Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Board index Malware Removal ForumsInfected? Virus, malware, adware, ransomware, oh my!

How do you remove spy.xtl and conhook.y?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.
Topic locked

How do you remove spy.xtl and conhook.y?

Unread postby adik » September 22nd, 2007, 6:34 pm

Hi, would anyone be kind enough to instruct me on the removal of the above mentioned trojans (I'm assuming that they are trojans). The following is the

BitDefender Online Scanner



Scan report generated at: Sat, Sep 22, 2007 - 07:05:06





Scan path: A:\;C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;







Statistics

Time
00:34:35

Files
128374

Folders
3841

Boot Sectors
7

Archives
7368

Packed Files
6026




Results

Identified Viruses
6

Infected Files
16

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
14




Engines Info

Virus Definitions
823281

Engine build
AVCORE v1.0 (build 2411) (i386) (Jul 9 2007 12:10:22)

Scan plugins
14

Archive plugins
38

Unpack plugins
7

E-mail plugins
6

System plugins
1




Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes




Scanned File
Status

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2606f78c-2d5dbd16.zip=>BnnnnBaa.class
Infected with: Java.Trojan.Exploit.Bytverify

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2606f78c-2d5dbd16.zip=>BnnnnBaa.class
Disinfection failed

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2606f78c-2d5dbd16.zip=>BnnnnBaa.class
Deleted

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2606f78c-2d5dbd16.zip
Updated

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2606f78c-2d5dbd16.zip=>VaannnaaBaa.class
Infected with: Trojan.Java.Classloader.E

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2606f78c-2d5dbd16.zip=>VaannnaaBaa.class
Disinfection failed

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2606f78c-2d5dbd16.zip=>VaannnaaBaa.class
Deleted

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2606f78c-2d5dbd16.zip
Updated

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2606f78c-2d5dbd16.zip=>Dnnny.class
Infected with: Java.Trojan.Exploit.Bytverify

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2606f78c-2d5dbd16.zip=>Dnnny.class
Disinfection failed

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2606f78c-2d5dbd16.zip=>Dnnny.class
Deleted

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2606f78c-2d5dbd16.zip
Updated

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-73df5e6e-45c4fd8c.zip=>BnnnnBaa.class
Infected with: Java.Trojan.Exploit.Bytverify

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-73df5e6e-45c4fd8c.zip=>BnnnnBaa.class
Disinfection failed

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-73df5e6e-45c4fd8c.zip=>BnnnnBaa.class
Deleted

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-73df5e6e-45c4fd8c.zip
Updated

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-73df5e6e-45c4fd8c.zip=>VaannnaaBaa.class
Infected with: Trojan.Java.Classloader.E

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-73df5e6e-45c4fd8c.zip=>VaannnaaBaa.class
Disinfection failed

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-73df5e6e-45c4fd8c.zip=>VaannnaaBaa.class
Deleted

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-73df5e6e-45c4fd8c.zip
Updated

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-73df5e6e-45c4fd8c.zip=>Dnnny.class
Infected with: Java.Trojan.Exploit.Bytverify

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-73df5e6e-45c4fd8c.zip=>Dnnny.class
Disinfection failed

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-73df5e6e-45c4fd8c.zip=>Dnnny.class
Deleted

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-73df5e6e-45c4fd8c.zip
Updated

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-14e46f0-3a6adc24.zip=>HiPointInstallShieldRT.class
Infected with: Trojan.Downloader.Small.DKO

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-14e46f0-3a6adc24.zip=>HiPointInstallShieldRT.class
Disinfection failed

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-14e46f0-3a6adc24.zip=>HiPointInstallShieldRT.class
Deleted

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-14e46f0-3a6adc24.zip
Updated

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-526002f4-47af28cf.zip=>HiPointInstallShieldRT.class
Infected with: Trojan.Downloader.Small.DKO

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-526002f4-47af28cf.zip=>HiPointInstallShieldRT.class
Disinfection failed

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-526002f4-47af28cf.zip=>HiPointInstallShieldRT.class
Deleted

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-526002f4-47af28cf.zip
Updated

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-4e3272d0-587f64d2.zip=>HiPointInstallShieldRT.class
Infected with: Trojan.Downloader.Small.DKO

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-4e3272d0-587f64d2.zip=>HiPointInstallShieldRT.class
Disinfection failed

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-4e3272d0-587f64d2.zip=>HiPointInstallShieldRT.class
Deleted

C:\Documents and Settings\Yeati\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-4e3272d0-587f64d2.zip
Updated

C:\Documents and Settings\Yeati\Local Settings\Application Data\Identities\{9859BD39-DF40-4FC9-A922-7510853BFB6C}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 657)
Infected with: Generic.Trojan.Phish.E26DC17B

C:\Documents and Settings\Yeati\Local Settings\Application Data\Identities\{9859BD39-DF40-4FC9-A922-7510853BFB6C}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 657)
Disinfection failed

C:\Documents and Settings\Yeati\Local Settings\Application Data\Identities\{9859BD39-DF40-4FC9-A922-7510853BFB6C}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 657)
Deleted

C:\Documents and Settings\Yeati\Local Settings\Application Data\Identities\{9859BD39-DF40-4FC9-A922-7510853BFB6C}\Microsoft\Outlook Express\Deleted Items.dbx
Update failed

C:\Program Files\Trend Micro\HijackThis\backups\backup-20070922-055333-488.dll
Infected with: Trojan.Conhook.Y

C:\Program Files\Trend Micro\HijackThis\backups\backup-20070922-055333-488.dll
Disinfection failed

C:\Program Files\Trend Micro\HijackThis\backups\backup-20070922-055333-488.dll
Deleted

C:\Program Files\Trend Micro\HijackThis\backups\backup-20070922-055403-441.dll
Infected with: Trojan.Conhook.Y

C:\Program Files\Trend Micro\HijackThis\backups\backup-20070922-055403-441.dll
Disinfection failed

C:\Program Files\Trend Micro\HijackThis\backups\backup-20070922-055403-441.dll
Deleted

C:\System Volume Information\_restore{E93D0057-3712-43BA-BD09-36CAC712760A}\RP2\A0000379.dll
Infected with: Trojan.Conhook.Y

C:\System Volume Information\_restore{E93D0057-3712-43BA-BD09-36CAC712760A}\RP2\A0000379.dll
Disinfection failed

C:\System Volume Information\_restore{E93D0057-3712-43BA-BD09-36CAC712760A}\RP2\A0000379.dll
Deleted

C:\System Volume Information\_restore{E93D0057-3712-43BA-BD09-36CAC712760A}\RP2\A0000380.dll
Infected with: Trojan.Conhook.Y

C:\System Volume Information\_restore{E93D0057-3712-43BA-BD09-36CAC712760A}\RP2\A0000380.dll
Disinfection failed

C:\System Volume Information\_restore{E93D0057-3712-43BA-BD09-36CAC712760A}\RP2\A0000380.dll
Deleted

C:\WINDOWS\system32\AppCert\wnl32.dll
Infected with: Trojan.Spy.XTL

C:\WINDOWS\system32\AppCert\wnl32.dll
Disinfection failed

C:\WINDOWS\system32\AppCert\wnl32.dll
Delete failed

C:\WINDOWS\system32\cryptnetf.dll
Infected with: Trojan.Conhook.Y

C:\WINDOWS\system32\cryptnetf.dll
Disinfection failed

C:\WINDOWS\system32\cryptnetf.dll
Delete failed



and this is the


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:40:38, on 22/09/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\lvhidsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\12Ghosts\12popup.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {D1EE0057-3B51-4F14-8C17-C4A6E979E0D6} - c:\windows\system32\atiddcf.dll
O2 - BHO: (no name) - {D29CC861-5ABF-45A8-92D6-C936A3908710} - C:\WINDOWS\System32\cryptnetf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [WinDVRCtrl] C:\WINDOWS\WDVRCtrl.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [RecSche] "C:\Program Files\TVR\RecSche.exe"
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\System32\rpcc.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Program Files\12Ghosts\12popup.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - https://www.webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: enyvkybq - C:\WINDOWS\SYSTEM32\atiddcf.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LifeView HID Service (LvHidSvc) - Animation Technologies Inc. - C:\WINDOWS\System32\lvhidsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7727 bytes



Thanks in advance


Adik
adik
Active Member
 
Posts: 3
Joined: September 22nd, 2007, 5:02 am
Top
Advertisement
Register to Remove

Unread postby Bob4 » September 23rd, 2007, 8:37 am

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So lets do this to the end!

