.Bho
HKCR\HostIE.Bho\CLSID
HKCR\HostIE.Bho\CurVer
HKCR\HostIE.Bho.1
HKCR\HostIE.Bho.1\CLSID
HKCR\TypeLib\{087C4054-0A2B-4F35-B0DB-BED3E21650F4}
HKCR\TypeLib\{087C4054-0A2B-4F35-B0DB-BED3E21650F4}\1.0
HKCR\TypeLib\{087C4054-0A2B-4F35-B0DB-BED3E21650F4}\1.0\0
HKCR\TypeLib\{087C4054-0A2B-4F35-B0DB-BED3E21650F4}\1.0\0\win32
HKCR\TypeLib\{087C4054-0A2B-4F35-B0DB-BED3E21650F4}\1.0\FLAGS
HKCR\TypeLib\{087C4054-0A2B-4F35-B0DB-BED3E21650F4}\1.0\HELPDIR
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\{93B0FA7B-50F6-41B4-AC7E-612A72CE8C3C}
HKU\S-1-5-21-3456833437-288330390-3410507503-1012\Software\Microsoft\Internet Explorer\Explorer Bars\{93B0FA7B-50F6-41B4-AC7E-612A72CE8C3C}

Adware.Zango Toolbar/Hb
HKCR\CoreSrv.CoreServices
HKCR\CoreSrv.CoreServices\CLSID
HKCR\CoreSrv.CoreServices\CurVer
HKCR\CoreSrv.CoreServices.1
HKCR\CoreSrv.CoreServices.1\CLSID
HKCR\CoreSrv.LfgAx
HKCR\CoreSrv.LfgAx\CLSID
HKCR\CoreSrv.LfgAx\CurVer
HKCR\CoreSrv.LfgAx.1
HKCR\CoreSrv.LfgAx.1\CLSID
HKCR\HBMain.CommBand
HKCR\HBMain.CommBand\CLSID
HKCR\HBMain.CommBand\CurVer
HKCR\HBMain.CommBand.1
HKCR\HBMain.CommBand.1\CLSID
HKCR\hbr.HbMain
HKCR\hbr.HbMain\CLSID
HKCR\hbr.HbMain\CurVer
HKCR\hbr.HbMain.1
HKCR\hbr.HbMain.1\CLSID
HKCR\CLSID\{BF1BF02C-5A86-4ECF-ADAC-472C54C4D21E}
HKCR\CLSID\{BF1BF02C-5A86-4ECF-ADAC-472C54C4D21E}\Implemented Categories
HKCR\CLSID\{BF1BF02C-5A86-4ECF-ADAC-472C54C4D21E}\Implemented Categories\{74ADCF99-79A1-44E1-B4F7-45611145D2D0}
HKCR\TypeLib\{229D2451-A617-4B30-B5E8-8138694240CB}
HKCR\TypeLib\{229D2451-A617-4B30-B5E8-8138694240CB}\1.0
HKCR\TypeLib\{229D2451-A617-4B30-B5E8-8138694240CB}\1.0\0
HKCR\TypeLib\{229D2451-A617-4B30-B5E8-8138694240CB}\1.0\0\win32
HKCR\TypeLib\{229D2451-A617-4B30-B5E8-8138694240CB}\1.0\FLAGS
HKCR\TypeLib\{229D2451-A617-4B30-B5E8-8138694240CB}\1.0\HELPDIR
HKCR\Interface\{00B77587-BE1B-4201-B8E9-09FCF50AB771}
HKCR\Interface\{00B77587-BE1B-4201-B8E9-09FCF50AB771}\ProxyStubClsid
HKCR\Interface\{00B77587-BE1B-4201-B8E9-09FCF50AB771}\ProxyStubClsid32
HKCR\Interface\{00B77587-BE1B-4201-B8E9-09FCF50AB771}\TypeLib
HKCR\Interface\{00B77587-BE1B-4201-B8E9-09FCF50AB771}\TypeLib#Version
HKCR\Interface\{2E623B96-B166-4C70-8169-820761794299}
HKCR\Interface\{2E623B96-B166-4C70-8169-820761794299}\ProxyStubClsid
HKCR\Interface\{2E623B96-B166-4C70-8169-820761794299}\ProxyStubClsid32
HKCR\Interface\{2E623B96-B166-4C70-8169-820761794299}\TypeLib
HKCR\Interface\{2E623B96-B166-4C70-8169-820761794299}\TypeLib#Version
HKCR\Interface\{4E8B851B-05B0-4BAF-B24D-D0DFE88DDED3}
HKCR\Interface\{4E8B851B-05B0-4BAF-B24D-D0DFE88DDED3}\ProxyStubClsid
HKCR\Interface\{4E8B851B-05B0-4BAF-B24D-D0DFE88DDED3}\ProxyStubClsid32
HKCR\Interface\{4E8B851B-05B0-4BAF-B24D-D0DFE88DDED3}\TypeLib
HKCR\Interface\{4E8B851B-05B0-4BAF-B24D-D0DFE88DDED3}\TypeLib#Version
HKCR\Interface\{5A4737A8-B92A-4E54-970E-C2891D98CE3F}
HKCR\Interface\{5A4737A8-B92A-4E54-970E-C2891D98CE3F}\ProxyStubClsid
HKCR\Interface\{5A4737A8-B92A-4E54-970E-C2891D98CE3F}\ProxyStubClsid32
HKCR\Interface\{5A4737A8-B92A-4E54-970E-C2891D98CE3F}\TypeLib
HKCR\Interface\{5A4737A8-B92A-4E54-970E-C2891D98CE3F}\TypeLib#Version
HKCR\Interface\{62B0B239-F9AC-4A5B-BFAE-62C7A23F7627}
HKCR\Interface\{62B0B239-F9AC-4A5B-BFAE-62C7A23F7627}\ProxyStubClsid
HKCR\Interface\{62B0B239-F9AC-4A5B-BFAE-62C7A23F7627}\ProxyStubClsid32
HKCR\Interface\{62B0B239-F9AC-4A5B-BFAE-62C7A23F7627}\TypeLib
HKCR\Interface\{62B0B239-F9AC-4A5B-BFAE-62C7A23F7627}\TypeLib#Version
HKCR\Interface\{726F0AB9-B842-4AE4-90C7-230E233E6A99}
HKCR\Interface\{726F0AB9-B842-4AE4-90C7-230E233E6A99}\ProxyStubClsid
HKCR\Interface\{726F0AB9-B842-4AE4-90C7-230E233E6A99}\ProxyStubClsid32
HKCR\Interface\{726F0AB9-B842-4AE4-90C7-230E233E6A99}\TypeLib
HKCR\Interface\{726F0AB9-B842-4AE4-90C7-230E233E6A99}\TypeLib#Version
HKCR\Interface\{ACE99E77-AA2A-43C2-8C9D-CAF2020FDF2B}
HKCR\Interface\{ACE99E77-AA2A-43C2-8C9D-CAF2020FDF2B}\ProxyStubClsid
HKCR\Interface\{ACE99E77-AA2A-43C2-8C9D-CAF2020FDF2B}\ProxyStubClsid32
HKCR\Interface\{ACE99E77-AA2A-43C2-8C9D-CAF2020FDF2B}\TypeLib
HKCR\Interface\{ACE99E77-AA2A-43C2-8C9D-CAF2020FDF2B}\TypeLib#Version
HKCR\Interface\{B9CC2B92-5611-453F-8381-8B6F72D9C0B8}
HKCR\Interface\{B9CC2B92-5611-453F-8381-8B6F72D9C0B8}\ProxyStubClsid
HKCR\Interface\{B9CC2B92-5611-453F-8381-8B6F72D9C0B8}\ProxyStubClsid32
HKCR\Interface\{B9CC2B92-5611-453F-8381-8B6F72D9C0B8}\TypeLib
HKCR\Interface\{B9CC2B92-5611-453F-8381-8B6F72D9C0B8}\TypeLib#Version
HKCR\Interface\{C4543E64-1498-410D-8E72-4744EEA99AB9}
HKCR\Interface\{C4543E64-1498-410D-8E72-4744EEA99AB9}\ProxyStubClsid
HKCR\Interface\{C4543E64-1498-410D-8E72-4744EEA99AB9}\ProxyStubClsid32
HKCR\Interface\{C4543E64-1498-410D-8E72-4744EEA99AB9}\TypeLib
HKCR\Interface\{C4543E64-1498-410D-8E72-4744EEA99AB9}\TypeLib#Version
HKCR\Interface\{E0FB1610-B25B-49F6-BE20-751B2F230E6F}
HKCR\Interface\{E0FB1610-B25B-49F6-BE20-751B2F230E6F}\ProxyStubClsid
HKCR\Interface\{E0FB1610-B25B-49F6-BE20-751B2F230E6F}\ProxyStubClsid32
HKCR\Interface\{E0FB1610-B25B-49F6-BE20-751B2F230E6F}\TypeLib
HKCR\Interface\{E0FB1610-B25B-49F6-BE20-751B2F230E6F}\TypeLib#Version
C:\Documents and Settings\owner 2\Application Data\Zango

Malware.PestCapture
C:\Program Files\PestCapture\PestCapture.lic
C:\Program Files\PestCapture\Uninstall.exe
C:\Program Files\PestCapture

Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\OWNER 2\FAVORITES\ONLINE SECURITY TEST.URL

Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\OWNER 2\LOCAL SETTINGS\TEMP\OSI216.TMP
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7182866A-7B67-4D45-9C1F-A24DD0248D4C}\RP842\A1234539.ICO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7182866A-7B67-4D45-9C1F-A24DD0248D4C}\RP842\A1234540.ICO

Adware.MovieLand/MediaPipe
C:\PROGRAM FILES\FSUPPORT\NOTIFIER.EXE

Adware.180solutions/ZangoSearch
C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS\NPCLNTAX_ZANGOSA.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7182866A-7B67-4D45-9C1F-A24DD0248D4C}\RP839\A1232517.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7182866A-7B67-4D45-9C1F-A24DD0248D4C}\RP839\A1232521.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7182866A-7B67-4D45-9C1F-A24DD0248D4C}\RP839\A1232522.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7182866A-7B67-4D45-9C1F-A24DD0248D4C}\RP839\A1232523.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7182866A-7B67-4D45-9C1F-A24DD0248D4C}\RP854\A1256393.EXE

Adware.WhenU
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7182866A-7B67-4D45-9C1F-A24DD0248D4C}\RP842\A1234536.EXE

RelevantKnowledge Spyware Component
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7182866A-7B67-4D45-9C1F-A24DD0248D4C}\RP842\A1234708.DLL

Adware.WildMedia/Midaddle
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7182866A-7B67-4D45-9C1F-A24DD0248D4C}\RP852\A1244235.EXE

Unclassified.Unknown Origin
C:\WINDOWS\SYSTEM32\EYUFYR.EXE


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:12:06, on 18/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\owner 2\Desktop\HiJackThis(2)\hello.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\owner 2\Local Settings\Temp\{E866FDA1-C08F-4A82-99EC-9089EBEAF197}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Startup: RollerCoaster Tycoon 3_ Wild Registration.lnk = C:\Documents and Settings\owner 2\Local Settings\Temp\{9E665785-D1C1-4F14-994B-88060765C736}\{45653847-497F-47BB-A878-46FBDE34A3E0}\ATR1.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/active ... rdtinf.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7782 bytes

Thank you for taking the time to have a look, btw.
smiggy
Active Member
 
Posts: 8
Joined: September 12th, 2007, 2:55 pm

Unread postby Scotty » September 18th, 2007, 2:17 pm

Hello

Download and Run SmitfraudFix
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Unread postby smiggy » September 18th, 2007, 2:34 pm

SmitFraudFix v2.225

Scan done at 19:29:36.25, 18/09/2007
Run from C:\Documents and Settings\owner 2\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32




»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\owner 2\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\OWNER2~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 194.168.4.100
DNS Server Search Order: 194.168.8.100

HKLM\SYSTEM\CCS\Services\Tcpip\..\{B011EB72-DEA7-40F9-A79D-A6737A1B9767}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B011EB72-DEA7-40F9-A79D-A6737A1B9767}: DhcpNameServer=194.168.8.100 194.168.4.100
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B011EB72-DEA7-40F9-A79D-A6737A1B9767}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B011EB72-DEA7-40F9-A79D-A6737A1B9767}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=194.168.8.100 194.168.4.100
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:33:47, on 18/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\owner 2\Desktop\HiJackThis(2)\hello.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\owner 2\Local Settings\Temp\{E866FDA1-C08F-4A82-99EC-9089EBEAF197}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Startup: RollerCoaster Tycoon 3_ Wild Registration.lnk = C:\Documents and Settings\owner 2\Local Settings\Temp\{9E665785-D1C1-4F14-994B-88060765C736}\{45653847-497F-47BB-A878-46FBDE34A3E0}\ATR1.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/active ... rdtinf.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7782 bytes
smiggy
Active Member
 
Posts: 8
Joined: September 12th, 2007, 2:55 pm

Unread postby Scotty » September 19th, 2007, 3:39 am

Hello smiggy

Can you describe any problems you are having? If any?
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Unread postby smiggy » September 19th, 2007, 2:08 pm

Just very, very slow to start up the computer, and if I have more than one program running the machine slows to a crawl. Other than that most seems fine.
smiggy
Active Member
 
Posts: 8
Joined: September 12th, 2007, 2:55 pm

Unread postby smiggy » September 19th, 2007, 3:42 pm

I couldn't find an edit button so I'll post again:

I think my computer may be slow because my RAM is 256 MB. When my computer was bought I was young and had no real interest in it, so it meant nothing to me then, but I think this may be causing the slowness. Thoughts? If it is, is there somewhere you can recommend where I can get an upgrade?

cheers
smiggy
Active Member
 
Posts: 8
Joined: September 12th, 2007, 2:55 pm

Unread postby Scotty » September 20th, 2007, 4:16 am

Morning smiggy

Low RAM is your problem. To run XP these days 512 MB is really a must, but 1 GB is much better. I don't know if you are comfortable adding RAM yourself. If you are, you should first run this scan from Crucial to determine the kind of memory you need.
http://www.crucial.com/systemscanner/

I buy my PC parts from here.
http://www.ebuyer.com/customer/home/index.html?rb=0&stid=1&

Alternatively, you may prefer to take it to a technician.

Also, in the recommended programs further down, I would suggest you install WinPatrol, which has numerous other features, including a Startup Programs manager that allows you to disable unnecessary programs that start with Windows.

Delete the Smitfraudfix folder from your Desktop.

I would advise updating Adobe Reader, as the latest version clears up any vulnerabilities of previous versions.
First uninstall the version you have on your computer, then download and install Adobe Reader 8.1.

This is my usual speech for when you are clean, which you appear to be.

Please follow these simple steps in order to keep your computer clean and secure:
Disable and Enable System Restore.

It's also a good idea to Flush your System Restore points after ridding yourself of malware:

  • Click Start | Help and Support | Undo changes to your computer with System Restore.
  • Click Create A Restore Point then click Next. Give it a name and then click Create, then Close.
  • Close the Help and Support Center box.
  • Click Start | Run and type Cleanmgr
  • Select (C: ) then click OK.
  • Click the More Options tab.
  • Click Clean Up in the System Restore Section.


This will remove all previous restore points except the newly created one.

Here are some free programs, I recommend.

Install Spyware Guard
Download it from here
Find the tutorial on how to use Spyware Guard here

Install SpyWare Blaster
Download it from here
Find the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here


Make sure your Windows is ALWAYS up to date!

An unpatched Windows is vulnerable and even with the "best" Antivirus and Firewall installed, malware will find its way through.
So visit http://windowsupdate.microsoft.com/ to download and install the latest updates.


Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"


Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Unread postby smiggy » September 20th, 2007, 5:10 pm

Thanks a lot, you've helped loads!
smiggy
Active Member
 
Posts: 8
Joined: September 12th, 2007, 2:55 pm

Unread postby Rogue » September 22nd, 2007, 3:41 pm

Glad we could be of assistance.

This topic is now closed. If you wish it
reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
Rogue
MRU Teacher Emeritus
 
Posts: 4782
Joined: November 3rd, 2005, 3:21 pm
Location: Salt Lake City, Utah