
Laptop infected with W32.Yalove.D


Unread postby sgpatel » October 1st, 2007, 7:23 pm

Hi,
I clicked on a link against a friend's name in Yahoo Messenger and I think my laptop got infected with W32.Yalove.D. My Symantec AntiVirus has Auto-Protect on and it said that the virus was quarantined. However, when I rebooted my computer it started Auto-Protect again and detected it again. Also, my Internet Explorer home page has changed to eyejuice.net and the button to change my home page is disabled. I also noticed that the Task Manager button is greyed out (disabled) when I hit Ctrl+Alt+Delete.
Can you help me remove this virus?
sgpatel
Regular Member
 
Posts: 19
Joined: March 16th, 2007, 2:55 pm

Unread postby km2357 » October 2nd, 2007, 2:21 pm

Hello and welcome to The Malware Removal Forum.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

Since I am still in training, I have to let experts check the content of my fixes before I post them so please be patient.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.


I will be back as soon as possible with your first instructions!


Step # 1: Download and Run HijackThis
Download HJTInstall.exe to your Desktop.

  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.

Don't use the Analyse This button; its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Step # 2: Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

[Image: HijackThis Uninstall Manager screen]

5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.

Step # 3: Post Logs

In your next post/reply, I'd like to see the following:

    1. HiJackThis Log
    2. Uninstall List


If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.
km2357
MRU Master
 
Posts: 3003
Joined: January 30th, 2007, 2:48 pm
Location: California

Hijackthis and unintall logs

Unread postby sgpatel » October 2nd, 2007, 3:21 pm

Thanks for the prompt reply. Please find the HijackThis and uninstall logs as you had instructed:
HijackThis log:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eyejuice.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.telecom.ptt.nl:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.oracle.com;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com"); (C:\Documents and Settings\SGPATEL\Application Data\Mozilla\Profiles\default\bwso0aey.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\SGPATEL\Application Data\Mozilla\Profiles\default\bwso0aey.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CheckDefrag] c:\windows\orclobi\ebi\CheckDefrag.exe
O4 - HKLM\..\Run: [SysReport_Schd] c:\windows\orclobi\ebi\SysReport_Schd.EXE
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\system\svchost.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {3D5E05C4-41B2-4EB5-A5EB-970EBD646B98} (ASEActiveXCtrl Class) - http://la0091.oracleads.com/OA_HTML/dow ... dddase.exe
O16 - DPF: {3DC04435-457B-4500-9580-41623BA1A51C} (Siebel Gantt Chart) - http://sdchs20n513.corp.siebel.com/ecom ... _Chart.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9271144874
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://wa4053.oracleads.com/jump/msrdp.cab
O16 - DPF: {A07F0AC9-D8AD-449A-BE90-668F5263B261} (Siebel High Interactivity Framework) - http://sdchs20n518.corp.siebel.com/CALL ... Client.cab
O16 - DPF: {ACE5BEC8-7177-41DB-8182-798547D9736F} (Siebel Callcenter Communications Toolbar) - http://sdchs20n513.corp.siebel.com/ecom ... oolbar.cab
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - http://adsweb.oracleads.com/download/jinit13121.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EDA83E4-5139-4BA4-AA86-E0617806454D}: Domain = oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA364B36-5817-4D4C-BB27-99D621B39260}: Domain = oracle.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = oracle.com,oraclecorp.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = oracle.com,oraclecorp.com
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation - C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: QOS MyDesktop (QOSMyDesktop) - Oracle - C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Protection Agent 5.1 (SmcService) - Symantec Corporation - c:\Program Files\Symantec\SPA\smc.exe
O23 - Service: Symantec NAC Service (SNAC) - Symantec Corporation - c:\Program Files\Symantec\SPA\snac.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10349 bytes

Uninstall Log:
Ableton Live v6.0.7
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop CS2
Adobe Reader 7.0
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
ASAPI Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG Anti-Spyware 7.5
BBE Sonic Maximizer 2.0 Full
Cisco Systems VPN Client 4.8.00.0440
Cisco VPN Client 4.8
C-Major Audio
Conexant D480 MDC V.9x Modem
DivX Codec
eFax Messenger 4.3
EMS Synth A VS VSTi v0.32
ffdshow
GTK+ Runtime 2.10.13 rev a (remove only)
Har-Bal v2.0
HijackThis 2.0.2
HyperSnap-DX 4.01.09
InspectorXL
Intel(R) PROSet/Wireless Software
InterVideo WinDVD
iTunes
J2SE Runtime Environment 5.0 Update 10
Java 2 Runtime Environment, SE v1.4.2_05
LinPlug FreeAlpha
LiveReg (Symantec Corporation)
LiveUpdate 3.1 (Symantec Corporation)
Macromedia Dreamweaver 8
Macromedia Extension Manager
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft Baseline Security Analyzer 1.2.1
Microsoft Office Professional Edition 2003
Microsoft Office Project Standard 2003
Microsoft Office Visio Professional 2003
mIWA
mIWCA
mLogView
mMHouse
Mozilla Firefox (1.0)
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB927978)
mToolkit
mWlsSafe
mXML
mZConfig
Native Instruments Battery 3
Native Instruments Massive
Nero 6 Ultra Edition
Netflix Movie Viewer
Netscape 7.1
Novation Bass-Station for Cubase SX3 VSTi v1.41
Novation V-Station for Cubase SX3 VSTi v1.41
O2Micro Smartcard Driver
Oracle 9iFS FileSync
Oracle Calendar
Oracle Instant Chat 3.2.1.2
Oracle JInitiator 1.3.1.21
Oracle Product Workbench
Oracle RTC Messenger
Oracle Web Conferencing Console
Picasa 2
Pidgin
Pricing Center 7.3
PrimoPDF
PrimoPDF Redistribution Package
PuTTY .56 with WinSCP3
Qarbon Viewlet Builder 4.0.4
QuickTime
RealOnePlayer
Reason 3.0.4
rgc:audio z3ta+ 1.5
Rhino 2.04
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Steinberg WaveLab 5.01b
Symantec AntiVirus
Symantec Antivirus 10.1.5
Symantec pcAnywhere
Symantec Protection Agent 5.1
Trilogy
TurboTax ItsDeductible 2006
TurboTax Premier Investments 2006
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
VideoLAN VLC media player 0.8.6c
Waves Diamond Bundle v5.2
WebEx
WexTech AnswerWorks
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip 9
x264 Revision 564 x264.nl (remove only)
Yahoo! Messenger
sgpatel
Regular Member
 
Posts: 19
Joined: March 16th, 2007, 2:55 pm

Unread postby km2357 » October 2nd, 2007, 7:40 pm

Hello.

I need to see the complete HJT log. The top part got cut off.

I need to see the Running Processes section and the header (the section above Running Processes:).

Thanks. :)
km2357
MRU Master
 
Posts: 3003
Joined: January 30th, 2007, 2:48 pm
Location: California

Oops-sorry i have posted the running processes section of th

Unread postby sgpatel » October 3rd, 2007, 1:12 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:18 PM, on 10/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
c:\Program Files\Symantec\SPA\smc.exe
c:\Program Files\Symantec\SPA\snac.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\windows\orclobi\ebi\CheckDefrag.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
D:\Program Files\Picasa2\PicasaMediaDetector.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\WINDOWS\system\svchost.exe
c:\Program Files\Symantec\SPA\SmcGui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Oracle Instant Chat\OIChat.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
sgpatel
Regular Member
 
Posts: 19
Joined: March 16th, 2007, 2:55 pm
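The check the helper is making by eye across the two logs above (autorun entries and running processes that carry a Windows system-binary name but point at an unexpected folder, such as the [Task Manager] entry for C:\WINDOWS\system\svchost.exe, plus the O6/O7 policy lines that restrict IE's Control Panel and regedit) can be scripted. The following is an added example, not code from this thread, from HijackThis or from SDFix; the EXPECTED_LOCATIONS table, the function names and the sample log are assumptions constructed for it:

```python
"""Triage helper for HijackThis-style logs.

Added example, not code from this thread, HijackThis or SDFix. It reads the
"Running processes" list, O4 autorun entries, O6/O7 policy entries and R0/R1
start-page entries, and flags executables that carry a well-known Windows
system file name but sit outside the directory Windows keeps them in.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Where each well-known system binary legitimately loads from on a default
# Windows XP install (lower-case). Assumption made for this example; extend it
# for the system under review.
EXPECTED_LOCATIONS = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# O4 entries look like:  O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" /arg
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<command>.+)$")
# Leading executable of a command line, quoted or unquoted
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    category: str  # "masquerade", "policy" or "review"
    source: str    # the log line that produced the finding
    detail: str


def check_location(path: str) -> Optional[str]:
    """Return why `path` is suspicious, or None if it is a known binary in its normal place."""
    directory, name = ntpath.split(path.strip().lower())
    expected = EXPECTED_LOCATIONS.get(name)
    if expected is not None and directory != expected:
        return f"{name} expected in {expected}, found in {directory or '<no directory>'}"
    return None


def triage_hijackthis_log(text: str) -> List[Finding]:
    """Walk a HijackThis log and collect the entries worth a second look."""
    findings: List[Finding] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:  # a blank line ends the process list
                in_processes = False
                continue
            reason = check_location(line)
            if reason:
                findings.append(Finding("masquerade", line, reason))
            continue
        o4 = O4_RE.match(line)
        if o4:
            exe = EXE_RE.match(o4.group("command"))
            reason = check_location(exe.group("path")) if exe else None
            if reason:
                findings.append(Finding("masquerade", line, f"autorun [{o4.group('name')}]: {reason}"))
            continue
        if line.startswith(("O6 - ", "O7 - ")):
            findings.append(Finding("policy", line, "user-restriction policy is set; confirm it was intended"))
            continue
        if line.startswith(("R0 - ", "R1 - ")) and "Start Page" in line:
            findings.append(Finding("review", line, "browser start page; confirm the user chose it"))
    return findings


# Constructed sample log in the page's format (a handful of lines modelled on the thread).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eyejuice.net/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\system\svchost.exe
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

if __name__ == "__main__":
    for f in triage_hijackthis_log(SAMPLE_LOG):
        print(f"{f.category:10} {f.detail}\n           {f.source}")
```

On the constructed log this yields five findings; the process-list hit and the [Task Manager] autorun hit both point at the same file, which is the kind of agreement between sections a helper looks for. A name match in the wrong folder is a lead, not a verdict, so each finding carries the original log line for a person to read rather than a removal decision.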

Unread postby km2357 » October 4th, 2007, 2:53 pm

Print out these instructions or save them into a notepad on your desktop, because you will not have internet access while in Safe Mode.

Step # 1: Download and Install SDFix
Download SDFix and save it to your Desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)


Step # 2: Boot into Safe Mode

You can go in Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.


Step # 3: Run SDFix

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.


Step # 4: Post Logs

In your next post/reply, I'd like to see the following:

    1. SDFix Report (C:\SDFix\Report.txt)
    2. A fresh HijackThis log


If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.
km2357
MRU Master
 
Posts: 3003
Joined: January 30th, 2007, 2:48 pm
Location: California

Unread postby km2357 » October 8th, 2007, 3:23 pm

Sgpatel?

Do you still need help? If any of my instructions are unclear, please let me know.
km2357
MRU Master
 
Posts: 3003
Joined: January 30th, 2007, 2:48 pm
Location: California

Fresh Hijack This log and sdfix report

Unread postby sgpatel » October 10th, 2007, 2:38 pm

Sorry, I was on vacation the past few days so I could not post. Yes, I still need help. I have followed your instructions and ran SDFix; here are the fresh HijackThis log and SDFix report.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:09 AM, on 10/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
c:\Program Files\Symantec\SPA\smc.exe
c:\Program Files\Symantec\SPA\snac.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
c:\Program Files\Symantec\SPA\SmcGui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\windows\orclobi\ebi\CheckDefrag.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.telecom.ptt.nl:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.oracle.com;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://ebizsrv.us.oracle.com"); (C:\Documents and Settings\SGPATEL\Application Data\Mozilla\Profiles\default\bwso0aey.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\SGPATEL\Application Data\Mozilla\Profiles\default\bwso0aey.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CheckDefrag] c:\windows\orclobi\ebi\CheckDefrag.exe
O4 - HKLM\..\Run: [SysReport_Schd] c:\windows\orclobi\ebi\SysReport_Schd.EXE
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {3D5E05C4-41B2-4EB5-A5EB-970EBD646B98} (ASEActiveXCtrl Class) - http://la0091.oracleads.com/OA_HTML/dow ... dddase.exe
O16 - DPF: {3DC04435-457B-4500-9580-41623BA1A51C} (Siebel Gantt Chart) - http://sdchs20n513.corp.siebel.com/ecom ... _Chart.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9271144874
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://wa4053.oracleads.com/jump/msrdp.cab
O16 - DPF: {A07F0AC9-D8AD-449A-BE90-668F5263B261} (Siebel High Interactivity Framework) - http://sdchs20n518.corp.siebel.com/CALL ... Client.cab
O16 - DPF: {ACE5BEC8-7177-41DB-8182-798547D9736F} (Siebel Callcenter Communications Toolbar) - http://sdchs20n513.corp.siebel.com/ecom ... oolbar.cab
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - http://adsweb.oracleads.com/download/jinit13121.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EDA83E4-5139-4BA4-AA86-E0617806454D}: Domain = oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA364B36-5817-4D4C-BB27-99D621B39260}: Domain = oracle.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = us.oracle.com,oracle.com,oraclecorp.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = us.oracle.com,oracle.com,oraclecorp.com
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation - C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: QOS MyDesktop (QOSMyDesktop) - Oracle - C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Protection Agent 5.1 (SmcService) - Symantec Corporation - c:\Program Files\Symantec\SPA\smc.exe
O23 - Service: Symantec NAC Service (SNAC) - Symantec Corporation - c:\Program Files\Symantec\SPA\snac.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9988 bytes


Report.txt
--------------------------------------------------------------------------------------
SDFix: Version 1.108

Run by sgpatel on Wed 10/10/2007 at 11:23 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\defrag.exe.tmp - Deleted
C:\DOCUME~1\sgpatel\LOCALS~1\Temp\IEXPLORE.exe - Deleted
C:\WINDOWS\system\svchost.exe - Deleted
C:\WINDOWS\system\svchost32.exe - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"="C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe:*:Disabled:pcAnywhere Host Service"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"D:\\Personal\\Music\\Books\\mixonline200707\\mixonline200707-win32\\mixonline200707-win32\\mixonline200707-win32.exe"="D:\\Personal\\Music\\Books\\mixonline200707\\mixonline200707-win32\\mixonline200707-win32\\mixonline200707-win32.exe:*:Enabled:Mix Online - July 2007"
"D:\\Program Files\\iTunes\\iTunes.exe"="D:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"D:\\Program Files\\TurboTax\\Premier 2006\\32bit\\ttax.exe"="D:\\Program Files\\TurboTax\\Premier 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"D:\\Program Files\\TurboTax\\Premier 2006\\32bit\\updatemgr.exe"="D:\\Program Files\\TurboTax\\Premier 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sun 5 Aug 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\sgpatel\Application Data\U3\temp\Launchpad Removal.exe"
Thu 10 May 2007 2,585,864 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\ca1c9a5f6bfb5c940f7b592a816e164e\BIT112.tmp"

Finished!
sgpatel
Regular Member
 
Posts: 19
Joined: March 16th, 2007, 2:55 pm

Unread postby km2357 » October 11th, 2007, 3:31 am

Print out these instructions or save them into a notepad on your desktop, because you will not have internet access while in Safe Mode.


Step # 1 Run AVG Anti-Spyware


  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).
Please set up the program as follows:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Do not automatically generate reports.
    • Under What to scan? - Select Scan every file.
Close all open windows.
Do not run a scan yet.


Step # 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Step # 3: Boot into Safe Mode

You can go into Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.



Step # 4: Remove HijackThis Entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    It may be helpful to know that when you put an item in your Trusted Zone, it has pretty much full access to your computer... Are you sure you trust these sites to that degree?? If you're not sure, and/or you do not need these in your trusted zone to facilitate access, or you did not knowingly permit this access yourself, then please fix the following O15 entries:

    O15 - Trusted Zone: http://*.turbotax.com
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.


Step # 5 Run AVG Anti-Spyware

  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button (*** This must be done before saving the report ***)
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
  • Reboot your computer.
  • Now copy the report back to this topic.


Step # 6 Post Logs

In your next post/reply, I'd like to see the following:

    1. AVG AntiSpyware Report
    2. A fresh HijackThis log


If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.
km2357
MRU Master
 
Posts: 3003
Joined: January 30th, 2007, 2:48 pm
Location: California

latest HijackThis and AVG logs

Unread postby sgpatel » October 11th, 2007, 8:49 pm

Fresh HijackThis and AVG logs

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:35:12 PM, on 10/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
c:\Program Files\Symantec\SPA\smc.exe
c:\Program Files\Symantec\SPA\snac.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Symantec\SPA\SmcGui.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\windows\orclobi\ebi\CheckDefrag.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe

D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.telecom.ptt.nl:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.oracle.com;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://ebizsrv.us.oracle.com"); (C:\Documents and Settings\SGPATEL\Application Data\Mozilla\Profiles\default\bwso0aey.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\SGPATEL\Application Data\Mozilla\Profiles\default\bwso0aey.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CheckDefrag] c:\windows\orclobi\ebi\CheckDefrag.exe
O4 - HKLM\..\Run: [SysReport_Schd] c:\windows\orclobi\ebi\SysReport_Schd.EXE
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3D5E05C4-41B2-4EB5-A5EB-970EBD646B98} (ASEActiveXCtrl Class) - http://la0091.oracleads.com/OA_HTML/dow ... dddase.exe
O16 - DPF: {3DC04435-457B-4500-9580-41623BA1A51C} (Siebel Gantt Chart) - http://sdchs20n513.corp.siebel.com/ecom ... _Chart.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9271144874
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://wa4053.oracleads.com/jump/msrdp.cab
O16 - DPF: {A07F0AC9-D8AD-449A-BE90-668F5263B261} (Siebel High Interactivity Framework) - http://sdchs20n518.corp.siebel.com/CALL ... Client.cab
O16 - DPF: {ACE5BEC8-7177-41DB-8182-798547D9736F} (Siebel Callcenter Communications Toolbar) - http://sdchs20n513.corp.siebel.com/ecom ... oolbar.cab
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - http://adsweb.oracleads.com/download/jinit13121.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EDA83E4-5139-4BA4-AA86-E0617806454D}: Domain = oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA364B36-5817-4D4C-BB27-99D621B39260}: Domain = oracle.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = oracle.com
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation - C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: QOS MyDesktop (QOSMyDesktop) - Oracle - C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Protection Agent 5.1 (SmcService) - Symantec Corporation - c:\Program Files\Symantec\SPA\smc.exe
O23 - Service: Symantec NAC Service (SNAC) - Symantec Corporation - c:\Program Files\Symantec\SPA\snac.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9944 bytes

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:27:01 PM 10/11/2007

+ Scan result:



:mozilla.12:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\t93i56aa.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.35:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\t93i56aa.slt\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.36:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\t93i56aa.slt\cookies.txt -> TrackingCookie.Adbrite : Cleaned.


::Report end
sgpatel
Regular Member
 
Posts: 19
Joined: March 16th, 2007, 2:55 pm
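The two findings that mattered in the SDFix report above (a copy of svchost.exe living in C:\WINDOWS\system instead of system32, and an IEXPLORE.exe running out of a Temp folder) are exactly the kind of thing a reader can pick out of a HijackThis log by hand, or script. The following triage helper is an added example for this thread; it is not part of HijackThis, SDFix, AVG or the forum's procedures. Its table of expected directories is a constructed, deliberately short reference, and the sample log is constructed to mirror the line formats (Running processes, O4, O23) shown in the logs above.

```python
"""Triage helper for HijackThis-style logs: flag well-known Windows binary
names that run from the wrong directory, or any executable running from a
temporary folder.

Added example for this thread only; it is not part of HijackThis, SDFix,
AVG or the forum's procedures.  The reference table and the sample log are
constructed for the example.
"""
import re
from pathlib import PureWindowsPath
from typing import Iterator, List, Optional, Tuple

# Where a handful of core Windows XP binaries legitimately live (lower-case).
# Constructed, deliberately short reference table; real triage needs a full one.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "ctfmon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "iexplore.exe": {r"c:\program files\internet explorer"},
}

# Folder names from which no process or autostart entry should normally run.
TEMP_DIR_NAMES = {"temp", "tmp"}

# Line shapes taken from the HijackThis log format shown in this thread.
PROC_RE = re.compile(r"^[a-z]:\\.+\.exe$", re.I)                       # "Running processes" lines
O4_RE = re.compile(r"^O4 - \S+\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.+)$")     # autostart entries
O23_RE = re.compile(r"^O23 - Service: .+ - (?P<path>[a-z]:\\.+?\.exe)", re.I)  # services


def extract_image(cmd: str) -> Optional[str]:
    """Pull the executable path out of an O4 command line (quoted or not)."""
    m = re.match(r'^"([^"]+)"', cmd) or re.match(r"^(.+?\.exe)", cmd, re.I)
    return m.group(1) if m else None


def image_paths(log_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (log_line, image_path) for every process, O4 and O23 entry."""
    for raw in log_text.splitlines():
        line = raw.strip()
        if PROC_RE.match(line):
            yield line, line
            continue
        m = O4_RE.match(line)
        if m:
            img = extract_image(m.group("cmd"))
            if img:
                yield line, img
            continue
        m = O23_RE.match(line)
        if m:
            yield line, m.group("path")


def classify(image: str) -> Optional[str]:
    """Return a reason string if the image path looks wrong, else None."""
    p = PureWindowsPath(image)
    name = p.name.lower()
    parent = str(p.parent).lower()
    # Anything launched from a Temp/Tmp folder is worth a look regardless of name.
    if any(part.lower() in TEMP_DIR_NAMES for part in p.parts[:-1]):
        return "executable runs from a temporary folder"
    # A core system binary name outside its home directory is a classic masquerade.
    expected = EXPECTED_DIRS.get(name)
    if expected and parent not in expected:
        return f"{name} expected under {' or '.join(sorted(expected))}, found under {parent}"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return [(image_path, reason)] for each distinct suspicious image."""
    findings, seen = [], set()
    for _line, img in image_paths(log_text):
        if img.lower() in seen:
            continue
        seen.add(img.lower())
        reason = classify(img)
        if reason:
            findings.append((img, reason))
    return findings


# Constructed sample log modelled on the HijackThis and SDFix output in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\sgpatel\LOCALS~1\Temp\IEXPLORE.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

if __name__ == "__main__":
    for image, reason in triage(SAMPLE_LOG):
        print(f"{image}\n    -> {reason}")
```

Run against the sample it reports the two images the SDFix report also removed: the svchost.exe copy under C:\WINDOWS\system and the IEXPLORE.exe under Temp, while the legitimate system32 copies and the Symantec service pass. Short 8.3 names such as C:\PROGRA~1\SYMANT~1\VPTray.exe are not resolved here, so the expected-directory rule only fires on names present in the table; the Temp rule is what catches the LOCALS~1\Temp path.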

Unread postby km2357 » October 12th, 2007, 4:22 am

Step # 1 Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available.

  • First, go to Add/Remove Programs and uninstall all previous versions.
  • Please go to this link Adobe Acrobat Reader Download Link
  • On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts


Step # 2 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6u3.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Remove the following old versions of Java:
    • Java 2 Runtime Environment, SE v1.4.2_05
    • J2SE Runtime Environment 5.0 Update 10

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • From your desktop double-click on the download to install the newest version.


Step # 3: Run Kaspersky Online Scan
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.

  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available, otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Once finished, save the log to your Desktop as filename KAV.txt


Step # 4 Post Logs

In your next post/reply, I'd like to see the following:

    1. Kaspersky Report (KAV.txt)
    2. A fresh HijackThis Log
    3. How is your computer running?/Any problems?


If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.
km2357
MRU Master
 
Posts: 3003
Joined: January 30th, 2007, 2:48 pm
Location: California

Unread postby askey127 » October 23rd, 2007, 7:03 am

This topic is now closed due to inactivity. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
askey127
Admin/Teacher
 
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA