Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Trj/Mitglieder.GB -- found by Panda Online

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Trj/Mitglieder.GB -- found by Panda Online

Unread postby Patsy » December 30th, 2005, 8:44 pm

Returned mail: Service unavailable -- Diagnostic-Code: SMTP; 554 TRANSACTION FAILED - Unrepairable Virus Detected. Your mail has not been sent. (I DIDN'T send the mail. Didn't recognize anyone on the list they sent back to me).

Panda said Virus:Trj/Mitglieder.GB Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\Mail\mail.ev1.net\Inbox[1.exe]


Logfile of HijackThis v1.99.1
Scan saved at 6:28:12 PM, on 12/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage",

"http://www.timebomb2000.com/vb/forumdisplay.php?s=&forumid=9");

(C:\Documents and Settings\Owner\Application

Data\Mozilla\Profiles\default\lhyj5c9v.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",

"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBW

eb_01.src"); (C:\Documents and Settings\Owner\Application

Data\Mozilla\Profiles\default\lhyj5c9v.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program

Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} -

C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -

c:\program files\google\googletoolbar4.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} -

C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program

Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} -

C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program

Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft

AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program

files\google\GoogleToolbar4.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program

files\google\GoogleToolbar4.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program

files\google\GoogleToolbar4.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program

files\google\GoogleToolbar4.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program

files\google\GoogleToolbar4.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program

files\google\GoogleToolbar4.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -

C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} -

c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet

Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -

http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) -

http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer

Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O17 -

HKLM\System\CCS\Services\Tcpip\..\{A22A058E-FA03-4678-AFCE-F2E1C96D65A9}:

NameServer = 209.63.0.6 207.173.86.6
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. -

C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program

Files\Spyware Doctor\sdhelp.exe
Patsy
Regular Member
 
Posts: 28
Joined: June 13th, 2005, 9:54 am
Advertisement
Register to Remove

Unread postby NonSuch » December 31st, 2005, 8:07 pm

Patsy,

You may very likely not have a malware problem. If your e-mail address appears in the address book of an infected computer, that infected computer may send out mass e-mails, using addresses it finds in the address book in order to make it appear that the e-mails are coming from those addresses rather than the infected computer itself.

Please carefully read all the instructions below as it is very important that you follow them exactly as written. (As you are using AVG antivirus, please pay particular attention to the "NOTE" for the ewido scan). Since part of the time you will be in safe mode and, therefore, unable to access the internet, you should also print out a copy of these instructions so you have them readily at hand.

First, you have HijackThis on your Desktop, and this is okay, except that it must be in a folder. Please create a new folder on your Desktop by right clicking on a blank spot, select "New" then "Folder." Name the folder HJT, HijackThis, or something similar. Next, drag and drop HijackThis.exe into that new folder.

Let's do some cleaning and then see how your next HijackThis log looks.

Note: When you scan with ewido, it is extremely important that you do so in Safe Mode; otherwise, it may not delete all the infections it finds.

First, download, install, and run CCleaner (so the scan won't take as long because CCleaner will clear out temporary files) *NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!

Download CCleaner from here to clean temp files from your computer.
  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location. Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click on "Options" at the top of the window, then click on the "advanced" button. deselect "Only delete files in Windows Temp folders older than 48 hours." Click on "OK."
  • Click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.

Please download ewido anti-malware
  • Install ewido anti-malware
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu."
  • Launch ewido, there should be a big "E" icon on your desktop, double-click it.
  • The program will prompt you to update click the "OK" button
  • The program will now go to the main screen

    You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start

    The update will start and a progress bar will show the updates being installed.
    After the updates are installed, exit ewido.


    Once the updates are installed do the following:

  • If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.
  • Reboot into Safe Mode, you can do this by restarting your computer, then contiunally tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Then, run ewido.
  • Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
  • Click on scanner
  • Click on Settings
    • Under "How to scan" all boxes should be selected
    • Under "Possibly unwanted software" all boxes should be selected
    • Under "What to scan" select scan every file
    • Click OK
  • Click on Complete system scan
  • Let the program scan the machine
  • If ewido finds anything, it will pop up a notification. NOTE: We have been finding some cases of false positives with the new version of ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL, pcAnywhere and the game "Risk" have been flagged. In particular, watch for alerts that have the word "Heuristic" in them - if you recognize the file name as "friendly," these may actually be false positives) select "none" as the action. DO NOT check "Perform action with all infections." If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report.

  • Click Save report
  • Save the report to your desktop


Reboot into normal mode.


Then, please run this online virus scan:
ActiveScan NOTE: You will need to use Internet Explorer to run this scan as it requires ActiveX!

Save the results from ActiveScan.

Please post the log from Ewido, the log from ActiveScan, and a new HijackThis log into this topic. Read the instructions below before creating the new HijackThis log...

Please note: Your current HijackThis log is badly formatted, making it extremely difficult to read. Please do the following...

Run Hijack This and Click on "scan." Now click on "Save log." The log will open in Notepad. Click on Format. If the item - Wordwrap - is checked, then uncheck it. Now copy and paste the log into your next reply. :)
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California

Unread postby Patsy » January 3rd, 2006, 10:27 am

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:53:26 AM, 1/3/2006
+ Report-Checksum: F6EB037B

+ Scan result:

:mozilla.13:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.131:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.156:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.169:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.170:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.172:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.173:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.217:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.247:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Pro-market : Cleaned with backup
:mozilla.248:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Pro-market : Cleaned with backup
:mozilla.254:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.255:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.256:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.257:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.260:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.261:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.270:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.271:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.272:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup


::Report End
---------------------------------------------

Incident Status Location

Virus:Trj/Mitglieder.GB Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\Mail\mail.ev1.net\Inbox[1.exe]
--------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:18:20 AM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\macromed\flash\GetFlash.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Documents and Settings\Owner\Desktop\HJT\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.timebomb2000.com/vb/forumdisplay.php?s=&forumid=9"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A22A058E-FA03-4678-AFCE-F2E1C96D65A9}: NameServer = 209.63.0.6 207.173.86.6
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
Patsy
Regular Member
 
Posts: 28
Joined: June 13th, 2005, 9:54 am

Unread postby NonSuch » January 3rd, 2006, 9:51 pm

Well, ewido cleaned out a bunch of spyware cookies, but nothing else turned up. The only thing that shows up is this...
Virus:Trj/Mitglieder.GB Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\Mail\mail.ev1.net\Inbox[1.exe]

That looks like something sitting in your mailbox. I suggest you empty your deleted e-mail folder, your sent e-mail folder, and clear out all the stuff that's probably sitting in your inbox that really isn't needed, etc. Get rid of all the junk and you'll very likely get rid of this too. You can also use Windows Explorer to go to the file path and manually delete the file that looks like it's in your inbox...

C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\Mail\mail.ev1.net\Inbox[1.exe]

This is most likely an e-mail with an attachment. It may even be in that e-mail that was sent to you, stating that you tried to send a virus infected e-mail. In any event, it's certainly better that it's confined there and not set loose on your system.

NOTE: Depending on your e-mail program, it is possible that you may need to compact the e-mail files/folders before the e-mails will be completely deleted from your system. The setting to do this in Outlook Express would be found under File > Folder > Compact. However, I do not know what the setting would be in Netscape and/or Thunderbird, but there may be a similar setting.

Other than that, your computer appears to be clean. :)

Clear out some of the stuff I suggested, and see if you can delete the above file, then let's try a Kaspersky antivirus scan to see if it locates anything...

Please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    + Extended (If available otherwise Standard)
    o Scan Options:
    + Scan Archives
    + Scan Mail Bases
  • Click OK.
  • Now under select a target to scan select My Computer.
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California

Unread postby NonSuch » January 10th, 2006, 5:14 am

Whilst we appreciate that you may be busy, it has been 7 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 488 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware