Browser Hijacker - Hijack this log to analyse, thanks.


Post by davemate71 » May 31st, 2007, 5:27 pm

For about the last week, my Internet Explorer has been referring me to a site called "tende.biz/ctrl/l2.php". This is a constant source of annoyance more than anything; as far as I can see there has been no real damage, and Firefox, my usual browser, is running nicely. I have tried everything, from AVG to Trend Micro's free analyser/remover. I used the Trend program as it was the only program mentioning that site when I googled it.

Your help would be appreciated, I am getting to the point where I am ready to format it, however, PC advisor forum pointed me in this direction....

Thanks in anticipation for your help. I shall be away until 4th June so I will check back then but, obviously, appreciate your busy schedule and that you also have lives (hopefully!). Just in case you wonder what the "Kontiki" mentioned in the log file is..... It is a TV channel's online, on-demand service. This was installed after the problems started.


Logfile of HijackThis v1.99.1
Scan saved at 22:24:06, on 31/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Linksys\Cordless Internet Telephony Kit\cit200.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blueyonder.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=explorer.exe C:\DOCUME~1\David\LOCALS~1\Temp\cryptfg.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\blueyonder-istconfig.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Linksys Cordless Internet Telephony Kit.lnk = C:\Program Files\Linksys\Cordless Internet Telephony Kit\cit200.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?a3b19a73ca1e4386a5ff3e61e351cb35
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?a3b19a73ca1e4386a5ff3e61e351cb35
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Stan James Poker.com Poker - {7F2F6F5A-CAE2-4954-A461-36B3757B2BFB} - C:\Program Files\stanjamesgibMPP\MPPoker.exe
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Microgaming\Poker\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\David\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/St ... b55579.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 1.1.74.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZB ... b55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://dolphinmania2002.spaces.live.com ... nPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZP ... b55579.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-U ... E_UNO1.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GA ... b55579.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/St ... b55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Cricket 2007 Drivers Auto Removal (pr2agnqb) (pr2agnqb) - Codemasters - C:\WINDOWS\system32\pr2agnqb.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
davemate71
Active Member
 
Posts: 9
Joined: May 31st, 2007, 4:52 pm

Post by Bob4 » May 31st, 2007, 6:47 pm

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So let's do this to the end!
Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!

It looks like you have been infected by a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

It's very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing rootkits. While we can attempt to clean what we see in your logs, we can't guarantee that your computer will be completely in the clear since we have no way of knowing what has been done to the computer. Your computer could be completely compromised at this moment. It may be prudent to back up your information, reformat, and reinstall.

More information on Remote Access Trojans can be found here.

I suggest you do the following immediately:
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
  • Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

If, however, you decide that the computer is not used for any sensitive work, or if you do not wish to reformat at this time, I can help you clean your computer to the best of my abilities.

Should you have any questions, please feel free to ask.

Please let me know what you decide to do in your next post.

Should you decide to clean this machine start by doing the following.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log


In your next reply I would like to see:
  • A new HJT log
  • The report from S&D fix


Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Not running the batch file

Post by davemate71 » June 4th, 2007, 6:37 pm

Thanks for the prompt reply. I took all of the steps listed, but when I ran the RunThis batch file it did nothing. There was no prompt for me to type Y, just a very quick flash of the command prompt in the task bar.

Any ideas?
davemate71
Active Member
 
Posts: 9
Joined: May 31st, 2007, 4:52 pm

Post by Bob4 » June 4th, 2007, 8:38 pm

Please check that there isn't a file called report.txt in the S&D folder. If there is please post that before retrying.



I just have to ask ..

You booted to safe mode?

You extracted the files per the directions?

It may take a few minutes or more to do its job. You may just have to wait.



If all of that was done correctly, let's try redownloading it and trying again.
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Post by davemate71 » June 5th, 2007, 1:19 pm

Ok, will do, maybe I am being too impatient!! :lol:
davemate71
Active Member
 
Posts: 9
Joined: May 31st, 2007, 4:52 pm

Unforeseen resolution

Post by davemate71 » June 5th, 2007, 6:05 pm

Okay, so here's what has happened, I still did not get any joy with the SDFix batch file, I opened it and left it for about ten mins and still no input box. However, I did run AVG Spyware in the interim and it seems to have cured the problem, it came up with a couple of high priority objects:

C:\Documents and Settings\David\Local Settings\Temp\cryptfg.exe -> Trojan.PolyCrypt.b : Cleaned with backup (quarantined).

C:\MAGIX\Audio_Cleaning_Lab_11\mxcdr\CDR_MediaManager\QMP2DC.DLL -> Dropper.Mkar.e : Cleaned with backup (quarantined).

The second one of these is more of a confusion as my version of Audio Cleaning Lab is a genuine bought copy. I did read in the archives that another file that attached itself to a Magix program turned out to be a false positive.

However..... Internet Explorer seems to be fine and maybe we can draw a line under this one for the time being. Thanks for your assistance and I think you can chalk this one up as victory for yourself!! :o
davemate71
Active Member
 
Posts: 9
Joined: May 31st, 2007, 4:52 pm

Post by davemate71 » June 5th, 2007, 6:06 pm

PS..... If you need another log report then let me know, just to see if anything has changed.

Once again, thanks......
davemate71
Active Member
 
Posts: 9
Joined: May 31st, 2007, 4:52 pm

Post by Bob4 » June 5th, 2007, 8:18 pm

Let's see if S&D will work like this.

Click start > run > copy and paste:

%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg

Please post another HJT log.
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

SD Fix no show....... again

Post by davemate71 » June 6th, 2007, 6:50 pm

Tried the reg addition but it did not want to play either. Here is the HJT log file.

Logfile of HijackThis v1.99.1
Scan saved at 23:49:26, on 06/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Linksys\Cordless Internet Telephony Kit\cit200.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blueyonder.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\blueyonder-istconfig.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Linksys Cordless Internet Telephony Kit.lnk = C:\Program Files\Linksys\Cordless Internet Telephony Kit\cit200.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?a3b19a73ca1e4386a5ff3e61e351cb35
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?a3b19a73ca1e4386a5ff3e61e351cb35
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Stan James Poker.com Poker - {7F2F6F5A-CAE2-4954-A461-36B3757B2BFB} - C:\Program Files\stanjamesgibMPP\MPPoker.exe
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Microgaming\Poker\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\David\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/St ... b55579.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 1.1.74.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZB ... b55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://dolphinmania2002.spaces.live.com ... nPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZP ... b55579.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-U ... E_UNO1.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GA ... b55579.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/St ... b55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Cricket 2007 Drivers Auto Removal (pr2agnqb) (pr2agnqb) - Codemasters - C:\WINDOWS\system32\pr2agnqb.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
davemate71
Active Member
 
Posts: 9
Joined: May 31st, 2007, 4:52 pm

Post by Bob4 » June 7th, 2007, 6:38 am

Looks better.



___________________________________
DISABLE Spyware Doctor
It is a good program, but ... it may hinder the removal of some HijackThis entries. You can re-enable it after you're clean.
From within Spyware Doctor, click the "OnGuard" button on the left side.
Uncheck "Activate OnGuard".


______________________________
HJT
Run HijackThis, choose Scan Only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked


O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

___________________________


Look in

C:\Program Files\Grisoft\AVG anti-spyware 7.5\Reports

See if AVG has saved a log for you. If so please post it.




_________________________________
Please do an online scan with Kaspersky Online Scanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:

Extended (If available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK

Now under select a target to scan select My Computer


Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.



The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.

Copy and paste that information in your next post.


In your next reply I would like to see:
  • A new HJT log
  • The report from AVG if you have one.
  • The report from Kaspersky.
Bob4
MRU Master
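The two HJT lines above are flagged for the same reason: each is a COM object (a Browser Helper Object and a toolbar) that Internet Explorer is still told to load, but whose CLSID no longer points at a DLL on disk, which is what HijackThis reports as "(no file)". The following Python script is an added example, not part of the original post or of HijackThis, that parses O2/O3 log lines, picks out the orphaned entries, and prints the standard registry locations (the HKLM "Browser Helper Objects" and "Internet Explorer\Toolbar" keys, plus the HKCR\CLSID registration) where a helper would verify them before and after "Fix Checked". The sample log consists of the two entries from this thread plus one constructed, healthy Adobe entry for contrast.

```python
"""Flag HijackThis O2 (BHO) and O3 (toolbar) entries whose CLSID no longer
resolves to a file, and show where each one is registered.

Added example; not code from the original post or from HijackThis. The
registry paths are the standard IE locations on Windows XP; the Adobe
sample line is constructed for contrast.
"""
import re
from dataclasses import dataclass
from typing import List

# Two lines from the thread plus one constructed, well-formed entry.
SAMPLE_HJT_LINES = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
"""

# "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
_ENTRY_RE = re.compile(
    r"^(?P<kind>O2|O3) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"
)

# Where IE reads these entries from (HKLM hive, standard locations).
REGISTRY_LOCATIONS = {
    "O2": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{clsid}",
    "O3": r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar  (value name: {clsid})",
}
# The CLSID itself maps to a DLL here; "(no file)" means this path is missing.
CLSID_REGISTRATION = r"HKCR\CLSID\{clsid}\InprocServer32"


@dataclass
class HjtEntry:
    kind: str      # "O2" or "O3"
    name: str
    clsid: str
    target: str    # DLL path or "(no file)"

    @property
    def orphaned(self) -> bool:
        """True when HijackThis could not find the DLL the CLSID points to."""
        return self.target.strip().lower() == "(no file)"

    @property
    def registry_keys(self) -> List[str]:
        """Registry locations to inspect for this entry."""
        return [
            REGISTRY_LOCATIONS[self.kind].replace("{clsid}", self.clsid),
            CLSID_REGISTRATION.replace("{clsid}", self.clsid),
        ]


def parse_hjt(text: str) -> List[HjtEntry]:
    """Extract O2/O3 entries from HijackThis log text; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if m:
            entries.append(HjtEntry(m["kind"], m["name"], m["clsid"], m["target"]))
    return entries


def orphaned_entries(text: str) -> List[HjtEntry]:
    """The O2/O3 lines a helper would tell the user to check and fix."""
    return [e for e in parse_hjt(text) if e.orphaned]


if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_HJT_LINES):
        print(f"{e.kind} {e.clsid} {e.name}: no file -> fix; verify at")
        for key in e.registry_keys:
            print("   ", key)
```

Orphaned entries like these are harmless by themselves (there is nothing left to load), but they are evidence that something was removed or quarantined without its registration being cleaned up, which is why a helper removes them and then asks for a fresh log to confirm nothing re-creates them.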

AVG Spyware Log

Unread postby davemate71 » June 7th, 2007, 2:10 pm

This is the only one I have done, I can do another scan if it will be of benefit.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 23:45:05 31/05/2007

+ Scan result:



C:\MAGIX\Audio_Cleaning_Lab_11\mxcdr\CDR_MediaManager\QMP2DC.DLL -> Dropper.Mkar.e : Cleaned with backup (quarantined).
C:\Documents and Settings\David\Cookies\david@channel4.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.100:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.101:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.102:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.103:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.105:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\David\Cookies\david@3.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\David\Cookies\david@4.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\David\Cookies\david@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\David\Cookies\david@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.36:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.37:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\David\Cookies\david@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.111:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.112:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.114:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.115:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.39:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\David\Cookies\david@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\David\Cookies\david@www.belstat[2].txt -> TrackingCookie.Belstat : Cleaned.
:mozilla.156:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.254:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.255:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.256:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.257:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.258:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.225:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\David\Cookies\david@connextra[2].txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.14:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\David\Cookies\david@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\David\Cookies\david@www.etracker[1].txt -> TrackingCookie.Etracker : Cleaned.
:mozilla.320:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.321:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.322:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.323:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.324:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\David\Cookies\david@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.135:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.136:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.137:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.138:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.12:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.13:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.15:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.16:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.17:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\David\Cookies\david@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.285:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.337:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.287:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.288:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
C:\Documents and Settings\David\Cookies\david@intelli-direct[1].txt -> TrackingCookie.Intelli-direct : Cleaned.
C:\Documents and Settings\David\Cookies\david@ivwbox[2].txt -> TrackingCookie.Ivwbox : Cleaned.
C:\Documents and Settings\David\Cookies\david@search.live[2].txt -> TrackingCookie.Live : Cleaned.
:mozilla.168:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.169:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.46:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\David\Cookies\david@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.7:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.195:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\David\Cookies\david@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\David\Cookies\david@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\David\Cookies\david@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.175:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.176:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.177:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.178:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.163:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.164:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\David\Cookies\david@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.353:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Real : Cleaned.
:mozilla.354:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\David\Cookies\david@real[1].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\David\Cookies\david@realguide.real[1].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\David\Cookies\david@uk.real[1].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\David\Cookies\david@www.real[2].txt -> TrackingCookie.Real : Cleaned.
:mozilla.310:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.311:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.312:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.313:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.314:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.315:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\David\Cookies\david@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\David\Cookies\david@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\David\Cookies\david@news.skype[1].txt -> TrackingCookie.Skype : Cleaned.
C:\Documents and Settings\David\Cookies\david@secure.skype[1].txt -> TrackingCookie.Skype : Cleaned.
C:\Documents and Settings\David\Cookies\david@site.skype[2].txt -> TrackingCookie.Skype : Cleaned.
C:\Documents and Settings\David\Cookies\david@skype[2].txt -> TrackingCookie.Skype : Cleaned.
C:\Documents and Settings\David\Cookies\david@welcome.skype[1].txt -> TrackingCookie.Skype : Cleaned.
C:\Documents and Settings\David\Cookies\david@specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.118:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.57:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.58:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.42:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.43:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\David\Cookies\david@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\David\Cookies\david@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.93:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.98:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.99:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\David\Cookies\david@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.281:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.282:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.283:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.284:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\d4b10a50.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\David\Local Settings\Temp\cryptfg.exe -> Trojan.PolyCrypt.b : Cleaned with backup (quarantined).


::Report end
davemate71
Active Member
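Almost all of the report above is tracking cookies, which are privacy noise rather than an infection; the two lines that matter are the DLL under C:\MAGIX detected as Dropper.Mkar.e and cryptfg.exe in the user's Temp folder detected as Trojan.PolyCrypt.b, both of which were quarantined rather than simply cleaned. The following Python script is an added example, not part of the original post or of AVG, that parses the report's "object -> detection : action" lines and separates cookie hits from detections needing follow-up, flagging quarantined items and anything dropped in a Temp directory. The sample report is a constructed excerpt of the one posted in the thread.

```python
"""Triage an AVG Anti-Spyware scan report: separate tracking cookies (noise)
from detections that need follow-up, and list what was only quarantined.

Added example; not code from the original post or from AVG. SAMPLE_REPORT is
a constructed excerpt of the report posted in the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_REPORT = """\
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 23:45:05 31/05/2007

+ Scan result:

C:\\MAGIX\\Audio_Cleaning_Lab_11\\mxcdr\\CDR_MediaManager\\QMP2DC.DLL -> Dropper.Mkar.e : Cleaned with backup (quarantined).
C:\\Documents and Settings\\David\\Cookies\\david@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.14:C:\\Documents and Settings\\David\\Application Data\\Mozilla\\Firefox\\Profiles\\d4b10a50.default\\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\\Documents and Settings\\David\\Local Settings\\Temp\\cryptfg.exe -> Trojan.PolyCrypt.b : Cleaned with backup (quarantined).

::Report end
"""

# "<object> -> <Family.Variant> : <action>."  (trailing period optional)
_LINE_RE = re.compile(r"^(?P<obj>.+?) -> (?P<detection>\S+) : (?P<action>.+?)\.?$")


@dataclass
class Finding:
    obj: str        # file path, or ":mozilla.N:<cookies.txt>" for Firefox cookies
    detection: str  # e.g. "Trojan.PolyCrypt.b"
    action: str     # e.g. "Cleaned with backup (quarantined)"

    @property
    def family(self) -> str:
        """Leading component of the detection name (Trojan, Dropper, TrackingCookie, ...)."""
        return self.detection.split(".", 1)[0]

    @property
    def is_cookie(self) -> bool:
        return self.family == "TrackingCookie"

    @property
    def quarantined(self) -> bool:
        return "quarantined" in self.action.lower()

    @property
    def in_temp(self) -> bool:
        """Executable content in a Temp folder is a typical drop location."""
        return "\\temp\\" in self.obj.lower()


def parse_report(text: str) -> List[Finding]:
    """Extract result lines; headers, blank lines and '::Report end' are ignored."""
    findings = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(m["obj"], m["detection"], m["action"]))
    return findings


def triage(text: str) -> Dict[str, object]:
    """Summarise a report: cookie count, real detections by family, and follow-ups."""
    findings = parse_report(text)
    real = [f for f in findings if not f.is_cookie]
    return {
        "total": len(findings),
        "cookies": sum(f.is_cookie for f in findings),
        "by_family": dict(Counter(f.family for f in real)),
        "needs_followup": [f.obj for f in real],
        "quarantined": [f.obj for f in real if f.quarantined],
        "dropped_in_temp": [f.obj for f in real if f.in_temp],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"{summary['total']} lines, {summary['cookies']} tracking cookies")
    print("detections by family:", summary["by_family"])
    for path in summary["needs_followup"]:
        print("follow up:", path)
```

The "dropped_in_temp" list is the one to watch in a thread like this: a packed executable in Local Settings\Temp that AVG quarantined is consistent with the user's redirect problem, and the helper's next steps (SDFix, ComboFix, a fresh HJT log) are aimed at whatever put it there.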

Unread postby Bob4 » June 8th, 2007, 7:05 pm

Alrighty. The maker of the S&D fix has worked with me on some problems that may cause it not to run.
It will fix some registry entries for the infection you had.
Let's please try redownloading it and trying once more.


_____________________________
Please delete the S&D fix folder and the S&D fix zip file you have downloaded.
Then:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log


______________________________


1. Download Combo fix from one of these locations.
http://www.techsupportforum.com/sectool ... mboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


______________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from S&D (hopefully)
  • The report from Combofix


Bob4
MRU Master

Back to the drawing board

Unread postby davemate71 » June 8th, 2007, 8:27 pm

SDFix still does not want to play ball in safe mode. I will do the Kaspersky scan over the weekend. Just for the record, IE is still working ok but evidently there is still some nastiness going on in there, so maybe we are not done here just yet!!
davemate71
Active Member

Unread postby Bob4 » June 8th, 2007, 9:29 pm

Do this. Please hold off on the Kaspersky scan for a moment.

With the new copy of S&D downloaded to your C drive, click Start/Run and copy this in exactly:

%systemdrive%\SDFix\apps\FixPath.exe /Q


Hit Enter.
A quick black screen will flash (don't blink); this is normal.

Now go ahead and run S&D fix.
Post that and the combo scan I asked for. Do the S&D fix first. It should repair something that may also stop the combo fix from running.
Bob4
MRU Master

Unread postby Bob4 » June 12th, 2007, 7:28 am

Still with me?
Bob4
MRU Master