Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

3 unhealable viruses

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

3 unhealable viruses

Unread postby wonderwill » July 1st, 2006, 9:12 am

Hi

My daughter is a regular user of MSN and I have discovered 3 unhealable viruses after using AVG free. I also have zonealarm installed in this home network.

I am attaching a hijack log as I have been here before!

Logfile of HijackThis v1.99.1
Scan saved at 14:11:33, on 01/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Owner.HOMESOPHIE\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE PopUp-Killer - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5357196000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7818920249
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ ... loader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OJDGKR - Unknown owner - C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\OJDGKR.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm
Advertisement
Register to Remove

Unread postby Kimberly » July 1st, 2006, 11:36 am

Hello wonderwill,

Nothing is showing up in the Hijackthis log, any chance you remember which files were found by AVG ? I suppose AVG quarantines them, so you might be able to find back traces of them. Can you check please ?

I see she's still a fan of Messenger Plus! too in despite of all your warnings. ;)

Let's try to get a better overview first. :)

Run HijackThis, click on Open the Misc Tools Section, put a checkmark in List also minor sections and List empty sections. Click on Generate StartupList log, anwser Yes and copy/paste the content in your reply.
Click Back and Click on Scan.

Rootkit revealer leftover :

Put a check in the box on the left side of the following items if still present:

O23 - Service: OJDGKR - Unknown owner - C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\OJDGKR.exe (file missing)

Close ALL windows and browsers except HijackThis and click Fix Checked

______________________________

Please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby wonderwill » July 1st, 2006, 1:54 pm

StartupList report, 01/07/2006, 18:52:42
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Owner.HOMESOPHIE\Desktop\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.HOMESOPHIE\Desktop\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner.HOMESOPHIE\Start Menu\Programs\Startup]
SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup]
NETGEAR WG111T Smart Wizard.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
IgfxTray = C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
LVCOMSX = C:\WINDOWS\system32\LVCOMSX.EXE
LogitechVideoRepair = C:\Program Files\Logitech\Video\ISStart.exe
LogitechVideoTray = C:\Program Files\Logitech\Video\LogiTray.exe
WinPatrol = C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

LogitechSoftwareUpdate = "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=MsgPlusLoader.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\ssmyst.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll - {49E0E0F0-5C30-11D4-945D-000000000003}
(no name) - C:\Program Files\SpywareGuard\dlprotect.dll - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
(no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Download Program Files:

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky On-line Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/english/ka ... nicode.cab

[{3334504D-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/ ... p43dmo.CAB

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupda ... 5357196000

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftup ... 7818920249

[Seekford Solutions, Inc.'s ssiPictureUploader Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\SSIPIC~1.OCX
CODEBASE = http://img.funtigo.com/images/uploader/ ... loader.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/MsnMe ... loader.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx
CODEBASE = http://download.macromedia.com/pub/shoc ... wflash.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
EpsonBidirectionalService: C:\Program Files\EPSON\ESM2\eEBSVC.exe (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
AEGIS Protocol (IEEE 802.1x) v2.3.1.10: System32\DRIVERS\mdc8021x.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TrueVector Internet Monitor: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
Hi Kimberly - here is the start up Hijack list first of all
--------------------------------------------------
End of report, 13,369 bytes
Report generated in 0.188 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Unread postby wonderwill » July 1st, 2006, 1:57 pm

Hijack log

I cannot remember how to do a continuation to get all the info you request running continuously??

Logfile of HijackThis v1.99.1
Scan saved at 18:55:56, on 01/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.HOMESOPHIE\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE PopUp-Killer - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5357196000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7818920249
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ ... loader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\system32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OJDGKR - Unknown owner - C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\OJDGKR.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Unread postby wonderwill » July 1st, 2006, 2:15 pm

Kimberly

Currently doing a Kaspersky scan which I will post.

I also have managed to save the list of Viruses and where they are from the AVG scanner. I have saved these in an Excel file but do not know how to post them to you.

W
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Unread postby Kimberly » July 1st, 2006, 2:37 pm

Ok, awaiting for KAV scan.

If the Excel file is not too big, save it as a text file. You can do that from within Excel, choose another format while saving. Post content here. If too big lemme know and I'll PM you an email addy where you can send it. :)
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby wonderwill » July 1st, 2006, 3:49 pm

Kimberly

The kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, July 01, 2006 8:48:01 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 1/07/2006
Kaspersky Anti-Virus database records: 204050
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 50459
Number of viruses found: 6
Number of infected objects: 14 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:08:49

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0PUBG5YF\lasse[1].0tm Infected: Trojan-Clicker.HTML.IFrame.g skipped
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookiesnew.txt Object is locked skipped
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\rlfli7jk.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\rlfli7jk.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\rlfli7jk.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\rlfli7jk.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\rlfli7jk.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\rlfli7jk.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Option Wave Ball\1874.del Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Option Wave Ball\DRIVE SIZE DOWNLOAD.0XE Infected: Trojan-Downloader.Win32.Swizzor.fg skipped
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Option Wave Ball\LIVEBASETIMELIES.0XE Infected: Trojan-Downloader.Win32.Swizzor.eu skipped
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Option Wave Ball\UZPBOFLH.0XE Infected: Trojan-Downloader.Win32.Swizzor.eu skipped
C:\Documents and Settings\Owner.HOMESOPHIE\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner.HOMESOPHIE\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner.HOMESOPHIE\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner.HOMESOPHIE\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.HOMESOPHIE\Local Settings\History\History.IE5\MSHist012006070120060702\index.dat Object is locked skipped
C:\Documents and Settings\Owner.HOMESOPHIE\Local Settings\Temp\bis3D.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\Owner.HOMESOPHIE\Local Settings\Temp\bisFB.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\Owner.HOMESOPHIE\Local Settings\Temp\~DF2BBF.tmp Object is locked skipped
C:\Documents and Settings\Owner.HOMESOPHIE\Local Settings\Temp\~DF9103.tmp Object is locked skipped
C:\Documents and Settings\Owner.HOMESOPHIE\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.HOMESOPHIE\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner.HOMESOPHIE\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Grisoft\AVG Free\avg7log.log Object is locked skipped
C:\Program Files\Grisoft\AVG Free\avg7log.log.lck Object is locked skipped
C:\System Volume Information\_restore{7F22F279-5775-4CB3-8645-03A9170A9D2F}\RP3\A0002256.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y skipped
C:\System Volume Information\_restore{7F22F279-5775-4CB3-8645-03A9170A9D2F}\RP3\A0002256.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.y skipped
C:\System Volume Information\_restore{7F22F279-5775-4CB3-8645-03A9170A9D2F}\RP3\A0002256.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{7F22F279-5775-4CB3-8645-03A9170A9D2F}\RP4\A0003384.ini Infected: not-a-virus:AdWare.Win32.Sahat.am skipped
C:\System Volume Information\_restore{92CD6F44-7009-4606-B3BB-FCDDE3FB05EE}\RP28\A0004016.0XE Infected: Trojan-Downloader.Win32.Swizzor.fg skipped
C:\System Volume Information\_restore{92CD6F44-7009-4606-B3BB-FCDDE3FB05EE}\RP28\A0004017.0XE Infected: Trojan-Downloader.Win32.Swizzor.eu skipped
C:\System Volume Information\_restore{92CD6F44-7009-4606-B3BB-FCDDE3FB05EE}\RP28\A0004018.0XE Infected: Trojan-Downloader.Win32.Swizzor.eu skipped
C:\System Volume Information\_restore{92CD6F44-7009-4606-B3BB-FCDDE3FB05EE}\RP35\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\HOMESOPHIE.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\ZLT023cf.TMP Object is locked skipped
C:\WINDOWS\temp\ZLT065f3.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Unread postby wonderwill » July 1st, 2006, 3:52 pm

Kimberly

The AVG log in text format:

Virus identified I-Worm/Bagle.LZ C:\System Volume Information\_restore{92CD6F44-7009-4606-B3BB-FCDDE3FB05EE}\RP26\A0003857.0XE 30/06/2006 13:47 A0003857.0XE 17.77 MB
Virus identified I-Worm/Bagle.MC C:\System Volume Information\_restore{92CD6F44-7009-4606-B3BB-FCDDE3FB05EE}\RP26\A0003858.0XE 30/06/2006 13:47 A0003858.0XE 42.99 KB
Virus identified I-Worm/Bagle.MC C:\WINDOWS\system32\hldrrr.0xe 30/06/2006 13:47 hldrrr.0xe 42.99 KB
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Unread postby Kimberly » July 3rd, 2006, 12:33 am

Hello wonderwill,

The virus isn't present anymore but we need to clean up the Internet temp files.

Download the Killbox by Option^Explicit to your Desktop or to your usual Download Folder.
http://www.downloads.subratam.org/KillBox.zip
Unzip it to your desktop or a convenient folder.

Close all Internet Windows, Double-click Killbox.exe to run it.
Click on Tools > Delete Temp Files

A box will open with a list of all user profiles.

Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.

Temporary Internet Files
Temp Files

If you want to clean your cookies, history, and list of recent files run you may check those boxes as well.

Then click on the Button titled "Delete Selected Temp Files". Do the next profile until you have cleaned all the profiles in the list. Exit by clicking the Button titled "Exit(Save Settings)".
______________________________

Please reset System Restore to remove eventual backups of the spyware and trojans.

Turn off System Restore
  1. Click Start, right-click My Computer, and then click Properties.
  2. Click the System Restore tab.
  3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
  4. Click Yes when you receive the prompt to the turn off System Restore.
Reboot your computer.

Turn System Restore back on
  1. Click Start, right-click My Computer, and then click Properties.
  2. Click the System Restore tab.
  3. Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
A new restore point will be created automatically.

AVG scan should come up clean now. :)

She has the LOP infection running again due to Messenger Plus!, do you want to fix it ?

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby wonderwill » July 6th, 2006, 3:55 pm

Kim

Thanks very much for this. All are gone at the AVG scan.

I really do not know how if I can face the LOP removal. Just exactly what harm does it do? I very much appreciate your offer and your help to date.

W
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Unread postby Kimberly » July 7th, 2006, 12:52 am

Hello wonderwill,

Nice to hear that the viruses are gone and that AVG shows clean. :)

A few articles on LOP and what it does.

http://inetexplorer.mvps.org/answers/43.html
http://www.spywareinfo.com/articles/lop/
http://en.wikipedia.org/wiki/C2.LOP

It's really up to you but if it were me, I would remove it. Don't try to remove it yourself, let me know and I will give you instructions.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby wonderwill » July 8th, 2006, 4:58 am

Kim

My daughter is on holiday this week so probably a good idea if I do tackle LOP this week.

I take it the only way to stop this in the future is to prevent her accessing Messanger plus?

W
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Unread postby Kimberly » July 8th, 2006, 11:46 am

Hello wonderwill,

Ok, we can fix that this week. :)

Yes, indeed preventing her from using Messenger Plus would be a good idea. It is possible to install it without the sponsor software, but you have to read through the install procedure very very carefully. First step is removal anyways. :)

We need to see if it has scheduled jobs running, so run the batch below just before you want to start the cleanup and post the results back here. :)

Download Findlop to your Desktop
http://metallica.geekstogo.com/findlop.zip

Create a folder for Findlop on the C: drive called C:\lop. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it lop. Extract all the files from the zip archive into that folder.

Open the lop folder and doubleclick findlop.bat and it will create the file C:\findlop.txt
Copy the content into your next post.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby wonderwill » July 9th, 2006, 9:48 am

Kim

Not sure if this worked, it seemed to do very little:


[TRACE] Enumerating jobs and queues

W
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Unread postby Kimberly » July 12th, 2006, 11:03 am

Hello

I'm sorry for the delayed reply, I completely overlooked your post. :oops:

Findlop did his job, no worries. It just means that you don't have any active tasks running.

Click on Start, Control Panel, click on Add/Remove Programs
Look through the installed programs for the following items and remove them if present:

Messenger Plus 3!
LOP or LOP.com


During the uninstall process, you might be presented with several prompts to guide you through uninstalling the product. Read these carefully to make sure you are actually choosing to uninstall rather than keep the software.
______________________________

Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present:

O20 - AppInit_DLLs: MsgPlusLoader.dll

Close ALL windows and browsers except HijackThis and click Fix Checked
______________________________

Using Windows Explorer, Search and Delete these Folders if listed:

C:\program files\Messenger Plus 3
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Option Wave Ball
______________________________

Please reset System Restore to remove eventual backups of the spyware and trojans.

Turn off System Restore
  1. Click Start, right-click My Computer, and then click Properties.
  2. Click the System Restore tab.
  3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
  4. Click Yes when you receive the prompt to the turn off System Restore.
Reboot your computer.

Turn System Restore back on
  1. Click Start, right-click My Computer, and then click Properties.
  2. Click the System Restore tab.
  3. Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
A new restore point will be created automatically.
______________________________

Please let me know how everything went.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am
Advertisement
Register to Remove

Next

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 303 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware