Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Hijack This Log - Please help

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Hijack This Log - Please help

Unread postby 1zingo » October 6th, 2007, 2:20 pm

Logfile of HijackThis v1.99.1
Scan saved at 2:18:14 PM, on 10/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\FreePicGrabber\ThumbGrab.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Free Download Manager\fdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FreePicGrabber\ParseProcess.exe
C:\Program Files\FreePicGrabber\ParseProcess.exe
C:\Program Files\FreePicGrabber\ParseProcess.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredi ... =ho_search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Free Download Manager\iefdmcks.dll
O2 - BHO: FreePicGrabber Helper - {DF390801-491F-4659-8E7F-FCCC639A37BD} - C:\Program Files\FreePicGrabber\TheBar.dll
O3 - Toolbar: FreePicGrabber - {EBC780C8-5A2F-4BF2-B274-FDA3D61ACC6C} - C:\Program Files\FreePicGrabber\TheBar.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vdrdpup] C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\vdrdpup.dll,RegisterVirtualChannel
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [FreePicGrabber] C:\Program Files\FreePicGrabber\ThumbGrab.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Free Download Manager] C:\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Agent\bittorrent.exe" --force_start_minimized
O8 - Extra context menu item: &Free Pic GRAB - res://C:\Program Files\FreePicGrabber\Options.exe/132
O8 - Extra context menu item: &Quick GRAB Pics - res://C:\Program Files\FreePicGrabber\Options.exe/133
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download all with GPL - C:\GetPicturesList\GPL_all.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download with GPL - C:\GetPicturesList\GPL_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Enqueue current page with Bulk Image Downloader - file://C:\Bulk Image Downloader\iemenu\nocookie\iebidqueue.htm
O8 - Extra context menu item: Enqueue link target with Bulk Image Downloader - file://C:\Bulk Image Downloader\iemenu\nocookie\iebidlinkqueue.htm
O8 - Extra context menu item: GPL: Thumbnails to Pictures - C:\GetPicturesList\GPL_pics.htm
O8 - Extra context menu item: Open current page with Bulk Image Downloader - file://C:\Bulk Image Downloader\iemenu\nocookie\iebid.htm
O8 - Extra context menu item: Open link target with Bulk Image Downloader - file://C:\Bulk Image Downloader\iemenu\nocookie\iebidlink.htm
O9 - Extra button: Verizon Central - {5B3FB261-CF72-4c66-B314-8E6FF9980307} - http://www.verizon.net (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{54D68BC6-5320-4025-AD36-54428E8F5B32}: NameServer = 85.255.114.44,85.255.112.237
O17 - HKLM\System\CCS\Services\Tcpip\..\{60600F19-5F2D-40F9-A6BA-5935C1167BC7}: NameServer = 85.255.114.44,85.255.112.237
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.44 85.255.112.237
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.44 85.255.112.237
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
1zingo
Active Member
 
Posts: 7
Joined: October 6th, 2007, 2:07 pm
Advertisement
Register to Remove

Unread postby ndmmxiaomayi » October 7th, 2007, 2:59 am

Hi 1zingo. :)

Welcome to Malware Removal. My name is mayi and I will be helping you. As I am still an undergraduate, I will need my fixes checked before posting back to you. Thank you for your patience.
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Unread postby ndmmxiaomayi » October 7th, 2007, 5:12 am

Hi 1zingo, I see that Bittorent is installed on your computer. While Bittorent is a clean P2P program, there's no guarantee that the files downloaded are. Please refrain from using it while cleaning your computer to prevent getting more infections.

A list of clean and infected P2P programs can be found at Malware Removal and Spyware Info.

The risks of using a P2P program are stated in this Sourceforge website and Information Week article.

Please also read Malware Removal's Guide on P2P Programs.

Also, while having Windows Defender to protect your system is good, it can intefere with the fixes. I would need you to disable Windows Defender temporarily while fixing your computer. You can re-enable Windows Defender again once your computer is clean. Here is how to disable it:

Step 1

  1. Go to Start > All Programs > Windows Defender.
  2. Click on Tools at the top.
  3. Under Settings, click on Options.
  4. Under Automatic scanning, uncheck (untick) Automatically scan my computer (recommended) box.
  5. Under Real-time protection options, uncheck (untick) Use real-time protection (recommended) box.
  6. Click on the Save button at the bottom right hand corner.

Step 2

Please print out or save this set of instructions as you will be rebooting the PC.

  1. Please download Fixwareout from Bleeping Computer and save it to your desktop.
  2. Double click to run it.
  3. Click Next, followed by Install.
  4. Once installation is done, checked (ticked) Run fixit box.
  5. Click Finish.
  6. The fix will start, follow the prompts. You will be asked to reboot the PC, please do so. Your system will take longer to start, this is normal.
  7. Once your PC rebooted, go to Start > Control Panel. Double click on Network Connections.
  8. Right click on your default connection and select Properties.
  9. Select the General tab.
  10. Double click on Internet Protocol (TCP/IP) under This connection uses the following items:
  11. Select [b]Obtain an IP address automatically and Obtain DNS server address automatically.
  12. Click OK twice to save the settings. Reboot when prompted to.
  13. Go to Start > Run and type in cmd.
  14. Type in the following in the code box line by line, pressing Enter after each line:
    Code: Select all
    ipconfig /renew
    ipconfig /flushdns
    exit

Step 3

Please download Combofix from Tech Support Forum or Bleeping Computer. Save it to your desktop.

Double click to run it. Follow the prompts. Once done, it will reboot and a log will be produced. Please post that log and a new HijackThis log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Step 4

  1. Open HijackThis.
  2. Click on the Open the Misc Tools section button.
  3. Look under System tools.
  4. Click on the Open Uninstall Manager... button.
  5. Click on the Save list... button.
  6. It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  7. Notepad will open. Please post this log in your next reply.

In your next reply, please post:

  1. Fixwareout report (C:\Fixwareout\report.txt)
  2. Combofix report (C:\Combofix.txt)
  3. A new HijackThis log
  4. The Uninstall list
Note: You will need multiple posts to prevent the logs from being cut off.
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

NDM - 1 0f 3 - Here's my Combofix Log - Thanks for your help

Unread postby 1zingo » October 7th, 2007, 2:47 pm

ComboFix 07-10-07.2 - Tom 2007-10-07 14:34:17.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.219 [GMT -4:00]
Running from: C:\My Download Folder\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-07 to 2007-10-07 )))))))))))))))))))))))))))))))
.

2007-10-07 14:33 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-06 19:37 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2007-10-06 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-10-06 13:55 <DIR> d-------- C:\HijackThis
2007-09-28 14:40 <DIR> d-------- C:\Real Alternative
2007-09-28 14:40 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Real
2007-09-28 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Real
2007-09-28 13:49 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Media Player Classic
2007-09-28 13:05 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-09-15 16:13 <DIR> d-------- C:\Bulk Image Downloader
2007-09-15 15:41 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\BID

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 14:35 --------- d-------- C:\Documents and Settings\Tom\Application Data\Free Download Manager
2007-10-06 19:35 --------- d-------- C:\Program Files\FreePicGrabber
2007-10-06 19:04 --------- d-------- C:\Program Files\Apple Software Update
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{196B9CB5-4C83-46F7-9B06-9672ECD9D99B}]
C:\WINDOWS\system32\winbrume.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2002-08-14 17:48 C:\WINDOWS\system32\pctspk.exe]
"S3TRAY2"="S3tray2.exe" [2001-10-12 12:32 C:\WINDOWS\system32\S3tray2.exe]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-01-17 16:14]
"vdrdpup"="C:\WINDOWS\system32\C:\WINDOWS\system32\vdrdpup.dll" []
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-04-05 14:41]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 19:29]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 13:05]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 11:46]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 13:55]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\QuickTime\QTTask.exe" [2007-06-29 06:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"Free Download Manager"="C:\Free Download Manager\fdm.exe" [2006-08-21 01:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"BitTorrent"="C:\Agent\bittorrent.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

R0 NaiFsRec;NaiFsRec;C:\WINDOWS\system32\drivers\NaiFsRec.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr;UdfReadr;C:\WINDOWS\system32\drivers\UdfReadr.sys
R2 AvSynMgr;AVSync Manager;"C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe"
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 NaiFiltr;NaiFiltr;\??\C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;C:\WINDOWS\system32\DRIVERS\SMC1211.SYS
S1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
S2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 23:04:51 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-07 18:32:39 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-07 14:36:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-07 14:38:09
.
--- E O F ---
1zingo
Active Member
 
Posts: 7
Joined: October 6th, 2007, 2:07 pm

NDM - 2 0f 3 - Log from The Fix

Unread postby 1zingo » October 7th, 2007, 2:50 pm

Username "Tom" - 10/07/2007 14:15:35 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdphe.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.114.44 85.255.112.237" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{54D68BC6-5320-4025-AD36-54428E8F5B32}
"nameserver"="85.255.114.44,85.255.112.237" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{60600F19-5F2D-40F9-A6BA-5935C1167BC7}
"nameserver"="85.255.114.44,85.255.112.237" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{19EB0C85-95D9-48A4-91CA-C33198CA4766}
"DhcpNameServer"="85.255.114.44,85.255.112.237" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{60600F19-5F2D-40F9-A6BA-5935C1167BC7}
"DhcpNameServer"="85.255.114.44,85.255.112.237" <Value cleared.

Successfully flushed the DNS Resolver Cache.

System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\kdphe.ren 71173 06/13/2007

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe"
"S3TRAY2"="S3tray2.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"vdrdpup"="C:\\WINDOWS\\system32\\rundll32 C:\\WINDOWS\\system32\\vdrdpup.dll,RegisterVirtualChannel"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"QuickTime Task"="\"C:\\QuickTime\\QTTask.exe\" -atboottime"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Free Download Manager"="C:\\Free Download Manager\\fdm.exe -autorun"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BitTorrent"="\"C:\\Agent\\bittorrent.exe\" --force_start_minimized"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
1zingo
Active Member
 
Posts: 7
Joined: October 6th, 2007, 2:07 pm

NDM - 3 of 3 - Hijack This-Uninstall Log

Unread postby 1zingo » October 7th, 2007, 2:54 pm

Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.0
Apple Software Update
Bulk Image Downloader v1.23
Citrix Web Client
DivX
DivX Converter
DivX Player
DivX Web Player
Easy CD Creator 5 DVD Edition
EOL Universal Printer Client
Forté Agent
Free Download Manager 2.1
GetPicturesList
getPlus(R)_ocx
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Deskjet 3840
HP Software Update
HSP56 MicroModem Drivers
Indeo® software
IrfanView (remove only)
IsoBuster 1.5
McAfee Personal Firewall Plus
McAfee SecurityCenter
McAfee VirusScan
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
PrintFolder 1.2
QuickPar 0.9
QuickTime
QuickTime Alternative 1.66
Real Alternative 1.60
Roxio UDF Reader
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Verizon Online
Windows Defender
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
yEnc32 (remove only)


Currently, my problem is limited to having my searches on IE 6 hijacked.
I ran Ewido and deleted about 8 trojans and a bunch of tracking cookies, but the problem persists. again, thanks for looking into this.
1zingo
Active Member
 
Posts: 7
Joined: October 6th, 2007, 2:07 pm

Unread postby ndmmxiaomayi » October 8th, 2007, 3:00 am

Hi 1zingo,

Please copy and paste the following in the Code box into Notepad:

Code: Select all
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{196B9CB5-4C83-46F7-9B06-9672ECD9D99B}]

[-HKEY_CLASSES_ROOT\CLSID\{196B9CB5-4C83-46F7-9B06-9672ECD9D99B}]


Click on File > Save As...

In the File Name box, copy and paste in fix.reg

In the Save As Type box, select All Files from the drop-down list.

Click Save.

Double click on fix.reg to run it. You will be prompted. Click Yes.
____________________

  1. Please download AVG Anti-Spyware and save it to your desktop.
  2. Double click on avgas-setup-7.5.0.50.exe to install AVG Anti-Spyware. Install it in the default location.
  3. Once installed, start AVG Anti-Spyware by going to Start > All Programs > AVG Anti-Spyware 7.5 > AVG Anti-Spyware.
  4. In the main screen, you should see Your Computer's Security.
    • Next to Resident Shield, click on Change state. It should now be Inactive.
    • Next to Automatic Updates, click on Change state. It should now be Inactive.
    • Next to Last Update, click on Update now. If your firewall prompts you, tell your firewall to allow it. Should you be unable to update it, download the updates from here. Save it to your desktop. Double click to run the installation and the updates will be installed. Make sure AVG Anti-Spyware is closed during the installation.
    • Right-click the AVG Anti-Spyware icon near the clock and uncheck (untick) Start with Windows. Confirm by clicking Yes.
  5. Now click on the Scanner button at the top.
  6. Select the Settings tab.
  7. Under How to act?, click on Recommended actions and select Quarantine.
  8. Under How to scan?, check (tick) all the boxes.
  9. Under Possibly unwanted software:, check (tick) all the boxes.
  10. Under Reports:, uncheck (untick) the Only if threats were found box and select Do not automatically generate report.
  11. Under What to scan?, select Scan every file.
Do not run a scan yet. You will run a scan later.
____________________

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All.
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
____________________

Please print out or save this set of instructions as you will not have internet access during the fix.

Reboot into Safe Mode by following the instructions below:

  1. When you see BIOS screen, start pressing F8.
  2. A boot menu will appear shortly.
  3. Using the up down arrows, select Safe Mode and press the Enter key.
  4. Windows will now load.
  5. Log in to your usual account.
____________________

  1. Start AVG Anti-Spyware by going to Start > All Programs > AVG Anti-Spyware 7.5 > AVG Anti-Spyware.
  2. Click on the Scanner button at the top.
  3. Select the Scan tab.
  4. Click on Complete System Scan to start the scan.
  5. When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the Save Scan Report button before you did hit the Apply all Actions button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Image
  6. When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  7. Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Restart your computer in Normal Mode.
____________________

Please go to Kaspersky website and perform an online antivirus scan.
Please use Internet Explorer as it uses ActiveX.

  1. Click on Kaspersky Online Scanner button.
  2. Read through the requirements and privacy statement and click on Accept button.
  3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an ActiveX from Kaspersky. Click Yes.
  4. When the downloads have finished, click on Next button.
  5. Click on Scan Settings button.
  6. Select extended under Scan using the following antivirus database:
  7. Check (tick) these boxes under Scan options:
    • Scan Archives
    • Scan Mail Bases
  8. Click OK
  9. Click on My Computer under Please select a target to scan:
  10. Once the scan is complete it will display if your system has been infected. Click on Save as text button and save it to your desktop.
  11. Copy and paste this log in your next reply.

Currently, my problem is limited to having my searches on IE 6 hijacked.


After running the scans, could you please try to do some Google searches again?

Are the searches still being hijacked?

In your next reply, please post:

  1. A new HijackThis log
  2. AVG Antispyware scan report
  3. Kaspersky Antivirus scan report
  4. Are Google searches still being hijacked
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Kaspersky Scan Report Reply Message 1 of 3

Unread postby 1zingo » October 14th, 2007, 6:03 pm

KASPERSKY ONLINE SCANNER REPORT
Monday, October 08, 2007 1:48:46 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 8/10/2007
Kaspersky Anti-Virus database records: 429248


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 87878
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 01:52:54

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd001.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12092006-132156.log Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Tom\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Tom\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Tom\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Tom\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Tom\Local Settings\Temp\Free Download Manager\tic10.tmp Object is locked skipped

C:\Documents and Settings\Tom\Local Settings\Temp\Free Download Manager\tic11.tmp Object is locked skipped

C:\Documents and Settings\Tom\Local Settings\Temp\sqlite_FPZX1ZA8hLbZZr3 Object is locked skipped

C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Tom\ntuser.dat Object is locked skipped

C:\Documents and Settings\Tom\NTUSER.DAT.LOG Object is locked skipped

C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped

C:\Program Files\McAfee.com\Personal Firewall\data\hwcache.xdb Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{BB3B3BA8-71B7-423C-A244-F796611FA611}\RP1\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{C3DA1BE1-A034-45D8-9917-F9A120938BCA}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
1zingo
Active Member
 
