My Hijackthis Log

Post by Sexual Kev » December 9th, 2005, 1:52 pm

Logfile of HijackThis v1.99.1
Scan saved at 17:50:34, on 09/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Kevin\My Documents\System Tools\Trojan Hunter.exe
C:\DOCUME~1\Kevin\LOCALS~1\Temp\is-4B5UO.tmp\is-S92V7.tmp
C:\Program Files\TrojanHunter 4.2\InstTimeUpdater.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hp7B2B.tmp
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 4.2\THGuard.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/MsnChat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{908DFA85-CE82-4090-B2C2-E6788E8E1C13}: NameServer = 212.74.114.129 212.74.114.193
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Sexual Kev
Active Member
 
Posts: 4
Joined: December 9th, 2005, 1:38 pm

Post by Surreal2 » December 10th, 2005, 6:50 am

Hi and welcome to the Malware Removal site.

I'm checking your log and will post back asap - please be patient until then as researching the log takes a little time.

Cheers...
Surreal2
Regular Member
 
Posts: 207
Joined: September 30th, 2005, 1:24 pm
Location: Peterborough, UK

Post by Sexual Kev » December 10th, 2005, 7:21 am

Ok thank you
Sexual Kev
Active Member
 
Posts: 4
Joined: December 9th, 2005, 1:38 pm

Post by Surreal2 » December 10th, 2005, 1:10 pm

Hi again - some problems show up in your log. It will take a few steps to clean out the malware so please work carefully through the following.


Step 1
    First, please temporarily disable the real time protection function of Trojan Hunter as it may interfere with the fix. To do this, look for the icon in the lower right corner of your screen (light blue magnifying glass with a red handle), right-click on it and select 'Settings', then click to UN-check both 'Load at startup' and 'Enabled'.
Step 2
  • Click HERE to download smitRem.exe © noahdfear and save it to your desktop - DO NOT RUN IT YET
  • Click HERE to download Ad-Aware and save it to a convenient location (ie C:/Program Files/Ad-Aware)
    • Navigate to the folder, install and start the program then click the 'globe' button at the top to check for and download any updates
    • When it's downloaded all the updates, close the program - DO NOT RUN A SCAN YET
  • Click HERE and use the 'Download now' button at the bottom of the page to download Ewido Security Suite to a convenient location.
    • Navigate to that folder and click or double-click on ewido-setup.exe to install the program
    • When installing, under 'Additional Options' UN-check 'Install background guard' and UN-check 'Install scan via context menu'
    • When it has installed there should be a big 'E' icon on your desktop, click or double-click it to start the program
    • Click 'OK' when prompted to update it, then on the left-hand side of the main screen click 'Update' and then 'Start'
    • When the updates have been installed, exit Ewido - DO NOT RUN IT YET
Please print out the rest of this post or copy it to Notepad as you will now need to restart your computer in Safe Mode and won't have access to the Internet

Step 3
  • Restart your computer in Safe Mode (restart it and immediately begin repeatedly tapping the 'F8' key until a menu appears, use the arrow keys to highlight 'Safe Mode' and click the 'Enter' key)
  • In Safe Mode go Start --> Control panel --> Folder options, select the View tab, choose to 'Show hidden files and folders' and UN-check both 'Hide protected operating system files' and 'Hide extensions for known file types', then click 'OK' to close the window
Step 4
  • You have the MyWay search toolbar installed. Although this is now owned by 'Ask Jeeves', it is still considered malware because it is installed without giving the user proper information in the download agreement (see HERE if you would like to read more information about this).
  • If you installed MyWay intentionally and find its functions useful, fine, but otherwise I'd recommend removing it. If you agree to do this, please use Windows' Add/Remove Programs feature, look for an entry named 'MyWay Speed Bar' and choose to remove it.
Step 5
  • Still in Safe Mode, start HijackThis and click 'Do a system scan only', then click to place a checkmark against the following entries:

    O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hp7B2B.tmp
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
  • If you agreed to remove MyWay, check the following as well - otherwise leave the entries unchecked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway

    Ensure there are no open windows/programs except for HijackThis, and click 'Fix checked', then close HijackThis
Step 6
  • Using Windows Explorer, look for and delete the following items shown in BOLD:

    C:\Windows\System32\hp7B2B.tmp <-- delete all instances of files beginning with 'hp' and ending with the '.tmp' extension and having any random letters/numbers between them

    C:\Documents and Settings\Kevin\Local Settings\Temp\ALL <-- select and delete all files in this Temp folder, but do not delete the folder itself
  • If you agreed to remove MyWay, also delete this:

    C:\Program Files\MyWaySA <-- delete this entire folder and all its contents
Step 7
  • Click or double-click on the smitRem.exe file on your desktop and extract the program into its own folder on the desktop
  • Ensure there are no other open programs/windows on your computer then open the folder and click or double click the RunThis.bat file to start the tool
  • Follow the prompts and then wait for the tool to complete and disk cleanup to finish
  • A log named smitfiles.txt will be created in the root of your drive (eg Local Disk C: or the partition where your operating system is installed)
Step 8
  • Ensure all other programs/windows are closed then start Ad-Aware
  • Choose to perform a full system scan and then choose to remove everything it finds, then close the program
Step 9
  • Ensure all other programs/windows are closed then start Ewido
  • Click on 'scanner' and then click 'Complete System Scan' to begin the scan (see note below)
  • When the scan is finished, click 'Save report' and save the report to your desktop, then close Ewido

    NOTE: we are finding cases of 'false positives' with Ewido so you will need to step through the process of cleaning files one-by-one. If Ewido detects a file you know is legitimate, or if you are unsure of any entry, select 'None' as the action - DO NOT select 'Perform action on all infections'.
Step 10
  • Go Start --> Control Panel --> Display --> Desktop --> Customize Desktop --> Web and UN-check 'Security Info' if present
  • Now re-start your computer in Normal Mode
  • Connect to the Internet and click HERE to visit the Panda ActiveScan website
    • Click the 'Scan your PC' button (about halfway down the page) and in the new window that opens click the 'Check Now' button
    • Enter your Country, State/Province and e-mail address (it is safe to do so) and click 'Send', then select either 'Home User' or 'Company' and click the big 'Scan Now' button
    • If Panda asks to install an ActiveX component allow it to do so - it will then download the files it requires (which may take a few minutes)
    • When the download is finished click on 'Local Disks' to start the scan
    • When the scan completes, if anything malicious is detected, click the 'See Report' button, then 'Save Report' and save it to your desktop

Finally, run HijackThis again and post back with the following logs (you may have to put them in separate posts):
  • HijackThis
  • smitRem
  • Ewido
  • Panda
Also, please let me know how your computer is behaving now.


Cheers…
Surreal2
Regular Member
 
Posts: 207
Joined: September 30th, 2005, 1:24 pm
Location: Peterborough, UK
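Surreal2's post above picks three entries out of a log of roughly a hundred lines: a BHO loading from a .tmp file in system32, a URLSearchHook marked "(file missing)", and an extra button with "(no file)" behind it, plus the MyWay default-page entries that are only removed if the user did not choose them. Those checks can be written down. The following Python is an added example, not code from this thread or from HijackThis; its rules and the `pup_markers` list are assumptions of the example, and the sample lines are copied from the log posted above.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code).

It applies, as code, the reasoning a helper uses when reading a log: flag entries
whose file is missing, loaded modules that are .tmp files or live in a Temp
folder, Run values with no path to verify, and browser default pages set by a
bundled search provider. Everything it flags is for a human to review, not
an automatic "fix".
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the first log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hp7B2B.tmp
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [adiras] adiras.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O2"
    reason: str   # why a human should look at this line
    line: str     # the original log line


LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# "(file missing)" and "(no file)" are HijackThis's own markers for a dangling entry.
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)\s*$")
# A Windows path with a drive letter, up to and including the file extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.\w+(?=["\s]|$)')


def parse_line(line):
    """Split one log line into (section, body); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def triage(log_text, pup_markers=("myway",)):
    """Return the entries a helper would ask the user to look at, in log order.

    pup_markers (assumed list): substrings of a default page URL that identify a
    bundled search provider; the thread treats MyWay this way.
    """
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        if ORPHAN_RE.search(body):
            findings.append(Finding(section, "orphaned: entry points at a file that no longer exists", raw))
            continue
        path_m = PATH_RE.search(body)
        path = path_m.group(0).lower() if path_m else None
        # Loaded modules (BHO, Run, Winlogon notify) should not be .tmp files or live in Temp.
        if section in ("O2", "O4", "O20") and path and (path.endswith(".tmp") or "\\temp\\" in path):
            findings.append(Finding(section, "code loaded from a temporary file or Temp folder", raw))
            continue
        if section == "O4" and path is None:
            findings.append(Finding(section, "verify: Run value has no full path, so the binary cannot be checked from the log", raw))
            continue
        if section in ("R0", "R1") and any(marker in body.lower() for marker in pup_markers):
            findings.append(Finding(section, "default page set by a bundled search provider; remove only if the user did not choose it", raw))
    return findings


def main():
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")


if __name__ == "__main__":
    main()
```

Run on the sample it reports five lines: the MyWay default page, the orphaned URLSearchHook, the .tmp BHO, the path-less `adiras` Run value (marked "verify" rather than suspicious, since the log alone cannot say what it is) and the button with no file; the Symantec, Messenger and ewido entries pass untouched. Running it over a full log is a first pass only: every finding still needs the kind of look-up Surreal2 did before anything is fixed.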

Post by Sexual Kev » December 10th, 2005, 4:02 pm

Hi, I have my homepage back and working again, thanks, but I lost my desktop picture? Everything else seems to be working fine. Below are the four reports you asked for.

Hijackthis Report

Logfile of HijackThis v1.99.1
Scan saved at 19:58:22, on 10/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Kevin\My Documents\System Tools\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/MsnChat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{908DFA85-CE82-4090-B2C2-E6788E8E1C13}: NameServer = 212.74.114.129 212.74.114.193
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Adaware report

Incident Status Location

Adware:Adware/SecurityError Not desinfected C:\Documents and Settings\Kevin\My Documents\System Tools\Hijack This\backups\backup-20051210-184248-955.dll


Ewido Scan Report

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 19:22:16, 10/12/2005
+ Report-Checksum: EEB3B876

+ Scan result:

:mozilla.15:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\4qhms1b5.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\4qhms1b5.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\4qhms1b5.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\4qhms1b5.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\4qhms1b5.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\4qhms1b5.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\4qhms1b5.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\4qhms1b5.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\4qhms1b5.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\4qhms1b5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\4qhms1b5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\4qhms1b5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\4qhms1b5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\4qhms1b5.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\4qhms1b5.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\4qhms1b5.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Kevin\Cookies\kevin@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Kevin\Cookies\kevin@adopt.euroclick[1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Kevin\Cookies\kevin@e-2dj6wgk4ahdjglo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kevin\Cookies\kevin@e-2dj6wjlighdjcco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kevin\Cookies\kevin@microsoftwga.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup


::Report End


Smitfiles Report


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: 10/12/2005
The current time is: 18:49:09.59

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

1024 dir
ld****.tmp
ncompat.tlb


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 728 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)
Sexual Kev
Active Member
 
Posts: 4
Joined: December 9th, 2005, 1:38 pm

Post by Surreal2 » December 12th, 2005, 3:23 pm

Hi - that's cleaned out the rubbish but there's a bit of tidying up and a few more steps to take to ensure all the malware is gone for good.

As before, you might find it helpful to print out this post or copy it to Notepad for easy reference.

Regarding your desktop picture, go Start --> Control Panel --> Display. Click on the 'Desktop' tab, then click the 'Customize Desktop' button. Click on the 'Web' tab. Under 'Web Pages' you should see a checked entry called 'Security info' or something similar. If it is there, select that entry and click the 'Delete' button, then click 'OK' then 'Apply' and 'OK' again.

Next, click on the 'Themes' tab, select 'Windows XP' in the dropdown box and click 'Apply'. Then click on the 'Desktop' tab and select the wallpaper of your choice, then click 'Apply' and then 'OK'.

Let me know if that works.

Once you've done that please work through the following steps:

Step 1
  • Go Start --> Run and in the dialogue box type in: cleanmgr
  • If you have more than one hard drive or hard drive partition, choose each in turn from the drop down box (ignoring floppy/CD/DVD drives)
  • When the computer has scanned the drive, place a checkmark against all the entries in the dialogue box except for 'Compress old files' (unless you want to do this), then click 'OK' to remove the temporary files (if you haven't done this before it might take a while; this is normal)
Step 2
  • Start Internet Explorer, click on Tools --> Internet Options and choose the 'General' tab
    • Click 'Delete Files', then click in the window that opens to place a check against 'Delete all offline content', and finally click 'OK' (again, this might take a while, which is normal)
    • Click 'Clear History' and then click 'OK'
    • I would also recommend clicking on 'Delete Cookies' and then clicking 'OK' (Note - deleting the cookies is likely to mean that you will have to re-enter usernames/passwords to access certain sites, including web-based e-mail accounts)
    • Now move to the 'Programs' tab and click 'Reset Web Settings', then click 'OK' to close the dialogue box
  • Start Firefox, click on Tools --> Options and choose the 'Privacy' tab
    • Click on the 'Clear' button next to Cache (to delete temporary files), History and, I would recommend Cookies (this might take a while, which is normal)
  • If you have more than one user account on the computer, please log into each account in turn and complete the previous steps
Step 3
    You may know that Windows XP has a function called System Restore, which backs up the system from time to time so that you can restore it to a previous state if you have problems (after, say, installing a new program).

    However, when a computer becomes infected it's likely that this backup will include the infections you've just got rid of! Unfortunately there is no way to 'clean' these backups, so they need to be deleted from your computer. That does mean you will lose all the previous restore points - but it's a price worth paying since you won't be able to use them without a high risk of becoming infected again.

    Please therefore:
    1. Turn off System Restore
      • Click on the 'Start' button, then hover the mouse pointer over 'My Computer' and RIGHT-click
      • Click 'Properties' on the pop-out menu
      • Choose the 'System Restore' tab in the new window that opens
      • Click to place a tick mark in the box next to 'Turn off System Restore on all drives'
      • Click 'Apply' and then click 'OK'
    2. Now restart your computer

    3. Turn ON System Restore again
      • Navigate to the 'System Restore' tab as you did before
      • Click to REMOVE the tick mark in the box next to 'Turn off System Restore on all drives'
      • Click 'Apply' and then click 'OK'
      • You may want to set a manual restore point
Step 4
  • Go to Start --> Control panel --> Folder options and select the View tab
  • Click to REMOVE the check mark next to 'Show hidden files and folders' and click to REPLACE the check mark against both 'Hide protected operating system files' and 'Hide extensions for known file types'
  • When you have finished, click 'OK' to close the window
    NB - these settings ensure that important Windows files are 'hidden' so they cannot be accidentally removed.
Step 5
    I asked you to temporarily disable Trojan Hunter's resident protection. To re-enable it, start the program and click to place a check-mark against 'Load at startup' (the icon should reappear in the lower right corner of your screen after you next restart the computer). Note: If you have the free trial version you'll need to manually update the program when the trial period expires.


And that's it (you'll be pleased to hear :D ). But to help protect you against further infections (and also to help prevent criminals using your computer to infect other people's computers on the world wide web), I recommend the following:

Ewido Security Suite. You downloaded the trial version of this software, which is an excellent program and particularly good at catching trojans. If you find it useful you might want to consider buying the full program - otherwise you can continue to use the trial version but when the trial period ends the automatic update feature will stop working, so you'll have to update it manually.

Ad-Aware. You downloaded this excellent program and I recommend that you use it regularly. Each time you use it, make sure you update to the latest definitions and, after scanning and deleting any malware, always restart your computer since this is necessary to finish removing the infections.

Spybot-Search & Destroy is another excellent tool to have and, like Ad-Aware, it's free for personal use. You can download it from HERE. When you install it you can choose to enable Resident protection (Spybot's 'Tea-timer' function). Whenever you run it, always use the 'Search for updates' button first and allow the program to download all updates it finds. When the updates have been installed, click 'Search and Destroy' and then click 'Check for Problems'. When the scan has finished, highlight all problems the program identifies in RED (don't remove/fix items not listed in red) and choose 'Fix Selected Problems'. Again, it's essential to re-start your computer after a Spybot scan to finish removing the malware it found.

Always ensure that you keep your Norton Internet Security Suite fully updated. New virus infections are being produced all the time, and unless the program downloads the latest 'definitions', it cannot protect you against the newer versions. If you want to check for updates manually I'd recommend doing so at least once a week. However, a better option is to set the program to download and install updates automatically every time you are connected to the Internet.

SpywareBlaster. This program adds a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. It's free for personal use, so download it from HERE - and then please click HERE for instructions on installing and using the program.

Windows Updates. The popularity of Windows and Internet Explorer make them a real target for virus writers and hackers. Microsoft regularly produces 'Security updates' to increase your protection against such attacks. I see you have the latest SP2 updates, so please continue to regularly visit the update site, scan for and download all critical updates it finds. You may find it useful to use the Automatic Update feature - you can read more about it and how to set it up HERE. Personally, since I don't want anything happening on my computer without my permission, I set the system to notify me of updates so I can then select to download and install them; but there is also an option to have the updates downloaded and installed automatically.

Finally, you might be interested in reading THIS ARTICLE - "How Did I Get Infected In The First Place"

Please let me know if everything is OK with your computer now. If so, that's it...good luck and safe computing!

Cheers...
Surreal2
Regular Member
Posts: 207
Joined: September 30th, 2005, 1:24 pm
Location: Peterborough, UK
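Steps 3 and 4 of the post above are GUI procedures. The script below is an added example, not code from the thread or from the helper, that does the same two things from an elevated Windows PowerShell 5.1 prompt: it audits and restores the Explorer view settings that Step 4 sets (the `Hidden`, `HideFileExt` and `ShowSuperHidden` values under the Explorer `Advanced` registry key, which are the documented backing values for those three check boxes), and it scripts the Step 3 sequence of discarding old restore points and creating a fresh one. The function names and the restore-point description are my own; the reboot the post places between disabling and re-enabling System Restore is left to the operator.

```powershell
# Added example (not from the thread). Assumes an elevated Windows PowerShell 5.1
# session on a Windows client; the *-ComputerRestore cmdlets are not in PowerShell 7.

$AdvancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Values matching the "safe" state Step 4 of the post puts the check boxes into:
#   Hidden          = 2  -> do NOT show hidden files and folders
#   HideFileExt     = 1  -> hide extensions for known file types
#   ShowSuperHidden = 0  -> hide protected operating system files
$SafeView = @{ Hidden = 2; HideFileExt = 1; ShowSuperHidden = 0 }

function Test-ExplorerViewSettings {
    # Emits one object per setting with its current value, the expected value,
    # and whether they match, so the deviation is visible before anything is changed.
    foreach ($name in $SafeView.Keys) {
        $current = (Get-ItemProperty -Path $AdvancedKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting  = $name
            Current  = $current
            Expected = $SafeView[$name]
            Ok       = ($current -eq $SafeView[$name])
        }
    }
}

function Set-ExplorerViewSettings {
    # Writes the recommended values for the current user. Explorer reads them
    # on its next start, so log off and on (or restart) for the change to show.
    foreach ($name in $SafeView.Keys) {
        Set-ItemProperty -Path $AdvancedKey -Name $name -Value $SafeView[$name] -Type DWord
    }
}

function Reset-SystemRestorePoints {
    # Step 3 of the post: turning System Restore off discards all existing restore
    # points (which may hold copies of the malware just removed); turning it back on
    # starts with a clean slate, and a manual checkpoint gives a known-good baseline.
    # The post restarts the machine between Disable and Enable; do the same if you
    # follow it literally, running the Enable/Checkpoint half after the reboot.
    param([string]$Drive = "$env:SystemDrive\")
    Disable-ComputerRestore -Drive $Drive
    Enable-ComputerRestore  -Drive $Drive
    Checkpoint-Computer -Description 'Clean baseline after malware removal' `
                        -RestorePointType 'MODIFY_SETTINGS'
}

# Usage: report first, then only write if something deviates.
Test-ExplorerViewSettings | Format-Table -AutoSize
$deviating = Test-ExplorerViewSettings | Where-Object { -not $_.Ok }
if ($deviating) { Set-ExplorerViewSettings }
# Reset-SystemRestorePoints   # run deliberately; it deletes every existing restore point
```

The audit-before-write split is deliberate: `Test-ExplorerViewSettings` is safe to run anywhere and tells a helper at a glance whether the "show hidden files" change from the cleanup has been reverted, while `Reset-SystemRestorePoints` is destructive and is left commented out in the usage section so it is only invoked on purpose.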

Unread postby Sexual Kev » December 12th, 2005, 7:30 pm

Everything is running fine now, thanks, and I fixed my desktop. Thank you.
Sexual Kev
Active Member
Posts: 4
Joined: December 9th, 2005, 1:38 pm

Unread postby NonSuch » December 13th, 2005, 4:26 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
Posts: 27231
Joined: February 23rd, 2005, 7:08 am
Location: California