Terrible Winfixer and WinAntiVirus2005 Pro Pop Ups, need help.

Post by szaku » October 26th, 2005, 6:55 am

Every time I use Internet Explorer to surf the net, Winfixer and WinAntiVirus2005 Pro automatically pop up, although I never installed them. Please help me, I really hate those pop-ups.
szaku
Active Member
 
Posts: 11
Joined: October 26th, 2005, 6:39 am

My HijackThis Log

Post by szaku » October 26th, 2005, 6:58 am

My HijackThis log file is:

Logfile of HijackThis v1.99.1
Scan saved at 7:05:56 PM, on 10/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
D:\WINDOWS\System32\igfxtray.exe
D:\WINDOWS\System32\hkcmd.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - D:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - D:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - D:\WINDOWS\system32\awvvt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - D:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - D:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - D:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\RunServices: [NvUpdater] nwiz32.exe
O4 - HKLM\..\RunServices: [CTUpdate] ctupdclt.exe
O4 - HKCU\..\Run: [NvUpdater] nwiz32.exe
O4 - HKCU\..\Run: [CTUpdate] ctupdclt.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunServices: [NvUpdater] nwiz32.exe
O4 - HKCU\..\RunServices: [CTUpdate] ctupdclt.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b30149.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4520174296
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://D:\Documents and Settings\SawFamily\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq.com/odyssey_web11.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0224FB4-5A83-4471-AF8F-BEE472336D2C}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awvvt - D:\WINDOWS\system32\awvvt.dll
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
szaku
Active Member
 
Posts: 11
Joined: October 26th, 2005, 6:39 am

Post by dobhar » October 26th, 2005, 11:46 am

Hi szaku...

Welcome to the forum. My name is dobhar and I will be looking over your log. Please give me some time to go look it over and I will post back as soon as possible. If you have any questions please post back as a reply to this Thread\Topic and I will be advised by email so I can return and help you. Please do not start another Thread\Topic.

Thank You,
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Post by dobhar » October 26th, 2005, 1:50 pm

Hi szaku...
_____________________________________________________

Please print out or copy these instructions\tutorials to Notepad, as the internet will be unavailable to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
_____________________________________________________

Step 1.
==========

Please download and install CCleaner from here
(Note: DO NOT run this program yet)

Step 2.
==========

Please download VundoFix.exe from here to your desktop.
- Double-click VundoFix.exe to extract the files...This will create a VundoFix folder on your desktop.
- After the files are extracted, please reboot your computer into Safe Mode.

Step 3.
==========

- Reboot computer into "Safe Mode" using the F8 method:
- As soon as the BIOS is loaded begin tapping the F8 key until the Boot Menu appears
- Use the arrow keys to select the Safe Mode menu item
(Note: For additional help in booting into Safe Mode, see the following site - here)

Step 4.
==========

We need to make sure all hidden files are showing...
  • Open "My Computer".
  • Click on "Tools" and from the drop down menu select "Folder Options".
  • Select the "View" tab.
  • Under the "Hidden files and folders" heading SELECT "Show hidden files and folders".
  • UNCHECK the "Hide file extensions for known types option".
  • UNCHECK the "Hide protected operating system files (recommended) option".
  • Click "Yes" to confirm.
  • Click "OK".

Step 5.
==========

Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning and a list of forums to seek help at. It should look like this
    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....
  • At this point press enter one time.
  • Next you will see:
    Please Type in the filepath as instructed by the forum staff and then press enter:
  • At this point please type the following file path (make sure to enter it exactly as below!):
      D:\WINDOWS\system32\awvvt.dll
  • Press Enter to continue with the fix.
  • Next you will see:
    Please type in the second filepath as instructed by the forum staff Then Press Enter:
  • At this point please type the following file path (make sure to enter it exactly as below!):
      D:\WINDOWS\system32\tvvwa.*
  • Press Enter to continue with the fix.
  • The fix will run, then HijackThis will open; if it does not open automatically, please open it manually.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:
  • After you have fixed these items, close HijackThis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.

Step 6.
==========

We now need to clean up all the Temp, Temporary Internet Files, Recycle Bin, etc...
- Start the CCleaner program
- Get into "Options" => Select "Advanced" => Deselect\uncheck "Only delete files in Windows Temp folders older than 48 hours"
- We are only going to work with the "Cleaner" section. (Note: Do not use the "Issues" section)
- Click on the Run Cleaner button in the lower right-hand corner
- After it completes, close the program
- Make sure your Recycle Bin is empty.

Step 7.
==========

Run Panda's ActiveScan from here and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your Valid Email
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
- Post Panda scan results in your next reply

Step 8.
==========

- Post a fresh new HijackThis log
- Post the Vundofix.txt log
- Post the Panda ActiveScan results
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Post by szaku » October 27th, 2005, 10:55 am

I think I will do it tomorrow, because I am a bit busy lately. Anyway, thanks a lot!! :D
szaku
Active Member
 
Posts: 11
Joined: October 26th, 2005, 6:39 am

Post by dobhar » October 27th, 2005, 11:10 am

No problem...I will be waiting for your reply.

Thanks,
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Post by szaku » October 28th, 2005, 1:59 am

:D :D . . .

I think I have got rid of it, haha, luckily and finally. Thanks very much.

This is my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 1:56:43 PM, on 10/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\igfxtray.exe
D:\WINDOWS\System32\hkcmd.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Yahoo!\Messenger\YPager.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - D:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - D:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - D:\WINDOWS\system32\awvvt.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - D:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - D:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - D:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\RunServices: [NvUpdater] nwiz32.exe
O4 - HKLM\..\RunServices: [CTUpdate] ctupdclt.exe
O4 - HKCU\..\Run: [NvUpdater] nwiz32.exe
O4 - HKCU\..\Run: [CTUpdate] ctupdclt.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunServices: [NvUpdater] nwiz32.exe
O4 - HKCU\..\RunServices: [CTUpdate] ctupdclt.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b30149.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4520174296
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://D:\Documents and Settings\SawFamily\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq.com/odyssey_web11.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0224FB4-5A83-4471-AF8F-BEE472336D2C}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awvvt - D:\WINDOWS\system32\awvvt.dll (file missing)
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

VundoFix log:

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

ReadMe.txt
killvundo.bat
process.exe
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was D:\WINDOWS\system32\awvvt.dll

The second filepath entered was D:\WINDOWS\system32\tvvwa.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 156 'smss.exe'

Killing PID 756 'explorer.exe'
Killing PID 756 'explorer.exe'


Killing PID 232 'winlogon.exe'
Killing PID 232 'winlogon.exe'
Error 0x5 : Access is denied.

--------------------------------------------------------------------------------------

D:\WINDOWS\system32\awvvt.dll Deleted sucessfully.
D:\WINDOWS\system32\tvvwa.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

Panda scan result:

Spyware:spyware/dyfuca No disinfected D:\Documents and Settings\SawFamily\Local Settings\Temp\cfout.txt
Adware:adware/block-checker No disinfected D:\WINDOWS\SYSTEM32\ustart.exe
Spyware:spyware/virtumonde No disinfected Windows Registry
szaku
Active Member
 
Posts: 11
Joined: October 26th, 2005, 6:39 am
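The checks behind Step 5 of dobhar's instructions and the post-fix log above, as an added example that is not part of this thread: a Python script that picks out a DLL loaded both as an O2 BHO and as an O20 Winlogon Notify entry from system32 in the first HijackThis log, derives the two paths VundoFix was given (the DLL, and its name spelled backwards with any extension), and lists the "(file missing)" leftovers in the second log that HijackThis would still need to fix. The log lines are copied from the thread; the function names are my own.

```python
import ntpath
from collections import defaultdict
from dataclasses import dataclass

# Sample input: lines copied from the two HijackThis logs posted in this thread,
# the first taken before VundoFix ran and the second after (constructed excerpt).
BEFORE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - D:\\WINDOWS\\system32\\awvvt.dll
O20 - Winlogon Notify: awvvt - D:\\WINDOWS\\system32\\awvvt.dll
O20 - Winlogon Notify: igfxcui - D:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll
"""

AFTER_LOG = """\
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - D:\\WINDOWS\\system32\\awvvt.dll (file missing)
O20 - Winlogon Notify: awvvt - D:\\WINDOWS\\system32\\awvvt.dll (file missing)
O20 - Winlogon Notify: igfxcui - D:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll
"""

MISSING = " (file missing)"


@dataclass
class Entry:
    section: str   # HijackThis section, e.g. "O2" or "O20"
    label: str     # text after the section, e.g. "Winlogon Notify: awvvt"
    path: str      # file the entry loads, as written in the log
    missing: bool  # True when HijackThis appended "(file missing)"


def parse_entries(log: str) -> list[Entry]:
    """Parse the O2 (BHO) and O20 (Winlogon Notify) lines of a HijackThis log."""
    entries = []
    for line in log.splitlines():
        parts = line.split(" - ")
        if len(parts) < 3 or parts[0] not in ("O2", "O20"):
            continue
        path = parts[-1].strip()
        missing = path.endswith(MISSING)
        if missing:
            path = path[: -len(MISSING)]
        entries.append(Entry(parts[0], parts[1], path, missing))
    return entries


def find_vundo_like(entries: list[Entry]) -> list[str]:
    """Return DLLs under system32 that are loaded both as a BHO (O2) and as a
    Winlogon Notify handler (O20), the pairing dobhar had removed in this thread.
    Entries marked '(file missing)' are skipped: that DLL can no longer load."""
    sections = defaultdict(set)
    original = {}
    for e in entries:
        if e.missing:
            continue
        key = e.path.lower()
        if "\\windows\\system32\\" not in key:
            continue
        sections[key].add(e.section)
        original.setdefault(key, e.path)
    return [original[k] for k in sorted(sections) if {"O2", "O20"} <= sections[k]]


def vundofix_paths(dll_path: str) -> tuple[str, str]:
    """Derive the two file paths VundoFix asks for: the DLL itself and the
    companion whose base name is the DLL's name spelled backwards, with any
    extension (awvvt.dll -> tvvwa.*), as in Step 5 of the instructions."""
    directory, filename = ntpath.split(dll_path)
    stem, _ext = ntpath.splitext(filename)
    return dll_path, ntpath.join(directory, stem[::-1] + ".*")


def leftover_entries(entries: list[Entry]) -> list[Entry]:
    """Registry entries whose file is gone: no longer active, but still to be
    fixed in HijackThis so the deleted DLL is not referenced at logon."""
    return [e for e in entries if e.missing]


if __name__ == "__main__":
    before = parse_entries(BEFORE_LOG)
    for dll in find_vundo_like(before):
        print("Vundo-like DLL:", dll, "-> VundoFix paths:", vundofix_paths(dll))
    for e in leftover_entries(parse_entries(AFTER_LOG)):
        print("Orphaned entry to fix in HijackThis:", e.section, e.label)
```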

Post by szaku » October 28th, 2005, 2:06 am

I also want to ask a question: do the spyware/adware Dyfuca, block-checker and virtumonde affect my computer?

But when I used Ad-Aware SE Personal, it couldn't find any of those. I am somewhat worried about it; will they give me problems?

Thanks.
szaku
Active Member
 
Posts: 11
Joined: October 26th, 2005, 6:39 am

Post by dobhar » October 28th, 2005, 8:03 pm

Hi...

There is a possibility that they are False Positives, but let's go through the process...
_____________________________________________________

Please print out or copy these instructions\tutorials to Notepad, as the internet will be unavailable to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
_____________________________________________________

Step 1.
==========

Please download Ewido Security Suite from here
(Note: As this is a trial version, after the 14 day trial period has expired Ewido will lose some functionality. Ewido will then work as an on-demand program; make sure to check for updates regularly.)
  1. Install ewido security suite
  2. When installing the program, under "Additional Options" uncheck...
    • Install background guard
    • Install scan via context menu
  3. Launch ewido, there should now be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  6. You will need to update ewido to the latest definition files:
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  7. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  8. Close Ewido Security Suite
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates

Step 2.
==========

Let's clean up those files Panda found... If you have a problem deleting them in "Normal Mode", try again after you're in "Safe Mode".
- Delete the following File(s) in BOLD only. (Note: Don't be concerned if you can't find them, but advise if not found)
File(s)...
D:\WINDOWS\SYSTEM32\ustart.exe <<<= Delete This File
D:\Documents and Settings\SawFamily\Local Settings\Temp\cfout.txt <<<= Delete This File

Step 3.
==========

- Reboot computer into "Safe Mode" Using the F8 method...

Step 4.
==========

Please make sure all hidden files are still showing..

Step 5.
==========

We now need to clean up all the Temp, Temporary Internet Files, Recycle Bin, etc...
- Start the CCleaner program
- Get into "Options" => Select "Advanced" => Deselect\uncheck "Only delete files in Windows Temp folders older than 48 hours"
- We are only going to work with the "Cleaner" section. (Note: Do not use the "Issues" section)
- Click on the Run Cleaner button in the lower right-hand corner
- After it completes, close the program
- Make sure your Recycle Bin is empty.

Step 6.
==========

Start Ewido Security Suite
  • Click on scanner. (Note: Do not start any programs or open any windows while Ewido is scanning)
  • Click on Complete System Scan, the scan will now begin.
  • While the scan is in progress you will be prompted to clean files, click OK.
  • When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  • Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
  • Click Save Report.
  • Now save the report .txt file to your desktop.
  • Close Ewido Security Suite

Step 7.
==========

Run Panda's ActiveScan from here and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your Valid Email
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
- Post Panda scan results in your next reply

Step 8.
==========

- Post a fresh new HijackThis log
- Post the Ewido scan log
- Post the Panda ActiveScan results
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby szaku » October 29th, 2005, 3:00 am

Okay, I have done all of the above.

New HJT log :

Logfile of HijackThis v1.99.1
Scan saved at 3:00:39 PM, on 10/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\igfxtray.exe
D:\WINDOWS\System32\hkcmd.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - D:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - D:\WINDOWS\system32\awvvt.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - D:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - D:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - D:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [KAVPersonal50] D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\RunServices: [NvUpdater] nwiz32.exe
O4 - HKLM\..\RunServices: [CTUpdate] ctupdclt.exe
O4 - HKCU\..\Run: [NvUpdater] nwiz32.exe
O4 - HKCU\..\Run: [CTUpdate] ctupdclt.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunServices: [NvUpdater] nwiz32.exe
O4 - HKCU\..\RunServices: [CTUpdate] ctupdclt.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b30149.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4520174296
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://D:\Documents and Settings\SawFamily\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq.com/odyssey_web11.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0224FB4-5A83-4471-AF8F-BEE472336D2C}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awvvt - D:\WINDOWS\system32\awvvt.dll (file missing)
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:29:39 PM, 10/29/2005
+ Report-Checksum: 1D45108D

+ Scan result:


D:\WINDOWS\system32\temp.exe -> Spyware.WinAD : Cleaned with backup
D:\Program Files\Yahoo!\YPSR\Quarantine\ppq3B.tmp\SAccU.exe -> Spyware.SurfAccuracy : Cleaned with backup
D:\Program Files\Yahoo!\YPSR\Quarantine\ppq46.tmp -> Spyware.Cookie.Burstnet : Cleaned with backup
D:\Program Files\Yahoo!\YPSR\Quarantine\ppq47.tmp -> Spyware.Cookie.Burstnet : Cleaned with backup
D:\Program Files\Yahoo!\YPSR\Quarantine\ppq4B.tmp -> Spyware.Cookie.Com : Cleaned with backup
D:\Program Files\Yahoo!\YPSR\Quarantine\ppq4C.tmp -> Spyware.Cookie.Com : Cleaned with backup
D:\Program Files\Yahoo!\YPSR\Quarantine\ppq4D.tmp -> Spyware.Cookie.Clickzs : Cleaned with backup
D:\Program Files\Yahoo!\YPSR\Quarantine\ppq27.tmp -> Spyware.Cookie.Bfast : Cleaned with backup
D:\Program Files\Yahoo!\YPSR\Quarantine\ppq2A.tmp -> Spyware.Cookie.Statcounter : Cleaned with backup
D:\Program Files\Yahoo!\YPSR\Quarantine\ppq17F.tmp -> Spyware.Cookie.Onestat : Cleaned with backup
D:\Program Files\Yahoo!\YPSR\Quarantine\ppqA.tmp -> Spyware.Cookie.Hypertracker : Cleaned with backup
E:\TEMP\asmfiles.cab/asm.exe -> Spyware.Altnet : Cleaned with backup
G:\EA GAMES\downloaded\MsgPlus-252.exe/70000011.exe -> TrojanDownloader.Swizzor.af : Error during cleaning
G:\Warcraft III\War3TFTv1.17-NoCDVirtualFixedexeAll.rar/revolt.dll -> Trojan.Zapchast : Error during cleaning
G:\Program Files\Altnet\Download Manager\asm.exe -> Spyware.Altnet : Cleaned with backup
G:\downloaded\block-checker-xp.exe/2 -> Spyware.Chiem : Cleaned with backup


::Report End

Panda scan results :

Adware:adware/block-checker No disinfected Windows Registry
Adware:Adware/IPInsight No disinfected D:\Program Files\Spyware Nuker 2004\backup\200510101422.zip[alchem.inf.000]
Spyware:Spyware/Virtumonde No disinfected D:\System Volume Information\_restore{C0485098-D727-4240-9FAC-ED1CAF2801EE}\RP483\A0099791.dll
Adware:Adware/WinAD No disinfected D:\System Volume Information\_restore{C0485098-D727-4240-9FAC-ED1CAF2801EE}\RP484\A0103536.exe
Adware:Adware/SurfAccuracy No disinfected D:\System Volume Information\_restore{C0485098-D727-4240-9FAC-ED1CAF2801EE}\RP484\A0103537.exe
Spyware:Spyware/Altnet No disinfected G:\System Volume Information\_restore{C0485098-D727-4240-9FAC-ED1CAF2801EE}\RP484\A0103538.exe
Virus:Trj/Zapchast.S No disinfected G:\Warcraft III\War3TFTv1.17-NoCDVirtualFixedexeAll.rar[revolt.dll]
Spyware:Spyware/Altnet No disinfected G:\Program Files\Digital Fusion\Altnet\Download Manager\asm.exe

Okay, the above are the results. I think there are a few more results this time because before this I just scanned my (D:) instead of scanning the (G:) partition. Now I have done the full scan. :D
szaku
Active Member
 
Posts: 11
Joined: October 26th, 2005, 6:39 am

Unread postby dobhar » October 29th, 2005, 3:50 pm

Hi...

1) Quick question...is this your ISP (Internet Service Provider) => 202.188.0.133??

2) I can also see that you are running iMesh. I recommend you remove\uninstall it as it is listed as "Infected" at SpywareInfo's Clean and Infected File Sharing Programs page found here

3) You are also running FlashGet...The unregistered version of FlashGet serves up Ads in Internet Explorer that are downloaded from Cydoor servers. I would suggest removing it if it is this version. The registered version supposedly does not... so it should be ok. I usually recommend Leechget.

4) You are using DAP which is not technically malware, but it may include malware and allow it into your system. You can find Safer Alternatives.

OK...let's get started...
_____________________________________________________

Please print out or copy these instructions\tutorials to Notepad as the internet will be unavailable to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
_____________________________________________________

Step 1.
==========

If you decided to remove the programs I mentioned above, then run this step; otherwise go on to Step 2.
We need to uninstall some programs using "Add or Remove Programs" in the Control Panel:
  1. Get into Control Panel.
  2. Double-click "Add or Remove Programs".
  3. Look in the Currently installed programs box for each program listed below and if it is there:
    1. Click on it to select it.
    2. Click Change (or Change/Remove) button.
    3. If you are prompted to confirm the removal of the program, click "Yes"
DAP
FlashGet
iMesh


Step 2.
==========

- Reboot the computer into "Safe Mode" using the F8 method...

Step 3.
==========

Please make sure all hidden files are still showing...

Step 4.
==========

- Close all Windows and Programs
- Start HijackThis...
- Select\check the following entries. Double-check to make sure that only these entries are checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - D:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL Only if you uninstalled the program
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - D:\WINDOWS\system32\awvvt.dll (file missing)
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - D:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL Only if you uninstalled the program
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - D:\Program Files\DAP\DAPIEBar.dll Only if you uninstalled the program
O4 - HKLM\..\RunServices: [NvUpdater] nwiz32.exe
O4 - HKLM\..\RunServices: [CTUpdate] ctupdclt.exe
O4 - HKCU\..\Run: [NvUpdater] nwiz32.exe
O4 - HKCU\..\Run: [CTUpdate] ctupdclt.exe
O4 - HKCU\..\RunServices: [NvUpdater] nwiz32.exe
O4 - HKCU\..\RunServices: [CTUpdate] ctupdclt.exe
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm Only if you uninstalled the program
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm Only if you uninstalled the program
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm Only if you uninstalled the program
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm Only if you uninstalled the program
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe (file missing) Only if you uninstalled the program
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe (file missing) Only if you uninstalled the program
O20 - Winlogon Notify: awvvt - D:\WINDOWS\system32\awvvt.dll (file missing)

- Click the "Fix checked" button.
- Close HijackThis

Step 2.
==========

- Delete the following Folder(s) and File(s) in BOLD only. (Note: Don't be concerned if you can't find them, but advise me if they are not found)
Folder(s)...
D:\Program Files\DAP <<<= Delete This Folder =>>> Only if you uninstalled the program
D:\Program Files\FlashGet <<<= Delete This Folder =>>> Only if you uninstalled the program
D:\Program Files\iMeshBar <<<= Delete This Folder =>>> Only if you uninstalled the program

File(s)...
D:\WINDOWS\SYSTEM32\awvvt.dll <<<= Delete This File
G:\Warcraft III\War3TFTv1.17-NoCDVirtualFixedexeAll.rar <<<= Delete This File

(Files specified without a full path will be located in C:\Windows\ or C:\Windows\System32\)
D:\Windows\System32\nwiz32.exe <<<= Delete This File
D:\Windows\System32\ctupdclt.exe <<<= Delete This File

Step 5.
==========

We now need to clean up all the Temp, Temporary Internet Files, Recycle Bin, etc...
- Start the CCleaner program
- Get into "Options" => Select "Advanced" => Deselect\uncheck "Only delete files in Windows Temp folders older than 48 hours"
- We are only going to work with the "Cleaner" section. (Note: Do not use the "Issues" section)
- Click on the Run Cleaner button in the lower right-hand corner
- After it completes, close the program
- Make sure your Recycle Bin is empty.

Step 6.
==========

Start Ewido Security Suite
  • Click on scanner. (Note: Do not start any programs or open any windows while Ewido is scanning)
  • Click on Complete System Scan, the scan will now begin.
  • While the scan is in progress you will be prompted to clean files, click OK.
  • When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  • Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
  • Click Save Report.
  • Now save the report .txt file to your desktop.
  • Close Ewido Security Suite

Step 8.
==========

- Reboot computer into "Normal Mode"
- Post a fresh new HijackThis log
- Post the Ewido scan log
Last edited by dobhar on October 30th, 2005, 3:34 pm, edited 1 time in total.
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg
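As an added example (not code from this thread, from HijackThis or from the helper), the following script applies the same triage rules dobhar used in Step 4 above to an excerpt of the log posted earlier: orphaned "(file missing)" references, autostart entries with no path, the Windows 9x-era RunServices key, and one DLL registered both as a BHO and as a Winlogon Notify handler. The rule names, reason strings and function names are my own.

```python
import re
from collections import Counter, defaultdict

# Excerpt of the HijackThis log posted above, used as offline sample input.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - D:\WINDOWS\system32\awvvt.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [NvUpdater] nwiz32.exe
O4 - HKLM\..\RunServices: [CTUpdate] ctupdclt.exe
O4 - HKCU\..\Run: [NvUpdater] nwiz32.exe
O4 - HKCU\..\Run: [CTUpdate] ctupdclt.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunServices: [NvUpdater] nwiz32.exe
O4 - HKCU\..\RunServices: [CTUpdate] ctupdclt.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O20 - Winlogon Notify: awvvt - D:\WINDOWS\system32\awvvt.dll (file missing)
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

MISSING = "(file missing)"
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
O4_RE = re.compile(r"^(.*?): \[[^\]]*\]\s*(.*)$")   # 'HKLM\..\Run: [Name] command'


def entries(log_text):
    """Yield (section, body, line) for every HijackThis entry line such as 'O4 - ...'."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def module_path(body):
    """Normalised path of the file an O2/O3/O9/O20 entry loads (its last ' - ' field)."""
    return body.rsplit(" - ", 1)[-1].replace(MISSING, "").strip().lower()


def bare_executable(command):
    """First token of an O4 command if it carries no path at all, else None."""
    command = command.strip().strip('"')
    if not command:
        return None
    token = command.split()[0]
    if "\\" in token or token.startswith("%") or re.match(r"^[A-Za-z]:", token):
        return None
    return token.lower()


def triage(log_text):
    """Map each suspicious entry line to the list of reasons it was flagged."""
    parsed = list(entries(log_text))
    reasons = defaultdict(list)

    # A DLL that is both a BHO and a Winlogon Notify handler survives a browser-only
    # fix; the Vundo/Virtumonde family registers itself in both places.
    shared = ({module_path(b) for s, b, _ in parsed if s == "O2"}
              & {module_path(b) for s, b, _ in parsed if s == "O20"})

    # Count how many autostart keys point at the same path-less executable.
    bare_counts = Counter()
    for s, b, _ in parsed:
        m = O4_RE.match(b) if s == "O4" else None
        exe = bare_executable(m.group(2)) if m else None
        if exe:
            bare_counts[exe] += 1

    for s, b, line in parsed:
        if MISSING in b:
            reasons[line].append("referenced file is missing: orphaned entry, fix it unless the program is still installed")
        if s in ("O2", "O20") and module_path(b) in shared:
            reasons[line].append("same DLL registered as a BHO (O2) and a Winlogon Notify handler (O20)")
        if s == "O4":
            m = O4_RE.match(b)
            if m:
                key, exe = m.group(1), bare_executable(m.group(2))
                if exe:
                    reasons[line].append(f"autostart with no path ({exe}): locate it under Windows\\System32 and identify it")
                    if bare_counts[exe] > 1:
                        reasons[line].append(f"{exe} is registered in {bare_counts[exe]} autostart keys")
                if key.endswith("RunServices"):
                    reasons[line].append("RunServices is a Windows 9x-era key not used by XP; an entry here points to malware writing every autostart location it knows")
    return dict(reasons)


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG).items():
        print(line)
        for r in why:
            print("    ->", r)
```

Entries with no reason (igfxtray, ctfmon, the Acrobat BHO) are left out of the result, which is the same split dobhar made between the entries to fix and the ones to leave alone.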

Unread postby szaku » October 30th, 2005, 5:21 am

Hihi, my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:50:47 AM, on 10/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\igfxtray.exe
D:\WINDOWS\System32\hkcmd.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\NOTEPAD.EXE
d:\progra~1\common~1\instal~1\update~1\isuspm.exe
D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - D:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [KAVPersonal50] D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b30149.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4520174296
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://D:\Documents and Settings\SawFamily\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq.com/odyssey_web11.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0224FB4-5A83-4471-AF8F-BEE472336D2C}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:05:34 AM, 10/30/2005
+ Report-Checksum: 5AE8559D

+ Scan result:


D:\System Volume Information\_restore{C0485098-D727-4240-9FAC-ED1CAF2801EE}\RP484\A0103536.exe -> Spyware.WinAD : Cleaned with backup
D:\System Volume Information\_restore{C0485098-D727-4240-9FAC-ED1CAF2801EE}\RP484\A0103537.exe -> Spyware.SurfAccuracy : Cleaned with backup
G:\System Volume Information\_restore{C0485098-D727-4240-9FAC-ED1CAF2801EE}\RP484\A0103538.exe -> Spyware.Altnet : Cleaned with backup
G:\System Volume Information\_restore{C0485098-D727-4240-9FAC-ED1CAF2801EE}\RP484\A0103539.exe/2 -> Spyware.Chiem : Error during cleaning
G:\EA GAMES\downloaded\MsgPlus-252.exe/70000011.exe -> TrojanDownloader.Swizzor.af : Error during cleaning


::Report End
szaku
Active Member
 
Posts: 11
Joined: October 26th, 2005, 6:39 am

Unread postby dobhar » October 30th, 2005, 3:46 pm

Hi szaku...

Very nice job... :)

Your log is looking quite clean. Unfortunately I did miss telling you to delete one more file from your G: drive that the Ewido Scan picked up.

Also I need you to answer this question...Is this your ISP (Internet Service Provider) => 202.188.0.133?? <<<= This is a clickable link.

So let's get rid of that file...
_____________________________________

Step 1.
==========

- Delete the following File(s) in BOLD only. (Note: Don't be concerned if you can't find it, but advise me if it is not found)
File(s)...
G:\EA GAMES\downloaded\MsgPlus-252.exe <<<= Delete This File
(Note: If you have a problem deleting this file in Normal Mode try it in Safe Mode)

Step 8.
==========

- Post one last fresh new HijackThis log
- Is 202.188.0.133 from your ISP??
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg
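The file dobhar missed is the one Ewido reported as "Error during cleaning" inside an installer. As an added example (not code from the thread or from Ewido), this script pulls those lines out of a report like the ones posted above and names the file on disk that still needs a manual delete, separating out hits that sit in a System Restore point; the sample input is an excerpt of the posted report and the note text and function names are my own.

```python
import re

# Excerpt of the Ewido report posted above, used as offline sample input.
SAMPLE_REPORT = r"""
+ Scan result:

D:\System Volume Information\_restore{C0485098-D727-4240-9FAC-ED1CAF2801EE}\RP484\A0103536.exe -> Spyware.WinAD : Cleaned with backup
G:\System Volume Information\_restore{C0485098-D727-4240-9FAC-ED1CAF2801EE}\RP484\A0103539.exe/2 -> Spyware.Chiem : Error during cleaning
G:\EA GAMES\downloaded\MsgPlus-252.exe/70000011.exe -> TrojanDownloader.Swizzor.af : Error during cleaning

::Report End
"""

# One result line: '<path> -> <detection name> : <status>'
RESULT_RE = re.compile(r"^(?P<path>.+?) -> (?P<name>\S+) : (?P<status>.+)$")
FAILED = "Error during cleaning"


def container_file(path):
    """Ewido names an object inside an archive or installer as 'container/inner';
    the file that actually exists on disk is the container before the first '/'."""
    drive, rest = path[:2], path[2:]          # keep 'G:' intact, split only the remainder
    return drive + rest.split("/", 1)[0]


def is_restore_point(path):
    """True for files under a System Restore point (a protected folder)."""
    return "\\System Volume Information\\_restore{" in path


def manual_cleanup_targets(report):
    """Return [(file_on_disk, detection, note)] for every result Ewido could not clean."""
    targets = []
    for line in report.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m or m.group("status") != FAILED:
            continue
        path = container_file(m.group("path"))
        if is_restore_point(path):
            note = "inside a System Restore point (protected folder): a plain delete will not work"
        else:
            note = "delete this file by hand (try Safe Mode if Normal Mode refuses)"
        targets.append((path, m.group("name"), note))
    return targets


if __name__ == "__main__":
    for path, name, note in manual_cleanup_targets(SAMPLE_REPORT):
        print(f"{path}  [{name}]  {note}")
```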

Unread postby szaku » October 31st, 2005, 2:58 am

Oh sorry dobhar, I missed your question in the previous reply; 202.188.0.133 is my ISP address.

This is my fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:05:22 PM, on 10/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\igfxtray.exe
D:\WINDOWS\System32\hkcmd.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Windows Media Player\wmplayer.exe
D:\Program Files\Yahoo!\Messenger\YPager.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - D:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [KAVPersonal50] D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b30149.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4520174296
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://D:\Documents and Settings\SawFamily\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq.com/odyssey_web11.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0224FB4-5A83-4471-AF8F-BEE472336D2C}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe



Thanks a lot dobhar .
szaku
Active Member
 
Posts: 11
Joined: October 26th, 2005, 6:39 am

Unread postby dobhar » October 31st, 2005, 3:13 am

Hi szaku...

Congrats... :D Your log seems to be clean. Nice Job... :)

I can find nothing bad listed so I'm also posting my standard {All Clean} speech below. It has good information and some recommended tools (Recommended by all who deal with Spyware Nasties). Tools like SpywareBlaster => SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. Definitely recommended!!
____________________________________

The last thing I need you to do is to reset your "Hidden files and folders". System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion...
- Open "My Computer".
- Click on "Tools" and from the drop down menu select "Folder Options".
- Select the "View" tab.
- Under the Hidden files and folders heading UNSELECT "Show Hidden files and folders".
- CHECK the "Hide protected operating system files (recommended)" option.
- Click "Yes" to confirm.
- Click "OK".
___________________________

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point. You can find instructions on how to disable and re-enable System Restore here:

    Managing Windows Millennium System Restore or Windows XP System Restore Guide

    Re-enable System Restore with instructions from the tutorial above
  2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialize and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online and stand-alone antivirus programs:
    Virus, Spyware, and Malware Protection and Removal Resources
  4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  5. Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly. For a tutorial on Firewalls and a listing of some available ones see the link below:
    Understanding and Using Firewalls
  6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  7. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software. A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
  8. Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, in conjunction with Spybot, just as you would with antivirus software. A tutorial on installing & using this product can be found here:
    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
  9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial on installing & using this product can be found here:
    Using SpywareBlaster to protect your computer from Spyware and Malware
  10. Install IE-SPYAD - IE-SPYAD adds a list of sites and domains associated with advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer. A tutorial on installing & using IE-SPYAD can be found here:
    Using IE-Spyad to enhance your privacy and security
  11. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad we were able to help.
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg
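As an added example that is not part of dobhar's post or the forum's own tools: the Custom Level settings and the Folder Options reset above are stored as plain registry values, so once you have clicked through them you can export the two keys with reg export and check the result offline rather than trusting the dialog. The Python script below parses such an export, reports every setting that is not at the value recommended in the post, and writes a .reg fragment that corrects it. The URL action IDs (1001, 1004, 1201, 1800, 1804, 1607) and the 0/1/3 = Enable/Prompt/Disable encoding are taken from Microsoft's documentation of the Internet Settings zone keys; the Explorer\Advanced values Hidden (2 = do not show) and ShowSuperHidden (0 = keep protected files hidden) are the ones the Folder Options dialog writes. The sample export inside the script is constructed for illustration and is not from the poster's machine.

```python
"""Audit a registry export for the Internet-zone hardening and the
Folder Options reset described above.

Added example, not from the post or the forum's tools.  Action IDs and
the 0/1/3 = Enable/Prompt/Disable encoding follow Microsoft's documented
Internet Settings zone values; SAMPLE_EXPORT below is constructed.
"""
import re
import sys

ZONE3 = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
         r"\Internet Settings\Zones\3")        # IE "Internet" zone
ADVANCED = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
            r"\Explorer\Advanced")             # Folder Options -> View

ENABLE, PROMPT, DISABLE = 0, 1, 3

# (key, value name) -> (description, recommended value), as in the post.
EXPECTED = {
    (ZONE3, "1001"): ("Download signed ActiveX controls", PROMPT),
    (ZONE3, "1004"): ("Download unsigned ActiveX controls", DISABLE),
    (ZONE3, "1201"): ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    (ZONE3, "1800"): ("Installation of desktop items", PROMPT),
    (ZONE3, "1804"): ("Launching programs and files in an IFRAME", PROMPT),
    (ZONE3, "1607"): ("Navigate sub-frames across different domains", PROMPT),
    (ADVANCED, "Hidden"): ("Show hidden files and folders (2 = do not show)", 2),
    (ADVANCED, "ShowSuperHidden"): ("Hide protected OS files (0 = hidden)", 0),
}

VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Parse the subset of .reg syntax that 'reg export' emits for these
    keys: [Key] headers followed by "Name"=dword:XXXXXXXX lines.  String
    values (e.g. "DisplayName"="Internet") are ignored."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            values[(key, m.group(1))] = int(m.group(2), 16)
    return values


def audit(values):
    """Return one finding per setting that is missing or not at the
    recommended value.  A missing value is reported too: it means the
    dialog was never changed from its template default."""
    findings = []
    for (key, name), (desc, want) in EXPECTED.items():
        have = values.get((key, name))
        if have != want:
            findings.append({"key": key, "name": name, "desc": desc,
                             "want": want, "have": have})
    return findings


def remediation_reg(findings):
    """Emit a .reg file (import with 'regedit /s fix.reg') that sets every
    non-compliant value to the recommended one, grouped by key."""
    by_key = {}
    for f in findings:
        by_key.setdefault(f["key"], []).append(f)
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, items in by_key.items():
        out.append("[%s]" % key)
        out.extend('"%s"=dword:%08x' % (f["name"], f["want"]) for f in items)
        out.append("")
    return "\n".join(out)


def load_export(path):
    """'reg export' writes UTF-16 with a BOM; the older REGEDIT4 format
    regedit can save is ANSI.  Handle both."""
    data = open(path, "rb").read()
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("latin-1")


# Constructed sample: zone mostly hardened, IFRAME/sub-frame actions still
# Enabled, hidden and protected files still shown.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000003
"1201"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000000
"1607"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
"""

if __name__ == "__main__":
    text = load_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    findings = audit(parse_reg(text))
    if not findings:
        print("All settings at the recommended values.")
    for f in findings:
        print("%-62s want %s, have %s" % (f["desc"], f["want"], f["have"]))
    if findings:
        print("\n--- fix.reg ---\n" + remediation_reg(findings))
```

On the affected machine, export both keys with reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg and reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" adv.reg, concatenate them, and pass the file to the script; the script handles the UTF-16 encoding that reg export uses. Re-running the audit after importing the generated fix.reg (and restarting Explorer and IE so they re-read the values) should report no findings.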