  • All hijackthis logs I ask for should be done in normal mode ( not safe mode)
  • These logs should be done last after you have followed my instructions in the previous post.




Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!



-----------------------------------------------------------
Update Your Windows XP.
You are currently using an unpatched version of Windows XP.
Before attempting to remove malware, it is CRITICAL that you update to Service Pack 1a.
Get SP1a here : http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx
You should also get SP2, but NOT NOW, rather only after your machine is clean.
After updating your Windows to SP1a, post a new HijackThis log please, using the Reply button and we should be able to get you cleaned. ;)
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida
Top

Not sure if I've managed to get SP1

Unread postby adik » September 24th, 2007, 1:21 pm

Hi, I tried to get sp1 on but ran into problems. Is there a walk round this problem? Here's a new HJT log. hope its of some use to you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:27:02, on 24/09/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\lvhidsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\12Ghosts\12popup.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {D1EE0057-3B51-4F14-8C17-C4A6E979E0D6} - c:\windows\system32\atiddcf.dll
O2 - BHO: (no name) - {D29CC861-5ABF-45A8-92D6-C936A3908710} - C:\WINDOWS\System32\cryptnetf.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [WinDVRCtrl] C:\WINDOWS\WDVRCtrl.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [RecSche] "C:\Program Files\TVR\RecSche.exe"
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\System32\rpcc.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-725345543-162531612-839522115-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-21-725345543-162531612-839522115-1003 Startup: 12Ghosts Popup-Killer.lnk = C:\Program Files\12Ghosts\12popup.exe (User '?')
O4 - S-1-5-21-725345543-162531612-839522115-1003 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Program Files\12Ghosts\12popup.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - https://www.webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0555580951
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: enyvkybq - C:\WINDOWS\SYSTEM32\atiddcf.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LifeView HID Service (LvHidSvc) - Animation Technologies Inc. - C:\WINDOWS\System32\lvhidsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8145 bytes

cheers
adik
Active Member
 
Posts: 3
Joined: September 22nd, 2007, 5:02 am
Top

Unread postby Bob4 » September 24th, 2007, 6:09 pm

Before we can go on any futher we need to find out why you cannot validate your copy of XP. And how you can hopefully solve the problem. We will not carry on any futher in cleaning your computer as it is important to solve this one first.


If you go to http://www.microsoft.com/genuine/downlo ... idate.aspx? and validate your install, in cases where it is not a valid install, you'll be given a page to print out (so you can take it to the seller) and that, depending on the circumstance (including when you bought the software) you may also be eligible for a promotional rate on a legit Windows License. The FAQ for that section can be found here:
<http://www.microsoft.com/genuine/purchase/purchasefaq.aspx>

You should go back to the point of purchase and explain to the retailer you bought this from what you are experiencing regarding the validation of the copy.

If that fails you can contact Microsofts Customer Service on:

UK - Monday to Friday, 8am to 6pm, call 0870 60 10 100
US - Monday through Friday, 8 A.M. to 10 P.M. (Eastern Time), at (888) 218-5617 (toll-free in the United States).

Explain your problem. and they will pass you through to the right department.

Please let me know what you learn .
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida
Top

okie dokie

Unread postby adik » September 24th, 2007, 7:32 pm

I'll get on to it, thx.
adik
Active Member
 
Posts: 3
Joined: September 22nd, 2007, 5:02 am
Top

Unread postby Elrond » October 2nd, 2007, 9:29 am

This topic is now closed due to inactivity. If you wish it to be reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
Top
Advertisement
Register to Remove
Topic locked
  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 141 guests

The teamDelete all board cookiesAll times are UTC - 5 hours [ DST ]

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware

Board index