Posts: 7
Joined: October 6th, 2007, 2:07 pm

Hijack This Log - Post 2 of 3

Unread postby 1zingo » October 14th, 2007, 6:06 pm

ogfile of HijackThis v1.99.1
Scan saved at 6:03:49 PM, on 10/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Free Download Manager\fdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vdrdpup] C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\vdrdpup.dll,RegisterVirtualChannel
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Free Download Manager] C:\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Agent\bittorrent.exe" --force_start_minimized
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download all with GPL - C:\GetPicturesList\GPL_all.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download with GPL - C:\GetPicturesList\GPL_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Enqueue current page with Bulk Image Downloader - file://C:\Bulk Image Downloader\iemenu\nocookie\iebidqueue.htm
O8 - Extra context menu item: Enqueue link target with Bulk Image Downloader - file://C:\Bulk Image Downloader\iemenu\nocookie\iebidlinkqueue.htm
O8 - Extra context menu item: GPL: Thumbnails to Pictures - C:\GetPicturesList\GPL_pics.htm
O8 - Extra context menu item: Open current page with Bulk Image Downloader - file://C:\Bulk Image Downloader\iemenu\nocookie\iebid.htm
O8 - Extra context menu item: Open link target with Bulk Image Downloader - file://C:\Bulk Image Downloader\iemenu\nocookie\iebidlink.htm
O9 - Extra button: Verizon Central - {5B3FB261-CF72-4c66-B314-8E6FF9980307} - http://www.verizon.net (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
1zingo
Active Member
 
Posts: 7
Joined: October 6th, 2007, 2:07 pm

AVG Scan Report Post 3 of 3

Unread postby 1zingo » October 14th, 2007, 6:17 pm

--------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:46:03 PM 10/14/2007

+ Scan result:



C:\Documents and Settings\Tom\Cookies\tom@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : No action taken.


::Report end


This is the third of three messages I have posted today. After following your instructions, I took some time to make certain that my pc was working properly. Currently, everything seems to be in order. The biggest change is that the pc is processing much faster. Previously, I had to reboot in order to get my McAfee antivirus to start properly. I was also having difficulty in accessing some websites. Currently, my searches on Google are no longer being hijacked. Thanks very much for your assistance.

Do you believe that either Kaspersky or AVG is a better spyware than Windows Defender? I really need to make certain that this doesn't happen again. The last time, I managed to pick up 8 trojan files without either McAfee or Defender alerting me.
1zingo
Active Member
 
Posts: 7
Joined: October 6th, 2007, 2:07 pm

Unread postby ndmmxiaomayi » October 15th, 2007, 2:37 am

Hi 1zingo,

Do you believe that either Kaspersky or AVG is a better spyware than Windows Defender?


Kaspersky is a company that provides antivirus solutions, so technically speaking, it won't be an antispyware solution.

However, Kaspersky has one of the best detection rates. You can view the results on this page: http://www.av-comparatives.org/seiten/home.html

As for whether AVG Antispyware is a better antispyware solution, it's subjective. Having more than 1 antispyware programs is better than having one as the latter will be able to detect problems that the former missed out.

The last time, I managed to pick up 8 trojan files without either McAfee or Defender alerting me.


Is your McAfee and Windows Defender up to date? If they are not, a lot of threats can be missed.

For Windows Defender, you can update it via Windows Update (http://update.microsoft.com/). There are updates regularly. Do check Castlecops regularly for the updates.

All 3 logs you've posted are clean, except for a couple for cookies.

Please delete these files and folders as they are no longer needed.

C:\Combofix.txt
C:\My Download Folder\ComboFix.exe
C:\Fixwareout
C:\Qoobox
fix.reg

Re-enable Windows Defender

  1. Go to Start > All Programs > Windows Defender.
  2. Click on Tools at the top.
  3. Under Settings, click on Options.
  4. Under Automatic scanning, check (tick) Automatically scan my computer (recommended) box.
  5. Under Real-time protection options, check (tick) Use real-time protection (recommended) box.
  6. Click on the Save button at the bottom right hand corner.

Flush the system restore points

  1. Right click on My Computer and select Properties.
  2. Select the System Restore tab.
  3. Check (tick) Turn off system restore on all drives box.
  4. Click OK.
  5. Restart your computer.
After restarting your computer, follow these steps:

  1. Right click on My Computer and select Properties.
  2. Select the System Restore tab.
  3. Uncheck (untick) Turn off system restore on all drives box.
  4. Click OK.
  5. Restart your computer.
Note: Do this only ONCE, don't flush it regularly.

Here's some tips on preventing it from happening again.

Keep your system updated

Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or do update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows

Go to Start > All Programs > Windows Update

To update Office

Open up any Office program.

Go to Help > Check for Updates

Alternatively, you can visit the links below to update Windows and Office products.

Windows Update
Office Update

If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:

  1. Go to Start > Control Panel > Automatic Updates
  2. Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
  3. Select Download updates for me, but let me chose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
  4. Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

Besides Windows that needs regular updating, antivirus, anti-spyware and firewall programs update regularly too.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Be careful when opening attachments and downloading files.

  1. Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
  2. Never open emails from unknown senders.
  3. Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
  4. Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

Stop malicious scripts

Windows by default allow scripts (which is VBScript and JavaScript) to run and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to backup. Follow this article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

Make your Internet Explorer safer

For Internet Explorer 6

  1. Open Internet Explorer. Click on Tools > Options.
  2. Click on the Security tab.
  3. Click on the Internet icon.
  4. Click on the Custom Level button.
  5. Under Download signed ActiveX controls, select Prompt.
  6. Under Download unsigned ActiveX controls, select Disable.
  7. Under Initialize and script ActiveX controls not marked as safe, select Disable.
  8. Under Installation of desktop items, select Prompt.
  9. Under Launching programs and files in an IFRAME, select Prompt.
  10. Under Navigate sub-frames across different domains, select Prompt.
  11. Under Allow paste operations via script, select Disable.
  12. Click OK to apply these settings.
  13. If it prompts you as to whether or not you want to save the settings, press the Yes button.
  14. Press OK to exit the Internet Properties page.
For a pictorial guide, please refer to this article.

Avoid P2P

P2P may be a great way to get lots of stuffs, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Prevent a re-infection

  1. Spyware Blaster
    SpywareBlaster is a program that is used to secure Internet Explorer by making it harder for ActiveX programs to run on your computer. It does this by disabling known offending ActiveX programs from running at all.

    You can download SpywareBlaster from Javacool.

    If you need help in using SpywareBlaster, you can read SpywareBlaster's tutorial at Bleeping Computer.
  2. SpywareGuard
    Just as an antivirus program scans a file for viruses before opening it, SpywareGuard does the same thing, except that it scans it for spywares.

    You can download SpywareGuard from Javacool.

    If you need help in using SpywareGuard, you can SpywareGuard's tutorial at Bleeping Computer.
  3. IE-SPYAD
    IE-SPYAD adds over 5000 sites to your Internet Explorer restricted zone so that you will be protected if the website turns out to be a bad one. Sites that are in the restricted zone of Internet Explorer can't have any scripts ran, no downloads and cookies. However, you can still connect to these sites.

    You can download IE-SPYAD from Spyware Warrior. Be sure to read the whole website carefully for instructions on usage of IE-SPYAD.
  4. Hosts File
    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

    Here are some Hosts files:

    MVPS Hosts File
    Bluetack's Hosts File
    Bluetack's Host Manager
    hpHosts

    A tutorial about Hosts File can be found at Malware Removal.
  5. Lavasoft Ad-Aware
    Ad-Aware is an anti-spyware program. Like your antivirus program, please run an Ad-Aware scan at least once per week.

    Ad-Aware can be downloaded from here.

    If you need help in using Ad-Aware, you can read Ad-Aware's tutorial at Bleeping Computer.
  6. Spybot Search and Destroy
    Spybot Search & Destroy is another program for scanning spywares and adwares. Not only so, it has other preventive options as well. You are strongly encouraged to run a scan at least once per week.

    Spybot Search & Destroy can be downloaded from here.

    If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy tutorial at Bleeping Computer.
  7. a-squared Free
    a-squared Free is also another program for scanning spywares and adwares. It doesn't have preventive features like Spybot Search & Destroy though.

    You can download a-squared Free from here.
  8. CounterSpy
    CounterSpy is pretty much like Spybot Search & Destroy, but it isn't free. You can try CounterSpy for 15 days.

    Before downloading any anti-spyware programs, always check the Rogue/Suspect list of anti-spyware programs. This will save you from a lot of trouble. If in doubt, don't ever download it.
  9. SiteHound Toolbar
    SiteHound is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spywares or has questionable contents. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.
  10. Winpatrol
    Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.


Use an alternative Internet Browser

Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead.

Firefox
Opera
K-Meleon

Use an alternative email client

If you are using Outlook Express as your default email client, try using Thunderbird or Pegasus Mail instead.

Here are some more things to read about:

List of clean and infected download managers
Configuring Skype
Greater email safety
Phishing - what is it?
Configuring Outlook Express
The Unofficial Cookie FAQ
Securing your home wireless network
80 Super Security Tips
The different classes of security softwares



Since this issue appears resolved ... this topic is now closed. If you wish it
reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.

Rogue
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 51 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware