Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Hijack This Log file - Please advise next step ......

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Hijack This Log file - Please advise next step ......

Unread postby silver » September 1st, 2008, 10:16 pm

Hi Saxon,

Yes, if you bought your computer with Windows preinstalled, the manufacturer should have provided a recovery CD or some method to reinstall the operating system. If nothing has been provided you should contact the manufacturer and ask for it. I recommend you do this whether we continue cleaning or not, because in the event of a major system problem like a hard drive failure, your system may not be recoverable and you need some way to reinstall.

For now I will assume that we will continue cleaning:

Then, open HijackThis, choose Do a system scan only and place a checkmark next to the following line:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

------------------------------------------------------------------------

Download F-Secure Blacklight to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Double click fsbl.exe to run it, choose I accept the agreement then press Scan
  • It will create the fsbl-xxxxxxx.log on your desktop containing a list of all items found.
  • Do not choose to rename any because legitimate items can also be present.
  • Exit Blacklight and post the contents of the log in your next reply.

------------------------------------------------------------------------

Download Dr.Web CureIt to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Double-click launch.exe to start the program.
  • Press Start and then OK to start the Express scan
  • The Express scan takes just a few moments to finish, if something is found, click Yes to cure it
  • Once the short scan has finished, Click Options->Change settings
  • Choose the Scan tab and UN-CHECK Heuristic analysis
  • Choose the Actions tab and make these changes:
    • Next to Infected objects select Report
    • Next to Incurable objects select Report
    • Next to Infected containers select Report
  • At the bottom-left, UN-CHECK Prompt on action, then press OK to close the settings box.
  • Note: These settings changes are IMPORTANT, please ensure you have made them before scanning
  • Then select Complete scan and press the green arrow to start the scan
  • When the scan is complete, click File-> Save report list, save the report to your desktop and close Dr Web CureIt

------------------------------------------------------------------------

Once complete, please post the Blacklight report, the Dr Web Cureit scan log and a new HijackThis log.
Also, let me know how your computer is running now.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7
Advertisement
Register to Remove

BlackLight Report

Unread postby saxon » September 2nd, 2008, 3:45 pm

09/02/08 05:55:29 [Info]: BlackLight Engine 1.0.70 initialized
09/02/08 05:55:29 [Info]: OS: 5.1 build 2600 (Service Pack 3)
09/02/08 05:55:29 [Note]: 7019 4
09/02/08 05:55:29 [Note]: 7005 0
09/02/08 05:55:40 [Note]: 7006 0
09/02/08 05:55:40 [Note]: 7011 2492
09/02/08 05:55:40 [Note]: 7035 0
09/02/08 05:55:40 [Note]: 7026 0
09/02/08 05:55:40 [Note]: 7026 0
09/02/08 05:55:44 [Note]: FSRAW library version 1.7.1024
09/02/08 20:42:48 [Note]: 7007 0
saxon
Regular Member
 
Posts: 40
Joined: June 24th, 2008, 4:54 pm

DrWeb Report

Unread postby saxon » September 2nd, 2008, 3:46 pm

data007\yhelper.dll;C:\Documents and Settings\Sean Cross\Local Settings\Temp\DivD9.tmp\DivXInstaller.exe\data013\data007;Adware.Yassist.21;;
data007;C:\Documents and Settings\Sean Cross\Local Settings\Temp\DivD9.tmp\DivXInstaller.exe\data013;Archive contains infected objects;;
data016\sremove.exe;C:\Documents and Settings\Sean Cross\Local Settings\Temp\DivD9.tmp\DivXInstaller.exe\data013\data016;Adware.Yassist.origin;;
data016;C:\Documents and Settings\Sean Cross\Local Settings\Temp\DivD9.tmp\DivXInstaller.exe\data013;Archive contains infected objects;;
data002\data001;C:\Documents and Settings\Sean Cross\Local Settings\Temp\DivD9.tmp\DivXInstaller.exe\data013\data045\data002;Adware.Cdn;;
data002\data002;C:\Documents and Settings\Sean Cross\Local Settings\Temp\DivD9.tmp\DivXInstaller.exe\data013\data045\data002;Adware.Cdn;;
data002;C:\Documents and Settings\Sean Cross\Local Settings\Temp\DivD9.tmp\DivXInstaller.exe\data013\data045;Archive contains infected objects;;
data045;C:\Documents and Settings\Sean Cross\Local Settings\Temp\DivD9.tmp\DivXInstaller.exe\data013;Archive contains infected objects;;
data013\data049;C:\Documents and Settings\Sean Cross\Local Settings\Temp\DivD9.tmp\DivXInstaller.exe\data013;Adware.Cdn;;
data013;C:\Documents and Settings\Sean Cross\Local Settings\Temp\DivD9.tmp\DivXInstaller.exe;Archive contains infected objects;;
DivXInstaller.exe;C:\Documents and Settings\Sean Cross\Local Settings\Temp\DivD9.tmp;Archive contains infected objects;Moved.;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Sean Cross\My Documents\Malware Removal\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Sean Cross\My Documents\Malware Removal;Archive contains infected objects;Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
saxon
Regular Member
 
Posts: 40
Joined: June 24th, 2008, 4:54 pm

Re: Hijack This Log file -

Unread postby saxon » September 2nd, 2008, 3:53 pm

I can't get Hijack This to work. When I double click on the icon it keeps saying "Hijack This is already running but I can't see where?? Is there any way to stop this running and start again???
saxon
Regular Member
 
Posts: 40
Joined: June 24th, 2008, 4:54 pm

Re: Hijack This Log file - Please advise next step ......

Unread postby silver » September 2nd, 2008, 9:28 pm

Hi,

An easy way to resolve the HijackThis problem is to log off and log back on again, or to reboot. Alternatively, you can open Task Manager (hold down Ctrl & Shift then press Esc), select the task hijackthis.exe and press End Task.

After performing any of the above you should be able to run HijackThis normally. The problem usually occurs when you close HijackThis before it finishes it's scan.

The Dr Web log doesn't appear to be complete, please re-post it along with a new HijackThis log.
Also, tell me how your computer is running now.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

DrWeb Report

Unread postby saxon » September 3rd, 2008, 12:24 am

data007\yhelper.dll;C:\Documents and Settings\Sean Cross\Local Settings\Temp\DivD9.tmp\DivXInstaller.exe\data013\data007;Adware.Yassist.21;;
data007;C:\Documents and Settings\Sean Cross\Local Settings\Temp\DivD9.tmp\DivXInstaller.exe\data013;Archive contains infected objects;;
data016\sremove.exe;C:\Documents and Settings\Sean Cross\Local Settings\Temp\DivD9.tmp\DivXInstaller.exe\data013\data016;Adware.Yassist.origin;;
data016;C:\Documents and Settings\Sean Cross\Local Settings\Temp\DivD9.tmp\DivXInstaller.exe\data013;Archive contains infected objects;;
data002\data001;C:\Documents and Settings\Sean Cross\Local Settings\Temp\DivD9.tmp\DivXInstaller.exe\data013\data045\data002;Adware.Cdn;;
data002\data002;C:\Documents and Settings\Sean Cross\Local Settings\Temp\DivD9.tmp\DivXInstaller.exe\data013\data045\data002;Adware.Cdn;;
data002;C:\Documents and Settings\Sean Cross\Local Settings\Temp\DivD9.tmp\DivXInstaller.exe\data013\data045;Archive contains infected objects;;
data045;C:\Documents and Settings\Sean Cross\Local Settings\Temp\DivD9.tmp\DivXInstaller.exe\data013;Archive contains infected objects;;
data013\data049;C:\Documents and Settings\Sean Cross\Local Settings\Temp\DivD9.tmp\DivXInstaller.exe\data013;Adware.Cdn;;
data013;C:\Documents and Settings\Sean Cross\Local Settings\Temp\DivD9.tmp\DivXInstaller.exe;Archive contains infected objects;;
DivXInstaller.exe;C:\Documents and Settings\Sean Cross\Local Settings\Temp\DivD9.tmp;Archive contains infected objects;Moved.;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Sean Cross\My Documents\Malware Removal\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Sean Cross\My Documents\Malware Removal;Archive contains infected objects;Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
saxon
Regular Member
 
Posts: 40
Joined: June 24th, 2008, 4:54 pm

New Hijack This Log

Unread postby saxon » September 3rd, 2008, 12:24 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:21:53, on 03/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\AVG\AVG8\avgscanx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=d ... bd=6070111
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=d ... bd=6070111
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&c ... bd=6070111
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [kdx] C:\Program Files\KHost.exe -all
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?d84bed694a4a408583fa81f8ac377258
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?d84bed694a4a408583fa81f8ac377258
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} (Cisco Systems WebVPN Relay Loader) - https://217.36.62.6/+CSCOL+/relayp.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computerc ... diagcc.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {7BD55BC6-2C42-424F-9D02-E4DE70182D9C} (TelnetLauncher Control) - http://e-learning.nil.si/TelnetLauncher.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-09c9dde21deb72e1.spaces.live ... nPUpld.cab
O16 - DPF: {9CE73426-1E7C-423E-AD30-3D7CD911B145} (ActiveXATS.ActiveXDemo2) - http://cl-0063.web.uk.netscalibur.com/s ... veXATS.CAB
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install ... stallX.CAB
O16 - DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} (Windows Live SkyDrive Upload Tool) - https://secure.shared.live.com/Pa6vGqB7 ... Upload.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10014 bytes
saxon
Regular Member
 
Posts: 40
Joined: June 24th, 2008, 4:54 pm

Machine Performance

Unread postby saxon » September 3rd, 2008, 12:37 am

My machine is definately running much better now. All the pop ups have stopped and there are no signs of the Antivirus XP 2008 on my machine. However my anti-virus software is reporting the following infections:-

found tracking cookie.
7search
Yieldmanager
Euroclick
Adrevolver
Advertising
Adviva
Atdmt
Serving-sys
Statcounter
Tradedoubler

It says these are potentially dangerous objects but does not tell me if it has deleted them or quarantineed them.
saxon
Regular Member
 
Posts: 40
Joined: June 24th, 2008, 4:54 pm

DrWeb Report

Unread postby saxon » September 3rd, 2008, 12:42 am

Although I have reposted the DrWeb report it seems no different than the previous report. When DrWeb completes the scan and then when I go to File and click on the option to save report it saves the report file as a .csv should I save it as a .txt in Notepad or is there any other format that I should be saving this report in ?
saxon
Regular Member
 
Posts: 40
Joined: June 24th, 2008, 4:54 pm

Re: Hijack This Log file - Please advise next step ......

Unread postby silver » September 3rd, 2008, 1:20 am

Hi Saxon,

Don't worry about the Dr Web report, if it is actually complete that's fine.

It says these are potentially dangerous objects but does not tell me if it has deleted them or quarantineed them.
Cookies are not malware and what has been reported does not indicate an infection. Cookies will usually be created on your machine whenever you browse the web and can be very useful, however advertising cookies such as you listed in your post do not help you and can be a privacy risk - this is why your protection software removes them.

There is some straightforward information on cookies from Microsoft here:
http://www.microsoft.com/info/cookies.mspx
This article covers cookies in detail and explains some of the privacy concerns associated with them:
http://www.howstuffworks.com/cookie.htm/printable

Generally speaking they aren't anything to be overly concerned about, especially if you are regularly scanning with your anti-malware products. We will be installing a custom hosts file and this will block a great many cookies from being set, but if you have further concerns about cookies and wish to have more control over the cookies placed on your machine, let me know in your next response and I'll give you some further suggestions.

------------------------------------------------------------------------

Click Start->Run and type cleanmgr in the box and press OK
Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
Press OK and Yes to confirm

------------------------------------------------------------------------

Clean up with OTMoveIt2:
  • Double-click OTMoveIt2.exe to start the program.
  • Close all other programs apart from OTMoveIt2 as this step will require a reboot
  • On the OTMoveIt main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.

------------------------------------------------------------------------

Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close

Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and press OK
Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
Press OK and Yes to confirm

------------------------------------------------------------------------

Stop and Disable the DNS Client Service
Go to Start, Run and type Services.msc and click OK.
Under the Extended Tab, Scroll down and find this service.
DNS Client
Right-Click on the DNS Client Service. Choose Properties
Select the General tab. Click on the Stop button.
Click the Arrow-down tab on the right-hand side at the Start-up Type box.
From the drop-down menu, select Disabled
Click the Apply tab, then click OK

------------------------------------------------------------------------

Download the MVPS hosts file to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
Right-click hosts.zip, select Extract All... and follow the prompts to unzip the file into a new folder on your Desktop
Then, double-click mvps.bat to install.
A blue box should appear, and report "THE MVPS HOSTS FILE IS NOW UPDATED"
Press any key to close the box, and you can then delete hosts.zip and the new folder hosts
Also, I recommend you subscribe to the mailing list to get hosts file update notifications.

------------------------------------------------------------------------

Next, please visit Windows Update and install all Critical and Important updates.

------------------------------------------------------------------------

Once complete, please post a new HijackThis log and tell me if you had any difficulties with the instructions.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Virus Scan Report

Unread postby saxon » September 3rd, 2008, 2:12 am

Hi Silver,

This mornings scan revealed the following:

Infections

Trojan horse Downloader.Generic7.AKBB
Virus found Downloader.FraudLoad

Path

C:\Documents and Settings\User\Local Settings\Temp\a.exe
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}-\RP348\A0095453.exe
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}-\RP348\A0095454.exe

Should I clean this up before I create a new system restore point?
saxon
Regular Member
 
Posts: 40
Joined: June 24th, 2008, 4:54 pm

Re: Hijack This Log file - Please advise next step ......

Unread postby saxon » September 3rd, 2008, 2:28 am

I have done a clean up with OTMoveIt2.exe and I can't see the "a.exe" in the path:

C:\Documents and Settings\User\Local Settings\Temp\a.exe

However when I tried to access the System Volume Information folder under the C: directory I received an "Access Denied" message and was unable to check for the .exe files which were reported in the virus scan this morning.

"C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}-\RP348\A0095453.exe"

I have downloaded the latest updates from Microsoft. Infact the update installed the Windows XP SP3 which should be good.
saxon
Regular Member
 
Posts: 40
Joined: June 24th, 2008, 4:54 pm

Re: Hijack This Log file - Please advise next step ......

Unread postby silver » September 3rd, 2008, 2:45 am

I have done a clean up with OTMoveIt2.exe and I can't see the "a.exe" in the path:
C:\Documents and Settings\User\Local Settings\Temp\a.exe
We'll check that it's gone as follows:

Open Notepad: press Start->Run, type notepad into the box and press OK
Select Format from the top menu and make sure Word Wrap is NOT checked.
Then, copy/paste the contents of the following code box into Notepad:
Code: Select all
@echo off
attrib -r -s -h "C:\Documents and Settings\User\Local Settings\Temp\a.exe" >> results.txt 2>>&1
del /q /a /f "C:\Documents and Settings\User\Local Settings\Temp\a.exe" >> results.txt 2>>&1
dir /a "C:\Documents and Settings\User\Local Settings\Temp\a.exe" >> results.txt 2>>&1
del 0%

Select File and Save as
Save it to your Desktop as "runme.bat" (you MUST type the quotes)
Locate runme.bat on your Desktop and double-click it.
A black box should open and close after a short time, this is normal.
Another text file should appear on your Desktop called results.txt, do not open it until the black box has closed.
Post the contents of this file in your next response.

------------------------------------------------------------------------

However when I tried to access the System Volume Information folder under the C: directory I received an "Access Denied" message and was unable to check for the .exe files which were reported in the virus scan this morning.
This folder contains System Restore points, you don't need to manually remove anything from here, the procedure I posted above will clean this area.

I have downloaded the latest updates from Microsoft. Infact the update installed the Windows XP SP3 which should be good.
:thumbright:

Next, please continue with the remaining instructions and when complete, please post the results.txt output and a new HijackThis log.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

DNS Service

Unread postby saxon » September 3rd, 2008, 4:38 pm

This service remains disabled. Do I need to enable this?
saxon
Regular Member
 
Posts: 40
Joined: June 24th, 2008, 4:54 pm

Results and New Hijack this Log

Unread postby saxon » September 3rd, 2008, 4:43 pm

Hi Silver,

I have completed all the steps you had advised and am posting the results and a new hijack this log

Results.txt:

Path not found - C:\Documents and Settings\User\Local Settings\Temp
The system cannot find the path specified.
The system cannot find the path specified.

Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:43:04, on 03/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=d ... bd=6070111
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=d ... bd=6070111
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&c ... bd=6070111
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [kdx] C:\Program Files\KHost.exe -all
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?d84bed694a4a408583fa81f8ac377258
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?d84bed694a4a408583fa81f8ac377258
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} (Cisco Systems WebVPN Relay Loader) - https://217.36.62.6/+CSCOL+/relayp.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computerc ... diagcc.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {7BD55BC6-2C42-424F-9D02-E4DE70182D9C} (TelnetLauncher Control) - http://e-learning.nil.si/TelnetLauncher.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-09c9dde21deb72e1.spaces.live ... nPUpld.cab
O16 - DPF: {9CE73426-1E7C-423E-AD30-3D7CD911B145} (ActiveXATS.ActiveXDemo2) - http://cl-0063.web.uk.netscalibur.com/s ... veXATS.CAB
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install ... stallX.CAB
O16 - DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} (Windows Live SkyDrive Upload Tool) - https://secure.shared.live.com/Pa6vGqB7 ... Upload.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10098 bytes
saxon
Regular Member
 
Posts: 40
Joined: June 24th, 2008, 4:54 pm
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 456 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware