Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Hijack This Log - Any help appreciated!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Hijack This Log - Any help appreciated!

Unread postby Ellymoo » August 30th, 2005, 4:05 pm

Hi

My log is here (I have followed all the instructions on your sticky)

Have spent 3 hours sorting this computer so any help greatly appreciated!

Logfile of HijackThis v1.99.1
Scan saved at 21:03:15, on 30/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\windows\system32\rlvknlg.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\wanadoo\wanadooconnectionkit\atdialler1.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\spare1234\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [OSS] C:\windows\system32\rlvknlg.exe -boot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wanadoo Connection Kit.lnk = C:\wanadoo\wanadooconnectionkit\atdialler1.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - https://www.wanadoo.co.uk/time/anytimer ... 0101_5.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3038977138
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... r37240.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6EB9C85-3992-4AEA-B352-6B0C98464DD3}: NameServer = 195.92.195.95 195.92.195.94
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
Ellymoo
Active Member
 
Posts: 13
Joined: August 30th, 2005, 3:25 pm
Advertisement
Register to Remove

Unread postby Noviciate » August 30th, 2005, 6:09 pm

I am in the process of reviewing your log - I will post a reply as soon as I am able.
User avatar
Noviciate
MRU Master
MRU Master
 
Posts: 6282
Joined: May 25th, 2005, 4:41 pm
Location: Numpty HQ

Unread postby Noviciate » August 30th, 2005, 6:21 pm

IMPORTANT
Your log doesn't show a firewall running. If you have disabled it, please re-enable it.
If you do not have one installed, there are a couple of free firewalls available.
Zone Alarm: Available here.
Sygate: Available here.

It is important to note that you should only have one firewall installed at a time, but you can download both to your Desktop and install each in turn to see which one you prefer.

--------------------------------------------------------------------------------------------------------

You will need to make a copy of these instructions because you have to disconnect from the internet to complete the fix. Either print them out or 'Copy and Paste' them into Notepad.

Preparation

1) You will need to set Windows to show All Hidden Files and Folders
Instructions can be found here.
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

2) You will also need to know how to boot into Safe Mode.
Instructions can be found here.

3) You will find a tutorial and download link for CleanUp! here.
Please download and install the program and configure it as per the tutorial.
Do not run it yet.

4) Log off from the internet and disconnect your modem cable for the duration of the fix.

Removal

1) End Running Processes through Task Manager.
To do this:
Press and hold CTRL and Alt and tap Delete. This will open Task Manager.
If it is not selected, click on the 'Processes' Tab.
Scroll down and locate any/all of the following (if you cannot find one or more, don't worry):

rlvknlg.exe

Click on each one you can find to highlight it, and then click on 'End Process'


2) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O4 - HKLM\..\Run: [OSS] C:\windows\system32\rlvknlg.exe -boot

O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - https://www.wanadoo.co.uk/time/anytimer ... 0101_5.exe
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) -


CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

3) Boot into Safe Mode.

4) Remove any/all of the following files/folders that you can find:

Files

C:\windows\system32\rlvknlg.exe

If you cannot find one, or more, do not worry.

As an example:
To delete C:\WINDOWS\system32\filetogo.bye
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on filetogo.bye and from the menu that appears, click on 'Delete'


5) Run CleanUp!
If you are asked 'Do you wish to logoff now?', click on No.

6) Boot into Normal Mode.

7) Run the following online scan and allow it to fix anything that it finds: Trend Micro Housecall.

Will you copy and paste the result of the above scan into your next reply along with a fresh HJT log AND a description of how your PC is running.
User avatar
Noviciate
MRU Master
MRU Master
 
Posts: 6282
Joined: May 25th, 2005, 4:41 pm
Location: Numpty HQ

Unread postby Ellymoo » August 31st, 2005, 3:05 pm

Thanks very much for your reply!

The PC is working pretty much fine now. I did all that you said and the result of the housecall is below. There were no trojans or spyware or viruses. There are about 65 vulnerabilities in Microsoft:

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 65 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level Issue How to Fix
Critical This vulnerability enables a remote attacker to execute arbitrary code by creating an .MP3 or .WMA file that contains a corrupt custom attribute. This is caused by a buffer overflow in the Windows Shell function in Microsoft Windows XP. MS02-072
Highly Critical This vulnerability enables local users to execute arbitrary code through an RPC call. This is caused by a buffer overflow in the RPC Locator service for Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP. MS03-001
Highly Critical This vulnerability enables a remote attacker to execute arbitrary code through a WebDAV request to IIS 5.0. This is caused by a buffer overflow in NTDLL.DLL on Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP. MS03-007
Highly Critical This vulnerability enables a remote attacker to execute any file that can be rendered as text, and be opened as part of a page in Internet Explorer. MS03-014
Critical This vulnerability enables a remote attacker to cause a denial of service and execute arbitrary code through a specially formed web page or HTML e-mail. This is caused by a flaw in the way the HTML converter for Microsoft Windows handles a conversion request during a cut-and-paste operation. MS03-023
Highly Critical This vulnerability enables a remote attacker to execute arbitrary code through a malformed message. This is caused by a buffer overflow in certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003. MS03-026
Critical This vulnerability enables a remote attacker to execute arbitrary code through a specially crafted MIDI file. This is caused by multiple buffer overflows in a Microsoft Windows DirectX MIDI library (QUARTZ.DLL). MS03-030
Critical This vulnerability could allow a remote attacker to execute arbitrary code via a malformed RPC request with a long filename parameter. This is caused by a heap-based buffer overflow found in the Distributed Component Object Model (DCOM) interface in the RPCSS Service.;This vulnerability could allow a remote attacker to cause a denial of service attack, which could allow local attackers to gain privileges via certain messages sent to the __RemoteGetClassObject interface.;This vulnerability could allow a remote attacker to execute arbitrary code via a malformed activation request packet with modified length fields. This is caused by a heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service.;This vulnerability could allow a remote attacker to cause a denial of service attack. This is caused by two threads processing the same RPC request, which will lead to its using memory after it has been freed.;This vulnerability could allow a remote attacker to cause a denial of service attack via a queue registration request. This is caused by a buffer overflow in the Microsoft Message Queue Manager. MS03-039
Highly Critical These vulnerabilities, which are due to Internet Explorer not properly determining an object type returned from a Web server in a popup window or during XML data binding, respectively, could allow an attacker to run arbitrary code on a user's system. MS03-040
Critical This vulnerability allows a remote attacker to execute arbitrary code without user approval. This is caused by the authenticode capability in Microsoft Windows NT through Server 2003 not prompting the user to download and install ActiveX controls when system is low on memory. MS03-041
Critical This vulnerability allows a remote attacker to execute arbitrary code on the affected system. This is caused of a buffer overflow in the Messenger Service for Windows NT through Server 2003. MS03-043
Important This vulnerability is due to a buffer overrun in the ListBox and ComboBox controls found in User32.dll. Any program that implements the ListBox control or the ComboBox control could allow arbitrary code to be executed at the same privilege level. This vulnerability cannot be exploited remotely. MS03-045
Critical This vulnerability could allow an attacker to access information from other Web sites, access files on a user's system, and run arbitrary code on a user's system, wherein this is executed under the security context of the currently logged on user.;This vulnerability could allow an attacker to save a file on the users system. This is due to dynamic HTML events related to the drag-and-drop of Internet Explorer.;This vulnerability, which is due to the incorrect parsing of URLs which contain special characters, could allow an attacker to trick a user by presenting one URL in the address bar, wherein it actually contains the content of another web site of the attackers choice. MS04-004
Highly Critical The LSASS vulnerability is a buffer overrun vulnerability allows remote code execution.;The LDAP vulnerability is a denial of service (DoS) vulnerability that causes the service in a Windows 2000 domain controller responsible for authenticating users in an Active Directory domain to stop responding.;The PCT vulnerability is a buffer overrun vulnerability in the Private Communications Transport (PCT) protocol, a part of the SSL library, that allows remote code execution.;The Winlogon vulnerability is a buffer overrun vulnerability in the Windows logon process (winlogon) that allows remote code execution.;The Metafile vulnerability is a buffer overrun vulnerability that exists in the rendering of Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats.;The Help and Support Center vulnerability allows remote code execution and is due to the way Help and Support Center handles HCP URL validation.;The Utility Manager vulnerability is a privilege elevation vulnerability that exists due to the way that Utility Manager launches applications.;The Windows Management vulnerability is a privilege elevation vulnerability that when successfully exploited allows a local attacker to take complete control of a system by executing commands at the system privilege level.;The Local Descriptor Table vulnerability is a privilege elevation vulnerability that when successfully exploited allows a local attacker to take complete control of a system by executing commands at with system privileges.;The H.323 vulnerability is a buffer overrun vulnerability that when successfully exploited can allows attackers to gain full control of a system by arbitrarily executing commands with system privileges.;Virtual DOS Machine vulnerability is a privilege elevation vulnerability that when successfully exploited allows a local attacker to gain full control of a system by executing commands with system privileges.;The Negotiate SSP vulnerability is a buffer overrun vulnerability that exists in Microsoft's Negotiate Security Service Provider (SSP) interface and allows remote code execution.;The SSL vulnerability exists due to the way SSL packets are handled and can causes the affected systems to stop responding to SSL connection requests.;The ASN.1 'Double-Free' vulnerability exists in Microsoft's Abstract Syntax Notation One (ASN.1) Library and allows remote code execution at the system privilege level. MS04-011
Critical The RPC Runtime Library vulnerability is a remote code execution vulnerability that results from a race condition when the RPC Runtime Library processes specially crafted messages. An attacker who successfully exploits this vulnerability could take complete control of an affected system.;The RPCSS Service denial of service (DoS) vulnerability allows a malicious user or malware to send specially-crafted messages to a vulnerable system, which causes the RPCSS Service to stop responding.;The RPC Over HTTP vulnerability may be used to launch a denial of service (DoS) attack against a system with CIS or RPC over HTTP Proxy enabled.;When successfully exploited, the Object Identity vulnerability allows an attacker to force currently running applications to open network communication ports, thereby opening a system to remote attacks. MS04-012
Critical The MHTML URL Processing Vulnerability allows remote attackers to bypass domain restrictions and execute arbitrary code via script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers.This could allow an attacker to take complete control of an affected system. MS04-013
Critical This vulnerability exists in the Help and Support Center (HCP) and is due to the way it handles HCP URL validation. This vulnerability could allow an attacker to remotely execute arbitrary code with Local System privileges. MS04-015
Moderate This is a denial of service (DoS) vulnerability. It affects applications that implement the IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay. Applications that use this API are typically network-based multiplayer games.;An attacker who successfully exploits this vulnerability could cause the DirectX application to fail while a user is playing a game. The affected user would then have to restart the application. MS04-016
Moderate A denial of service (DoS) vulnerability exists in Outlook Express that could cause the said program to fail. The malformed email should be removed before restarting Outlook Express in order to regain its normal operation. MS04-018
Critical This vulnerability lies in an unchecked buffer within the Task Scheduler component. When exploited, it allows the attacker to execute arbitrary code on the affected machine with the same privileges as the currently logged on user. MS04-022
Critical An attacker who successfully exploits this vulnerability could gain the same privileges as that of the currently logged on user. If the user is logged in with administrative privileges, the attacker could take complete control of the system. User accounts with fewer privileges are at less risk than users with administrative privileges. MS04-023
Critical The Navigation Method Cross-Domain Vulnerability is a remote execution vulnerability that exists in Internet Explorer because of the way that it handles navigation methods. An attacker could exploit this vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visits a malicious Web site.;The Malformed BMP File Buffer Overrun Vulnerability exists in the processing of BMP image file formats that could allow remote code execution on an affected system.;The Malformed GIF File Double Free Vulnerability is a buffer overrun vulnerability that exists in the processing of GIF image file formats that could allow remote code execution on an affected system. MS04-025
Important This remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. The malicious user or malware can execute code on the system giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes.;The vulnerability is caused by an unchecked buffer in the Microsoft Office WordPerfect Converter. MS04-027
Critical This vulnerability lies in the way the affected components process JPEG image files. An unchecked buffer within this process is the cause of the vulnerability.;This remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. The malicious user or malware can execute arbitrary code on the system giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes. MS04-028
Important An unchecked buffer exists in the NetDDE services that could allow remote code execution. An attacker who is able to successfully exploit this vulnerability is capable of gaining complete control over an affected system. However, the NetDDe services are not automatically executed, and so would then have to be manually started for an attacker to exploit this vulnerability. This vulnerability also allows attackers to perform a local elevation of privilege, or a remote denial of service (DoS) attack. MS04-031
Critical This cumulative release from Microsoft covers four newly discovered vulnerabilities: Windows Management Vulnerability, Virtual DOS Machine Vulnerability, Graphics Rendering Engine Vulnerability, and Windows Kernel Vulnerability. MS04-032
Critical This remote code execution vulnerability exists in Microsoft Excel. It allows an attacker to take complete control of an affected system if a user us logged on with administrative privileges. An attacker who successfully exploits this vulnerability can install programs; view, change, or delete data; or create new accounts with full privileges. MS04-033
Critical This is another privately reported vulnerability about Windows Compressed Folders. There is vulnerability on the way that Windows processes Compressed (Zipped) Folders that could lead to remote code execution. Windows can not properly handle the extraction of the ZIP folder with a very long file name. Opening a specially crafted compressed file, a stack-based overflow occurs, enabling the remote user to execute arbitrary code. MS04-034
Critical This security bulletin focuses on the following vulnerabilities: Shell Vulnerability (CAN-2004-0214), and Program Group Converter Vulnerability (CAN-2004-0572). Shell vulnerability exists on the way Windows Shell launches applications that could enable remote malicious user or malware to execute arbitrary code. Windows Shell function does not properly check the length of the message before copying to the allocated buffer. Program Group Converter is an application used to convert Program Manager Group files that were produced in Windows 3.1, Windows 3.11, Windows for Workgroups 3.1, and Windows for Workgroups 3.11 so that they can still be used by later operating systems. The vulnerability lies in an unchecked buffer within the Group Converter Utility. MS04-037
Critical This is a remote code execution vulnerability that exists in the Internet Explorer. It allows remote code execution on an affected system. An attacker could exploit this vulnerability by constructing a malicious Web Page. The said routine could allow remote code execution if a user visited a malicious Web site. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, significant user interaction is required to exploit this vulnerability. MS04-038
Critical This security update addresses and resolves a vulnerability in Internet Explorer that could allow remote code execution. A Web page can be crafted to exploit this vulnerability such that an arbitrary application can be executed on visiting systems with the same priviledge as the currently logged on user. MS04-040
Important This security advisory explains the two discovered vulnerabilities in Microsoft Word for Windows 6.0 Converter, which is used by WordPad in converting Word 6.0 to WordPad file format. Once exploited, this remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. MS04-041
Critical A remote code execution vulnerability exists in HyperTerminal because of a buffer overrun. If a user is logged on with administrator privileges, an attacker could exploit the vulnerability by constructing a malicious HyperTerminal session file that could potentially allow remote code execution and then persuade a user to open this file. This malicious file may enable the attacker to gain complete control of the affected system. This vulnerability could also be exploited through a malicious Telnet URL if HyperTerminal had been set as the default Telnet client. MS04-043
Important This security update addresses and resolves two windows vulnerabilites, both of which may enable the current user to take control of the affected system. Both of these vulnerabilites require that the curernt user be able to log on locally and execute programs. They cannot be exploited remotely, or by anonymous users. A privilege elevation vulnerability exists in the way that the Windows Kernel launches applications. This vulnerability could allow the current user to take complete control of the system. A privilege elevation vulnerability exists in the way that the LSASS validates identity tokens. This vulnerability could allow the current user to take complete control of the affected system. MS04-044
Critical This update resolves a newly-discovered, publicly reported vulnerability. A vulnerability exists in the HTML Help ActiveX control in Windows that could allow information disclosure or remote code execution on an affected system. MS05-001
Critical This update resolves several newly-discovered, privately reported and public vulnerabilities. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, install programs, view, change, or delete data, or create new accounts that have full privileges. MS05-002
Important This update resolves a newly-discovered, privately reported vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full privileges. While remote code execution is possible, an attack would most likely result in a denial of service condition. MS05-003
Critical This remote code execution vulnerability exists in Microsoft Office XP software. An attacker could exploit the vulnerability by enticing users to open a malicious file hosted in Internet Explorer. An attacker could also construct an email message that contains a link to the said file.;An attacker who successfully exploits this vulnerability could take complete control of an affected system. MS05-005
Important This is an information disclosure vulnerability. An attacker who successfully exploits this vulnerability could remotely read the user names for users who have an open connection to an available shared resource. MS05-007
Important This remote code execution vulnerability exists in the way Windows handles drag-and-drop events. An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow an attacker to save a file on the users system if a user visited a malicious Web site or viewed a malicious e-mail message. MS05-008
Critical This remote code execution vulnerability exists in Server Message Block (SMB). It allows an attacker who successfully exploits this vulnerability to take complete control of the affected system. MS05-011
Critical This privilege elevation vulnerability exists in the way that the affected operating systems and programs access memory when they process COM structured storage files. This vulnerability could grant a currently logged-on user to take complete control of the system.;This remote code execution vulnerability exists in OLE because of the way that it handles input validation. An attacker could exploit the vulnerability by constructing a malicious document that could potentially allow remote code execution. MS05-012
Critical This vulnerability exists in the DHTML Editing Component ActiveX Control. This vulnerability could allow information disclosure or remote code execution on an affected system. MS05-013
Critical This update resolves known vulnerabilities affecting Internet Explorer. An attacker who successfully exploits these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. MS05-014
Critical A remote code execution vulnerability exists in the Hyperlink Object Library. This problem exists because of an unchecked buffer while handling hyperlinks. An attacker could exploit the vulnerability by constructing a malicious hyperlink which could potentially lead to remote code execution if a user clicks a malicious link within a Web site or e-mail message. MS05-015
Important A remote code execution vulnerability exists in the Windows Shell because of the way that it handles application association. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of the affected system. However, user interaction is required to exploit this vulnerability. MS05-016
Important A remote code execution vulnerability exists in Message Queuing that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. MS05-017
Important This security bulletin resolves newly-discovered, privately-reported vulnerabilities affecting Windows. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. MS05-018
Critical This security bulletin resolves newly discovered, privately-reported vulnerabilities affecting Windows. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. However, an attacker who successfully exploited the most severe of these vulnerabilities would most likely cause the affected system to stop responding. MS05-019
Critical This security bulletin resolves three newly-discovered, privately-reported vulnerabilities affecting Internet Explorer. If a user is logged on with administrative user rights, an attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. MS05-020
Critical This security bulletin resolves the following vulnerabilities affecting Internet Explorer.; The PNG Image Rendering Memory Corruption vulnerability could allow an attacker to execute arbitrary code on the system because of a vulnerability in the way Internet Explorer handles PNG images.; The XML Redirect Information Disclosure vulnerability could allow an attacker to read XML data from another Internet Explorer domain because of a vulnerability in the way Internet Explorer handles certain requests to display XML content. MS05-025
Critical HTML Help is the standard help system for the Windows platform. Authors can use it to create online Help files for a software application or content for a multimedia title or a Web site. This vulnerability in HTML Help could allow attackers to execute arbitrary code on the affected system via a specially crafted Compiled Windows Help (CHM) file, because it does not completely validate input data. MS05-026
Critical A remote code execution vulnerability exists in the Microsofts implementation of the Server Message Block (SMB) protocol, which could allow an attacker to execute arbitrary codes to take complete control over a target system. This vulnerability could be exploited over the Internet. An attacker would have to transmit a specially crafted SMB packet to a target system to exploit it. However, failure to successfully exploit the vulnerability could only lead to a denial of service. MS05-027
Important A vulnerability exists in the way that Windows processes Web Client requests, which could allow a remote attacker to execute arbitrary code and take complete control over the affected system. MS05-028
Important A remote code execution vulnerability exists in Outlook Express when it is used as a newsgroup reader. An attacker could exploit this vulnerability by constructing a malicious newsgroup server that could that potentially allow remote code execution if a user queried the server for news. MS05-030
Moderate This vulnerability could enable an attacker to spoof trusted Internet content because security prompts can be disguised by a Microsoft Agent character. MS05-032
Moderate This vulnerability in the Microsoft Telnet client could allow an attacker to gain sensitive information about the affected system and read the session variables of users who have open connections to a malicious Telnet server. MS05-033
Critical This vulnerability could allow a remote attacker to execute arbitrary codes on the affected system via a malicious image file in a Web site or email message. This vulnerability exists because of the way Microsoft Color Management Module handles ICC profile format tag validation. MS05-036
Critical A COM object, the JView Profiler (Javaprxy.dll), contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system by hosting a malicious Web site. MS05-037
Critical This security bulletin resolves the following vulnerabilities found in Internet Explorer: (1) JPEG Image Rendering Memory Corruption vulnerability, which allows remote code execution when exploited by a remote malicious user, (2) Web Folder Behaviors Cross-Domain vulnerability, allows information disclosure or remote code execution on an affected system, and (3) COM Object Instantiation Memory Corruption vulnerability, which exists in the way Internet Explorer lists the instances of COM Objects that are not intended to be used in Internet Explorer. MS05-038
Critical An unchecked buffer in the Plug and Play service results in this vulnerability. Once successfully exploited, this vulnerability permits an attacker to have complete virtual control of an affected system. This vulnerability involves a remote code execution and local elevation of privilege. It can be exploited over the Internet. MS05-039
Important This security advisory explains a vulnerability in the Telephony Application Programming Interface (TAPI) service that could allow remote code execution. Attackers who successfully exploits the said vulnerability can take complete control of an affected system. They could then install programs, view, change, or delete data, and create new accounts with full user rights. MS05-040
Moderate A remote malicious user can use the process employed by the Remote Desktop Protocol (RDP) to validate data to cause a denial of service (DoS) attack, which stops an affected machine from responding and causing it to automatically restart. MS05-041
Moderate This security bulletin resolves the following vulnerabilities found in Microsoft Windows: (1) the Kerberos vulnerability, which is a denial of service vulnerability that allows an attacker to send a specially crafted message to a Windows domain controller, making the service that is responsible for authenticating users in an Active Directory domain to stop responding, and (2)the PKINIT vulnerability, which is an information disclosure and spoofing vulnerability that allows an attacker to manipulate certain information that is sent from a domain controller and potentially access sensitive client network communication. MS05-042
Critical A remote code execution vulnerability in the Printer Spooler service allows an attacker who successfully exploits this vulnerability to take complete control of the affected system.

I have done a new Hijack This logfile, the results of which are below.

Logfile of HijackThis v1.99.1
Scan saved at 20:05:06, on 31/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\atievxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\wanadoo\wanadooconnectionkit\atdialler1.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\spare1234\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wanadoo Connection Kit.lnk = C:\wanadoo\wanadooconnectionkit\atdialler1.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3038977138
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6EB9C85-3992-4AEA-B352-6B0C98464DD3}: NameServer = 195.92.195.95 195.92.195.94
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I have also fixed up a firewall.

Thanks again! :)
Ellymoo
Active Member
 
Posts: 13
Joined: August 30th, 2005, 3:25 pm

Unread postby Noviciate » August 31st, 2005, 4:00 pm

Are you sure you posted all the Housecall log? :lol:
I think I need to change that part of my reply in future. :D

On a more serious note, your log looks fine.

Please do the following:

1) Update your anti-virus program.
2) Disable System Restore.
3) Boot into Safe Mode.
4) Scan your computer for viruses.
5) When you get the all clear, reboot into Normal Mode.
6) Re-enable System Restore.
7) Create a Restore Point.

This will give a clean Restore Point should you need it in the future.
A tutorial for System Restore is available here.

The report is mainly due to not having Service Pack 2 installed. It does do a lot for your PC's security so install it if at all possible. The tutorial below contains a link to the Windows Update site. Please go there and download every Critical Update it offers you - this may be a lot!

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.



If you have any questions, please ask them.
Safe Surfing. :)
User avatar
Noviciate
MRU Master
MRU Master
 
Posts: 6282
Joined: May 25th, 2005, 4:41 pm
Location: Numpty HQ

Unread postby Ellymoo » August 31st, 2005, 5:38 pm

Thanks! This is my neighbour's computer and she didn't know anything about firewalls, virus checks, or anything... once I've sorted hers I think I will do a Hijack This check on mine and post it here if that's OK. Hopefully it will be much shorter.

I really appreciate all the help you guys have given me. Thank you very much indeed. :) The only thing I am an expert on is skin care and gerbils and Jessica nail polishes, so I can't be of much use to you!
Ellymoo
Active Member
 
Posts: 13
Joined: August 30th, 2005, 3:25 pm

Unread postby Noviciate » August 31st, 2005, 5:45 pm

Do Gerbils have their nails polished? Live and learn.
User avatar
Noviciate
MRU Master
MRU Master
 
Posts: 6282
Joined: May 25th, 2005, 4:41 pm
Location: Numpty HQ

Unread postby NonSuch » September 14th, 2005, 4:31 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 40 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware