
Malware Removal Instructions

karma10 posting HijackThis log per nino russo instructions


Unread postby karma10 » November 8th, 2006, 11:39 pm

Logfile of HijackThis v1.99.1
Scan saved at 10:32:53 PM, on 11/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/o ... winrep.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0574510065
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{41FC0457-1A76-462E-92B5-D68B49FB2D61}: NameServer = 216.12.0.14 216.12.23.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC595601-253F-4A84-A170-8F653D1E994E}: NameServer = 204.111.1.35,204.111.1.36
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
karma10
Active Member
 
Posts: 10
Joined: November 8th, 2006, 11:43 am
Location: Virginia

Unread postby random/random » November 9th, 2006, 2:30 pm

Why do you think you are infected?
random/random
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Because

Unread postby karma10 » November 9th, 2006, 5:50 pm

My internet connection has been closing constantly (5-10 times) within a 4 hr period. It brings up a small box for connection. Then my regular redial comes up & I click on it. After reconnecting a box comes up telling me that I am offline & asking if I would like to go online. Well, I am already online....

Also, I ran Kaspersky 2X & it found several trojan programs as well as 33 malware items. The trojans were not able to be healed. I ran BitDefender about a month ago & it found 4 major trojans. But, before I could get the info down, the webpage closed. When I tried to reopen & restart the BitDefender scan the program hung for hours. Also, I am running AVG Free. It did not find any of the embedded trojans when it scanned my mail.

My computer was running great until Oct. Now it is slower than whatever. And it pretty much denies me access to online scanners. The only reason Kaspersky worked is b/c I clicked on it in your webpage while reading about someone else's problems. It found stuff but DrWeb did not. I ran it 2X also according to inst. One of the trojans is in my sys restore.

I can send you the log file of the Kaspersky report if you like. Also, I have my internet connection set to do not disconnect.

Unread postby random/random » November 9th, 2006, 6:01 pm

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Please post the combofix log and the Kaspersky report.

Thank you, I downloaded ComboFix, see Kaspersky & ComboFix reports

Unread postby karma10 » November 9th, 2006, 8:02 pm

A. Proctor - 06-11-09 18:52:17.50 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\A. Proctor\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-10-09 to 2006-11-09 ))))))))))))))))))))))))))))))))))

No new files created in this timespan
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-26 01:37 -------- d-------- C:\Documents and Settings\A. Proctor\Application Data\AdobeUM
2006-10-26 01:27 1024 --a------ C:\Documents and Settings\A. Proctor\Application Data\AdobeDLM.log
2006-10-26 01:27 -------- d-------- C:\Program Files\Adobe
2006-10-26 01:26 0 --a------ C:\Documents and Settings\A. Proctor\Application Data\dm.ini
2006-10-26 00:11 -------- d-------- C:\Documents and Settings\A. Proctor\Application Data\Adobe
2006-10-18 10:59 18916 --a------ C:\WINDOWS\SYSTEM32\tfak.dll
2006-10-11 23:20 -------- d-------- C:\Program Files\RegistryFix
2006-10-11 14:00 -------- d-------- C:\Program Files\Windows Defender
2006-10-11 12:04 778656 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
2006-09-28 01:45 -------- d-------- C:\Program Files\Java
2006-08-21 08:21 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,d8,01,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"="Trend Micro Anti-Spyware Shell Extension"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoLowDiskSpaceChecks"=dword:00000001
"NoDrives"=dword:00000000
"NoViewOnDrive"=dword:00000000
"NoLogoff"=dword:00000000
"NoStartBanner"=hex:01
"NoBandCustomize"=dword:00000000
"NoMovingBands"=dword:00000000
"NoCloseDragDropBands"=dword:00000000
"NoSetTaskbar"=dword:00000000
"NoToolbarsOnTaskbar"=dword:00000000
"NoSaveSettings"=dword:00000000
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PavPrSrv"=dword:00000002
"LmHosts"=dword:00000002
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\{06DD9AB1-172C-4F34-8C7C-D1B958808427}_ALPHABET-SOUP_A. Proctor.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
Completion time: 06-11-09 18:54:02.63
C:\ComboFix.txt ... 06-11-09 18:54

KASPERSKY ONLINE SCANNER REPORT
Thursday, November 09, 2006 12:28:57 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 9/11/2006
Kaspersky Anti-Virus database records: 239344


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 32524
Number of viruses found 2
Number of infected objects 33 / 0
Number of suspicious objects 0
Duration of the scan process 02:17:44

Infected Object Name Virus Name Last Action
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\ModemLog_Intel(R) 536EP Modem.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-10112006-140103.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\A. Proctor\ntuser.dat Object is locked skipped

C:\Documents and Settings\A. Proctor\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\A. Proctor\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\A. Proctor\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\A. Proctor\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\A. Proctor\My Documents\Thunderbird 1.5 (en-US) - 2006-09-07.pcv/Mail/Local Folders-1/Inbox.sbd/Inbox478/[From =?iso-2022-jp?B?cnRo?= ][Date Sun, 11 Jun 2006 21:37:06 -0400]/text/[From "babystyle" ][Date Fri, 9 Jun 2006 23:07:05 -0700]/UNNAMED/[From "iframeMONEY" ][Date Tue, 13 Jun 2006 16:39:43 +0700]/text Infected: Trojan-Spy.HTML.Fraud.g skipped

C:\Documents and Settings\A. Proctor\My Documents\Thunderbird 1.5 (en-US) - 2006-09-07.pcv/Mail/Local Folders-1/Inbox.sbd/Inbox478/[From =?iso-2022-jp?B?cnRo?= ][Date Sun, 11 Jun 2006 21:37:06 -0400]/text/[From "babystyle" ][Date Fri, 9 Jun 2006 23:07:05 -0700]/UNNAMED/[From "iframeMONEY" ][Date Tue, 13 Jun 2006 03:49:59 -0600]/text Infected: Trojan-Spy.HTML.Fraud.g skipped

C:\Documents and Settings\A. Proctor\My Documents\Thunderbird 1.5 (en-US) - 2006-09-07.pcv/Mail/Local Folders-1/Inbox.sbd/Inbox478/[From =?iso-2022-jp?B?cnRo?= ][Date Sun, 11 Jun 2006 21:37:06 -0400]/text/[From "babystyle" ][Date Fri, 9 Jun 2006 23:07:05 -0700]/UNNAMED/[From "iframeMONEY" ][Date Tue, 13 Jun 2000 09:23:54 +0200]/text Infected: Trojan-Spy.HTML.Fraud.g skipped

C:\Documents and Settings\A. Proctor\My Documents\Thunderbird 1.5 (en-US) - 2006-09-07.pcv/Mail/Local Folders-1/Inbox.sbd/Inbox478/[From =?iso-2022-jp?B?cnRo?= ][Date Sun, 11 Jun 2006 21:37:06 -0400]/text/[From "babystyle" ][Date Fri, 9 Jun 2006 23:07:05 -0700]/UNNAMED/[From "iframeMONEY" ][Date Tue, 13 Jun 2006 19:16:05 +0900]/text Infected: Trojan-Spy.HTML.Fraud.g skipped

C:\Documents and Settings\A. Proctor\My Documents\Thunderbird 1.5 (en-US) - 2006-09-07.pcv/Mail/Local Folders-1/Inbox.sbd/Inbox478/[From =?iso-2022-jp?B?cnRo?= ][Date Sun, 11 Jun 2006 21:37:06 -0400]/text/[From "babystyle" ][Date Fri, 9 Jun 2006 23:07:05 -0700]/UNNAMED/[From "iframeMONEY" ][Date Wed, 17 May 2006 14:22:34 +0400]/text Infected: Trojan-Spy.HTML.Fraud.g skipped

C:\Documents and Settings\A. Proctor\My Documents\Thunderbird 1.5 (en-US) - 2006-09-07.pcv/Mail/Local Folders-1/Inbox.sbd/Inbox478/[From =?iso-2022-jp?B?cnRo?= ][Date Sun, 11 Jun 2006 21:37:06 -0400]/text/[From "babystyle" ][Date Fri, 9 Jun 2006 23:07:05 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Fraud.g skipped

C:\Documents and Settings\A. Proctor\My Documents\Thunderbird 1.5 (en-US) - 2006-09-07.pcv/Mail/Local Folders-1/Inbox.sbd/Inbox478/[From =?iso-2022-jp?B?cnRo?= ][Date Sun, 11 Jun 2006 21:37:06 -0400]/text Infected: Trojan-Spy.HTML.Fraud.g skipped

C:\Documents and Settings\A. Proctor\My Documents\Thunderbird 1.5 (en-US) - 2006-09-07.pcv/Mail/Local Folders-1/Inbox.sbd/Inbox478 Infected: Trojan-Spy.HTML.Fraud.g skipped

C:\Documents and Settings\A. Proctor\My Documents\Thunderbird 1.5 (en-US) - 2006-09-07.pcv ZIP: infected - 8 skipped

C:\Documents and Settings\A. Proctor\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders\Inbox/[From =?iso-2022-jp?B?cnRo?= ][Date Sun, 11 Jun 2006 21:37:06 -0400]/text/[From "babystyle" ][Date Fri, 9 Jun 2006 23:07:05 -0700]/UNNAMED/[From "iframeMONEY" ][Date Tue, 13 Jun 2006 16:39:43 +0700]/text Infected: Trojan-Spy.HTML.Fraud.g skipped

C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders\Inbox/[From =?iso-2022-jp?B?cnRo?= ][Date Sun, 11 Jun 2006 21:37:06 -0400]/text/[From "babystyle" ][Date Fri, 9 Jun 2006 23:07:05 -0700]/UNNAMED/[From "iframeMONEY" ][Date Tue, 13 Jun 2006 03:49:59 -0600]/text Infected: Trojan-Spy.HTML.Fraud.g skipped

C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders\Inbox/[From =?iso-2022-jp?B?cnRo?= ][Date Sun, 11 Jun 2006 21:37:06 -0400]/text/[From "babystyle" ][Date Fri, 9 Jun 2006 23:07:05 -0700]/UNNAMED/[From "iframeMONEY" ][Date Tue, 13 Jun 2000 09:23:54 +0200]/text Infected: Trojan-Spy.HTML.Fraud.g skipped

C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders\Inbox/[From =?iso-2022-jp?B?cnRo?= ][Date Sun, 11 Jun 2006 21:37:06 -0400]/text/[From "babystyle" ][Date Fri, 9 Jun 2006 23:07:05 -0700]/UNNAMED/[From "iframeMONEY" ][Date Tue, 13 Jun 2006 19:16:05 +0900]/text Infected: Trojan-Spy.HTML.Fraud.g skipped

C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders\Inbox/[From =?iso-2022-jp?B?cnRo?= ][Date Sun, 11 Jun 2006 21:37:06 -0400]/text/[From "babystyle" ][Date Fri, 9 Jun 2006 23:07:05 -0700]/UNNAMED/[From "iframeMONEY" ][Date Wed, 17 May 2006 14:22:34 +0400]/text Infected: Trojan-Spy.HTML.Fraud.g skipped

C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders\Inbox/[From =?iso-2022-jp?B?cnRo?= ][Date Sun, 11 Jun 2006 21:37:06 -0400]/text/[From "babystyle" ][Date Fri, 9 Jun 2006 23:07:05 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Fraud.g skipped

C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders\Inbox/[From =?iso-2022-jp?B?cnRo?= ][Date Sun, 11 Jun 2006 21:37:06 -0400]/text Infected: Trojan-Spy.HTML.Fraud.g skipped

C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders\Inbox Mail Berkeley mbox: infected - 7 skipped

C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders\Drafts/[From LM ][Date Fri, 10 Jun 2005 11:54:16 -0400]/UNNAMED/[From LM ][Date Thu, 23 Jun 2005 23:04:14 -0400]/UNNAMED/[From LM ][Date Thu, 23 Jun 2005 23:06:50 -0400]/UNNAMED/[From LM ][Date Fri, 24 Jun 2005 11:15:24 -0400]/text/[From Get a Free Everyday Meals Cookbook from Gourmet!][Date Wed, 28 Dec 2005 19:30:54 UT] ... /[From eBay Inc ][Date Tue, 10 Jan 2006 06:01:35 -0100]/html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped

C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders\Drafts/[From LM ][Date Fri, 10 Jun 2005 11:54:16 -0400]/UNNAMED/[From LM ][Date Thu, 23 Jun 2005 23:04:14 -0400]/UNNAMED/[From LM ][Date Thu, 23 Jun 2005 23:06:50 -0400]/UNNAMED/[From LM ][Date Fri, 24 Jun 2005 11:15:24 -0400]/text/[From Get a Free Everyday Meals Cookbook from Gourmet!][Date Wed, 28 Dec 2005 19:30:54 UT]/UNNAMED/[From LM ][Date Tue, 10 Jan 2006 08:23:18 -0500]/EBAY Infected: Trojan-Spy.HTML.Bayfraud.hn skipped

C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders\Drafts/[From LM ][Date Fri, 10 Jun 2005 11:54:16 -0400]/UNNAMED/[From LM ][Date Thu, 23 Jun 2005 23:04:14 -0400]/UNNAMED/[From LM ][Date Thu, 23 Jun 2005 23:06:50 -0400]/UNNAMED/[From LM ][Date Fri, 24 Jun 2005 11:15:24 -0400]/text/[From Get a Free Everyday Meals Cookbook from Gourmet!][Date Wed, 28 Dec 2005 19:30:54 UT]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn skipped

C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders\Drafts/[From LM ][Date Fri, 10 Jun 2005 11:54:16 -0400]/UNNAMED/[From LM ][Date Thu, 23 Jun 2005 23:04:14 -0400]/UNNAMED/[From LM ][Date Thu, 23 Jun 2005 23:06:50 -0400]/UNNAMED/[From LM ][Date Fri, 24 Jun 2005 11:15:24 -0400]/text Infected: Trojan-Spy.HTML.Bayfraud.hn skipped

C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders\Drafts/[From LM ][Date Fri, 10 Jun 2005 11:54:16 -0400]/UNNAMED/[From LM ][Date Thu, 23 Jun 2005 23:04:14 -0400]/UNNAMED/[From LM ][Date Thu, 23 Jun 2005 23:06:50 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn skipped

C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders\Drafts/[From LM ][Date Fri, 10 Jun 2005 11:54:16 -0400]/UNNAMED/[From LM ][Date Thu, 23 Jun 2005 23:04:14 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn skipped

C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders\Drafts/[From LM ][Date Fri, 10 Jun 2005 11:54:16 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn skipped

C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders\Drafts Mail Berkeley mbox: infected - 7 skipped

C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders-1\Inbox.sbd\Inbox478/[From =?iso-2022-jp?B?cnRo?= ][Date Sun, 11 Jun 2006 21:37:06 -0400]/text/[From "babystyle" ][Date Fri, 9 Jun 2006 23:07:05 -0700]/UNNAMED/[From "iframeMONEY" ][Date Tue, 13 Jun 2006 16:39:43 +0700]/text Infected: Trojan-Spy.HTML.Fraud.g skipped

C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders-1\Inbox.sbd\Inbox478/[From =?iso-2022-jp?B?cnRo?= ][Date Sun, 11 Jun 2006 21:37:06 -0400]/text/[From "babystyle" ][Date Fri, 9 Jun 2006 23:07:05 -0700]/UNNAMED/[From "iframeMONEY" ][Date Tue, 13 Jun 2006 03:49:59 -0600]/text Infected: Trojan-Spy.HTML.Fraud.g skipped

C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders-1\Inbox.sbd\Inbox478/[From =?iso-2022-jp?B?cnRo?= ][Date Sun, 11 Jun 2006 21:37:06 -0400]/text/[From "babystyle" ][Date Fri, 9 Jun 2006 23:07:05 -0700]/UNNAMED/[From "iframeMONEY" ][Date Tue, 13 Jun 2000 09:23:54 +0200]/text Infected: Trojan-Spy.HTML.Fraud.g skipped

C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders-1\Inbox.sbd\Inbox478/[From =?iso-2022-jp?B?cnRo?= ][Date Sun, 11 Jun 2006 21:37:06 -0400]/text/[From "babystyle" ][Date Fri, 9 Jun 2006 23:07:05 -0700]/UNNAMED/[From "iframeMONEY" ][Date Tue, 13 Jun 2006 19:16:05 +0900]/text Infected: Trojan-Spy.HTML.Fraud.g skipped

C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders-1\Inbox.sbd\Inbox478/[From =?iso-2022-jp?B?cnRo?= ][Date Sun, 11 Jun 2006 21:37:06 -0400]/text/[From "babystyle" ][Date Fri, 9 Jun 2006 23:07:05 -0700]/UNNAMED/[From "iframeMONEY" ][Date Wed, 17 May 2006 14:22:34 +0400]/text Infected: Trojan-Spy.HTML.Fraud.g skipped

C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders-1\Inbox.sbd\Inbox478/[From =?iso-2022-jp?B?cnRo?= ][Date Sun, 11 Jun 2006 21:37:06 -0400]/text/[From "babystyle" ][Date Fri, 9 Jun 2006 23:07:05 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Fraud.g skipped

C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders-1\Inbox.sbd\Inbox478/[From =?iso-2022-jp?B?cnRo?= ][Date Sun, 11 Jun 2006 21:37:06 -0400]/text Infected: Trojan-Spy.HTML.Fraud.g skipped

C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders-1\Inbox.sbd\Inbox478 Mail Berkeley mbox: infected - 7 skipped

C:\Documents and Settings\A. Proctor\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\_restore{944ADBC6-11AD-4179-BBC0-3DC529ACB044}\RP513\change.log Object is locked skipped

Scan process completed.

Unread postby random/random » November 10th, 2006, 5:52 pm

Everything Kaspersky detects is in e-mails from these senders:


=?iso-2022-jp?B?cnRo?=
babystyle
LM
Get a Free Everyday Meals Cookbook from Gourmet!

If they aren't your contacts then delete all mail from them

Your computer does not appear to be infected

Since your internet issue would seem to be unrelated to malware I suggest asking at a more general forum such as CastleCops
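The reasoning in the reply above rests on one observation: every Kaspersky detection sits inside a mail store (Thunderbird mbox files and a .pcv mail backup), never as a runnable file on disk, so the hits are phishing messages in the mailbox rather than an active infection. The script below is an added example, not part of the original thread, that mechanizes this triage over report lines in the scanner's "<object> Infected: <name> <action>" layout. The sample lines are constructed from the format quoted in the thread; the final "hypothetical.dll" line is invented here purely to show what a live on-disk hit would look like, and the mail-store path markers are an assumption of this example.

```python
"""Triage a Kaspersky Online Scanner report: live on-disk hits vs. hits nested
inside containers (mail stores, backups, archives).  Added example code; the
report lines below are constructed to mirror the format quoted in the thread."""
import re
from email.header import decode_header

# Constructed sample. The last line is HYPOTHETICAL and not from the thread; it
# exists only to show the contrasting case of a detection on a real file.
SAMPLE_REPORT = r"""
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders\Inbox/[From =?iso-2022-jp?B?cnRo?= ][Date Sun, 11 Jun 2006 21:37:06 -0400]/text/[From "babystyle" ][Date Fri, 9 Jun 2006 23:07:05 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Fraud.g skipped
C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders\Drafts/[From LM ][Date Fri, 10 Jun 2005 11:54:16 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\A. Proctor\Application Data\Thunderbird\Profiles\guew3qn9.default\Mail\Local Folders\Inbox Mail Berkeley mbox: infected - 7 skipped
C:\WINDOWS\SYSTEM32\hypothetical.dll Infected: Hypothetical.Sample skipped
"""

# Only per-object "Infected:" verdicts; "Object is locked" and the
# "mbox: infected - N" container summaries are intentionally not matched.
INFECTED_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
# Kaspersky labels each nested message as "[From <sender> ][Date <date>]".
FROM_RE = re.compile(r"\[From (.*?)\s*\]")

# Assumed markers for "this container is a mail store or mail backup".
MAIL_MARKERS = ("\\Mail\\", "\\Thunderbird", ".pcv")


def decode_sender(raw):
    """Decode an RFC 2047 encoded word (e.g. =?iso-2022-jp?B?cnRo?=); plain names pass through."""
    parts = []
    for text, charset in decode_header(raw.strip('"')):
        if isinstance(text, bytes):
            text = text.decode(charset or "ascii", errors="replace")
        parts.append(text)
    return "".join(parts)


def parse_report(text):
    """Yield (object_path, detection_name, action) for every 'Infected:' line."""
    for line in text.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            yield m.group("obj"), m.group("name"), m.group("action")


def triage(text):
    """Split detections into live files and objects nested inside a container.

    Windows paths use backslashes; the scanner joins the on-disk file and the
    item inside it with '/', so the first '/' is the container boundary."""
    live, nested = [], {}
    for obj, name, action in parse_report(text):
        if "/" not in obj:
            live.append((obj, name))
            continue
        host, inner = obj.split("/", 1)
        entry = nested.setdefault(host, {"names": set(), "senders": set(), "count": 0})
        entry["names"].add(name)
        entry["count"] += 1
        entry["senders"].update(decode_sender(s) for s in FROM_RE.findall(inner))
    return {"live": live, "nested": nested}


def all_in_mail_stores(result, markers=MAIL_MARKERS):
    """True when nothing is live and every container looks like a mail store."""
    if result["live"]:
        return False
    return all(any(mk in host for mk in markers) for host in result["nested"])


if __name__ == "__main__":
    res = triage(SAMPLE_REPORT)
    for obj, name in res["live"]:
        print("LIVE   ", name, obj)
    for host, info in res["nested"].items():
        print("NESTED ", info["count"], "hit(s) in", host)
        print("         senders:", ", ".join(sorted(info["senders"])))
    print("mail-only:", all_in_mail_stores(res))
```

Deleting the listed messages (and the .pcv backup that contains copies of them) clears this class of detection; a live hit on a system file would instead be a reason to keep investigating rather than close the case.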

Thank you for looking into this. However

Unread postby karma10 » November 11th, 2006, 2:37 am

Thank you for looking at my files & info. However, every time I write an email, browse something as simple as chef pants, fill out a form for credit or look into buying a car, etc., I receive an email letting me know that everything I have done on my computer is being monitored. I don't mean the normal emails that you receive from businesses after you browse their web addresses. I mean tons of emails telling me that I looked at this, did that. Buy a car, get a loan, things about what I have put in private emails to my family. The names of my children are used as the subjects of these mails. That cannot be spam. Spam does not mention your children's names.

I am purchasing a new computer, changing all of my credit card, email, banking, utility, etc. passwords as soon as it is set up. I appreciate greatly what you have done but I know that there is definitely a program in here and that (probably) it is a worm or key logger. I just can't find it. It's pretty awful when you write personal mail & then receive a nasty email with a false return address citing parts of what you have just written.

This summer I received a new Choice Priv. Visa online & got 20 or more emails talking about my credit & mentioning the name of the card.

Take care & know that you do good works.

Unread postby random/random » November 12th, 2006, 7:52 am

That's much more worrying and it does sound like a keylogger or something of that kind

If you want to be 100% sure you've cleaned it then you could reformat your computer.

Please download F-Secure Blacklight (blbeta.exe) and save to your C:\ drive.
1. Open a command window by going to Start > Run and typing: cmd
2. Copy/paste or type the following in the command window:

C:\blbeta.exe /expert

3. Hit "Enter" to start the program and then close the cmd box.
4. Accept the user agreement and click "Next".
5 Click "Scan".
6. After the scan is complete, click "Next", then "Exit". BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
7. The log will have a list of all items found. Do not choose to rename any yet! I want to see the log first because legitimate items can also be present...like "wbemtest.exe".
8. Exit Blacklight and post the contents of the log in your next reply.

Note: If you download Blacklight to your desktop, just double-click to run from there and it will create the "fsbl-xxxxxxx.log" on your desktop.

Run an online virus scan called Kaspersky from HERE.

1. Click on "Kaspersky Online Scanner"
2. A new smaller window will pop up. After reading the contents, press "Accept".
3. Now Kaspersky will update the anti-virus database. Let it run.
4. Click on "Next">"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
5. Then click on "My Computer". And the scan will start.
6. Once finished, save a log as ".txt" to the desktop. And restart.


Post back with the BlackLight and Kaspersky log

Here is the BlackLight log. Cannot use Kaspersky!!!

Unread postby karma10 » November 12th, 2006, 11:39 pm

11/12/06 22:03:18 [Info]: BlackLight Engine 1.0.47 initialized
11/12/06 22:03:18 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/12/06 22:03:18 [Note]: 7019 4
11/12/06 22:03:18 [Note]: 7005 0
11/12/06 22:03:27 [Note]: 7006 0
11/12/06 22:03:27 [Note]: 7022 0
11/12/06 22:03:27 [Note]: 7011 1376
11/12/06 22:03:28 [Note]: 7026 0
11/12/06 22:03:28 [Note]: 7026 0
11/12/06 22:03:29 [Note]: FSRAW library version 1.7.1020
11/12/06 22:05:07 [Note]: 7007 0
karma10
Active Member
Posts: 10
Joined: November 8th, 2006, 11:43 am
Location: Virginia

Unread postby random/random » November 13th, 2006, 1:44 pm

Ok, let's try a different online scan

Run Panda's ActiveScan from here and perform a full system scan.

1. Once you are on the Panda site click the "Scan your PC" button
2. A new window will open...click the big "Check Now" button
3. Enter your Country
4. Enter your State/Province
5. Enter your e-mail address and click send
6. Select either Home User or Company
7. Click the big Scan Now button
8. If it wants to install an ActiveX component allow it
9. It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
10. Click on "Local Disks" to start the scan
11. Post Panda scan results in your next reply
random/random
Developer
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Thank you again BUT>>>

Unread postby karma10 » November 15th, 2006, 12:52 am

Now I am unable to use ANY online antivirus program. I can attempt to hit on the button as many times as I like but it just sits there. Kaspersky, Panda, you name it. This happened several yrs ago when I had lots of trojan activity. Had to get my system reformatted. Lost mail, passwords, the whole thing was horrible. Now it looks as though it is happening again. This thing has sent my thunderbird mail out of function 2X. Right now I know that my av is just another program taking up space on my HD.
Please forgive the wahs. I just am at a standstill here. Had to download a dialer protect to stop my internet from hanging up repeatedly. I can do anything but scan w/av. That I am absolutely verboten!
karma10
Active Member
Posts: 10
Joined: November 8th, 2006, 11:43 am
Location: Virginia

Unread postby random/random » November 16th, 2006, 1:12 pm

  • Create a folder on your desktop called Sysclean.
  • Go to http://www.trendmicro.com/download/dcs.asp and download sysclean package to the folder you made.
  • Go to http://www.trendmicro.com/download/pattern.asp and download the Virus Pattern File (Official Pattern Release) to your desktop.
    This file will be called lptXXX.zip (XXX represents the version number)
  • Unzip lptXXX.zip and you'll get the file lpt$vpn.XXX. Read here how to unzip/extract properly.
  • Move the lpt$vpn.XXX to the Sysclean-folder you created on your desktop.
  • Open the sysclean-folder and doubleclick sysclean.com.
  • Check: "Automatically clean or delete detected files".
  • Click scan.
Open your sysclean-folder and copy and paste the contents of sysclean.log in your next reply, along with a new HijackThis log.
random/random
Developer
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Finally got it to work. Looks like you were right. Thank you

Unread postby karma10 » November 21st, 2006, 3:28 am

/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2006-11-21, 01:29:03, Auto-clean mode specified.
2006-11-21, 01:29:03, Running scanner "C:\Documents and Settings\A. Proctor\Desktop\Sysclean\TSC.BIN"...
2006-11-21, 01:29:37, Scanner "C:\Documents and Settings\A. Proctor\Desktop\Sysclean\TSC.BIN" has finished running.
2006-11-21, 01:29:37, TSC Log:

Damage Cleanup Engine (DCE) 3.98(Build 1012)
Windows XP(Build 2600: Service Pack 2)

Start time : Tue Nov 21 2006 01:29:05

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\A. Proctor\Desktop\Sysclean\tsc.ptn" (version 806) [success]

Complete time : Tue Nov 21 2006 01:29:37
Execute pattern count(2971), Virus found count(0), Virus clean count(0), Clean failed count(0)

2006-11-21, 02:15:01, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 11/21/2006 01:30:19
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 943 (142952 Patterns) (2006/11/20) (394300)
Command Line: C:\Documents and Settings\A. Proctor\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\A. Proctor\Desktop\Sysclean

34150 files have been read.
34150 files have been checked.
32243 files have been scanned.
54140 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 11/21/2006 02:14:59
---------*---------*---------*---------*---------*---------*---------*---------*
2006-11-21, 02:15:02, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 11/21/2006 01:30:19
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 943 (142952 Patterns) (2006/11/20) (394300)
Command Line: C:\Documents and Settings\A. Proctor\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\A. Proctor\Desktop\Sysclean

34150 files have been read.
34150 files have been checked.
32243 files have been scanned.
54140 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 11/21/2006 02:14:59 44 minutes 35 seconds (2675.74 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-11-21, 02:15:02, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 11/21/2006 01:30:19
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 943 (142952 Patterns) (2006/11/20) (394300)
Command Line: C:\Documents and Settings\A. Proctor\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\A. Proctor\Desktop\Sysclean

34150 files have been read.
34150 files have been checked.
32243 files have been scanned.
54140 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 11/21/2006 02:14:59 44 minutes 35 seconds (2675.74 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-11-21, 02:15:02, Scanner "C:\Documents and Settings\A. Proctor\Desktop\Sysclean\VSCANTM.BIN" has finished running.
_____________________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 2:26:18 AM, on 11/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/o ... winrep.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resourc ... se8460.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0574510065
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{41FC0457-1A76-462E-92B5-D68B49FB2D61}: NameServer = 216.12.0.14 216.12.23.244
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
karma10
Active Member
Posts: 10
Joined: November 8th, 2006, 11:43 am
Location: Virginia
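The helper reads HijackThis logs like the one above by eye, section by section. As an added example (not HijackThis' own logic and not this forum's procedure), the Python script below breaks a log in that format into its "Oxx - ..." entries and lists the kinds of entry a reviewer checks first: references whose target file is missing, O16 ActiveX controls downloaded from the web, O17 DNS servers outside local address ranges, and O20 Winlogon notify packages. The log lines in it are constructed in the same layout as the posted logs; the CLSIDs, paths, URL and addresses are placeholders, and the choice of sections to surface is the example's own.

```python
"""Structure a HijackThis 1.99 log and list the sections worth a second look.

Added example for this thread; not HijackThis' own logic or the helper's
checklist. SAMPLE_LOG is constructed in the format of the posted logs;
its CLSIDs, paths, URL and IP addresses are placeholders.
"""
import ipaddress
import re
from typing import Dict, List

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 1:00:00 AM, on 01/01/2006

Running processes:
C:\WINDOWS\system32\svchost.exe

O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\avtray.exe /STARTUP
O9 - Extra button: (no name) - {00000000-0000-0000-0000-000000000001} - %windir%\oldscanner.exe (file missing)
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Example Scanner Control) - http://scan.example.com/cabs/scanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000003}: NameServer = 192.168.1.1 203.0.113.53
O20 - Winlogon Notify: ExampleNotify - C:\WINDOWS\SYSTEM32\examplenotify.dll
O23 - Service: Example Update Service (ExUpd) - Example Corp - C:\Program Files\ExampleAV\exupd.exe
"""

# Every HijackThis entry starts with a section code such as R0, F1 or O17.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")

# Ranges a home PC's DNS server is normally in (the router or loopback).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_log(text: str) -> List[Dict[str, str]]:
    """Return one {'section', 'body'} dict per entry; header and process
    lines do not match the pattern and are skipped."""
    entries = []
    for raw in text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append({"section": match.group(1), "body": match.group(2)})
    return entries


def is_local_resolver(ip: str) -> bool:
    """True when the address falls in a private or loopback range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETS)


def triage(text: str) -> List[str]:
    """Return human-readable notes for the entries a reviewer looks at first."""
    findings = []
    for entry in parse_log(text):
        sec, body = entry["section"], entry["body"]
        if "(file missing)" in body:
            # Registry still points at a file that no longer exists.
            findings.append(f"{sec}: orphaned entry, target file missing: {body}")
        if sec == "O16":
            # Downloaded Program Files: the URL is the last ' - ' separated field.
            url = body.rsplit(" - ", 1)[-1]
            findings.append(f"O16: ActiveX control downloaded from {url}")
        if sec == "O17" and "NameServer" in body:
            for ip in body.split("=", 1)[1].split():
                if not is_local_resolver(ip):
                    findings.append(f"O17: DNS server {ip} is outside local ranges; "
                                    "confirm it belongs to your ISP")
        if sec == "O20":
            # Winlogon notify DLLs load at every logon; each one should be known.
            findings.append(f"O20: Winlogon notify package loads at logon: {body}")
    return findings


if __name__ == "__main__":
    for note in triage(SAMPLE_LOG):
        print(note)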

Unread postby random/random » November 21st, 2006, 12:24 pm

Use notepad to open this file:

C:\windows\system32\drivers\etc\hosts

And post the contents in your next reply.
random/random
Developer
Posts: 7733
Joined: December 18th, 2005, 3:30 pm
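The helper asks for the hosts file because a modified hosts file is one common reason online scanner pages never load: names of security vendors can be mapped to the loopback address (so they never resolve anywhere) or to some other address. As an added example, not a MalwareRemoval.com tool or the helper's own method, the Python script below parses a file in the Windows hosts layout and flags both kinds of mapping. The sample file content, the vendor domain list and the 203.0.113.7 address in it are constructed assumptions.

```python
"""Audit a Windows hosts file for mappings that block or redirect
security-vendor sites.

Added example for this thread; it is not a MalwareRemoval.com tool or the
helper's own method. SAMPLE_HOSTS, SECURITY_DOMAINS and the 203.0.113.7
address are constructed for illustration.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample in the layout of C:\windows\system32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# (constructed sample, not a real capture)
127.0.0.1       localhost
127.0.0.1       www.kaspersky.com kaspersky.com   # sinkholed to loopback
203.0.113.7     activescan.pandasoftware.com      # redirected elsewhere
127.0.0.1       ads.example.net                   # ordinary ad blocking
"""

# Assumed list of domains a user needs to reach for online scans and updates.
SECURITY_DOMAINS = (
    "kaspersky.com", "pandasoftware.com", "trendmicro.com",
    "f-secure.com", "microsoft.com", "windowsupdate.com", "grisoft.com",
)

# Addresses that turn a hosts entry into a block rather than a redirect.
BLOCK_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

Finding = Tuple[int, str, str, str]  # (line number, ip, hostname, reason)


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for every mapping; comments and blank
    lines are skipped, and one address may map several names."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # malformed line, ignore
        for name in parts[1:]:
            entries.append((line_no, parts[0], name.lower().rstrip(".")))
    return entries


def is_security_domain(hostname: str) -> bool:
    """True for a listed vendor domain or any subdomain of it."""
    return any(hostname == d or hostname.endswith("." + d)
               for d in SECURITY_DOMAINS)


def find_suspicious(text: str) -> List[Finding]:
    """Flag vendor names mapped anywhere (a default XP hosts file maps only
    'localhost') and any other name mapped to a non-loopback address."""
    findings: List[Finding] = []
    for line_no, ip, name in parse_hosts(text):
        if name == "localhost" and ip in BLOCK_ADDRS:
            continue
        if is_security_domain(name):
            reason = ("security site blocked" if ip in BLOCK_ADDRS
                      else "security site redirected")
            findings.append((line_no, ip, name, reason))
        elif ip not in BLOCK_ADDRS:
            findings.append((line_no, ip, name, "redirect to non-loopback address"))
    return findings


if __name__ == "__main__":
    for line_no, ip, name, reason in find_suspicious(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip:<15} {name:<32} {reason}")
```

Names mapped to 127.0.0.1 that are not vendor domains are left alone, since ad-blocking hosts files do exactly that; on a machine that never had such a file, a default XP hosts file contains only the `localhost` line, so anything else is worth explaining.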

Sorry, guess I am an idiot

Unread postby karma10 » November 21st, 2006, 1:42 pm

I do not know how to use notepad to open the file. Please explain.
Thank you
karma10
Active Member
Posts: 10
Joined: November 8th, 2006, 11:43 am
Location: Virginia