Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Hi can anyone help heres my log

Post by Gman » July 27th, 2006, 4:24 pm

Machine's hijacked; reading up, and it's due to pmmon.exe, I think?

Any help would be appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 20:37:34, on 27/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IntCodec\pmsngr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearchIndexer.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\IntCodec\pmmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\GARYRO~1.MER\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - C:\Program Files\IntCodec\isaddon.dll (file missing)
O2 - BHO: DIALux 3.1 ULDBrowserHelper Class - {69AB812A-8CE4-4BF3-B49B-3B60A9F31FB2} - C:\Program Files\DIALux\DLXShellExtension.dll
O2 - BHO: (no name) - {85F6D407-98AE-B49C-3FB3-B7D329D7DDBE} - (no file)
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: Protection Bar - {d1ac752e-883f-4ed8-8828-b618c3a72152} - C:\Program Files\IntCodec\iesplugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OCAudioIni] C:\Program Files\One-click Audio Converter\OCAudioIni.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OnlineBows] C:\DOCUME~1\GARYRO~1.MER\APPLIC~1\DEFAUL~1\flagloud.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: Shortcut to gla-engineer.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?8a5e16614bd7458184894e36912bc7a
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?8a5e16614bd7458184894e36912bc7a
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0793692296
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://join-test.webex.com/client/v_my ... eatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5BF4DBB-A515-4763-B2E7-CAE67C1D8B21}: NameServer = 212.74.114.129 212.74.112.67
O18 - Protocol: dialux - {8352FA4C-39C6-11D3-ADBA-00A0244FB1A2} - C:\Program Files\DIALux\DLXToolBox.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Gman
Active Member
 
Posts: 7
Joined: July 27th, 2006, 4:18 pm

Post by bamajim » July 28th, 2006, 5:19 pm

Gman

Hello and welcome to MRU

I am currently looking at your log and will have a reply soon.
In the meantime:

You are currently running HijackThis from a Temp folder.

HijackThis creates backups that we may need, which could easily be lost or deleted from a temp location.

Please move HijackThis.exe to its own folder. It can be done by:

    Create a folder on the C: drive called C:\HJT.
    You can do this by going to My Computer (Windows key+E), then double-clicking on C:,
    then right-click and select New, then Folder, and name it HJT.


Then repost your log

thanks bamajim
bamajim
Visiting Staff
 
Posts: 1138
Joined: February 3rd, 2006, 11:09 am

Post by Gman » July 29th, 2006, 11:42 am

OK, thanks bamajim, I've done that. Here is the reposted log:

Logfile of HijackThis v1.99.1
Scan saved at 16:41:27, on 29/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IntCodec\pmsngr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearchIndexer.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\GARYRO~1.MER\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - C:\Program Files\IntCodec\isaddon.dll (file missing)
O2 - BHO: DIALux 3.1 ULDBrowserHelper Class - {69AB812A-8CE4-4BF3-B49B-3B60A9F31FB2} - C:\Program Files\DIALux\DLXShellExtension.dll
O2 - BHO: (no name) - {85F6D407-98AE-B49C-3FB3-B7D329D7DDBE} - (no file)
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: Protection Bar - {d1ac752e-883f-4ed8-8828-b618c3a72152} - C:\Program Files\IntCodec\iesplugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OCAudioIni] C:\Program Files\One-click Audio Converter\OCAudioIni.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OnlineBows] C:\DOCUME~1\GARYRO~1.MER\APPLIC~1\DEFAUL~1\flagloud.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: Shortcut to gla-engineer.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?8a5e16614bd7458184894e36912bc7a
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?8a5e16614bd7458184894e36912bc7a
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0793692296
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://join-test.webex.com/client/v_my ... eatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5BF4DBB-A515-4763-B2E7-CAE67C1D8B21}: NameServer = 80.225.255.185 80.225.255.177
O18 - Protocol: dialux - {8352FA4C-39C6-11D3-ADBA-00A0244FB1A2} - C:\Program Files\DIALux\DLXToolBox.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
Gman
Active Member
 
Posts: 7
Joined: July 27th, 2006, 4:18 pm

Post by bamajim » July 30th, 2006, 12:04 am

Gman

Sorry for the delay in my response

You still have HijackThis in a temp location:
C:\DOCUME~1\GARYRO~1.MER\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

Let's do it this way:

Download a self-extracting version of HijackThis HERE

Double-click on hijackthis.exe to extract HijackThis to the folder c:\hijackthis. It will extract it to that folder and open the folder for you. It will also create a shortcut on your desktop to HijackThis. It will even open itself in Notepad.

After you do that

Re-run HijackThis
    At the Main window select "Open the misc tool section"
    Then select "Open uninstall manager"
    Then "save list" and save it to your desktop

Copy and paste that list as a reply to this thread

Your reply should include
    your uninstall_list.txt
    a Fresh hijackthis log

thanks bamajim
bamajim
Visiting Staff
 
Posts: 1138
Joined: February 3rd, 2006, 11:09 am

Post by Gman » July 30th, 2006, 7:59 am

Apologies there, here are the log files as requested:

Logfile of HijackThis v1.99.1
Scan saved at 12:57:19, on 30/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IntCodec\pmsngr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearchIndexer.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - C:\Program Files\IntCodec\isaddon.dll (file missing)
O2 - BHO: DIALux 3.1 ULDBrowserHelper Class - {69AB812A-8CE4-4BF3-B49B-3B60A9F31FB2} - C:\Program Files\DIALux\DLXShellExtension.dll
O2 - BHO: (no name) - {85F6D407-98AE-B49C-3FB3-B7D329D7DDBE} - (no file)
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: Protection Bar - {d1ac752e-883f-4ed8-8828-b618c3a72152} - C:\Program Files\IntCodec\iesplugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OCAudioIni] C:\Program Files\One-click Audio Converter\OCAudioIni.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OnlineBows] C:\DOCUME~1\GARYRO~1.MER\APPLIC~1\DEFAUL~1\flagloud.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: Shortcut to gla-engineer.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?8a5e16614bd7458184894e36912bc7a
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?8a5e16614bd7458184894e36912bc7a
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0793692296
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://join-test.webex.com/client/v_my ... eatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5BF4DBB-A515-4763-B2E7-CAE67C1D8B21}: NameServer = 212.74.114.129 212.74.112.67
O18 - Protocol: dialux - {8352FA4C-39C6-11D3-ADBA-00A0244FB1A2} - C:\Program Files\DIALux\DLXToolBox.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

uninstall_list.txt:

Acoustica Beatcraft
Acoustica Effects Pack
Ad-Aware SE Personal
Adobe Reader 7.0.8
Audacity 1.2.4
AutoCAD 2006 - English
Autodesk DWF Viewer
AVG Free Edition
AVS Audio Tools version 3.3
BitTorrent 4.20.2
Broadcom 802.11 Wireless LAN Adapter
BulletProof FTP
CalcuLuX Area 6.4.1
CCleaner (remove only)
Collab
Conexant AC-Link Audio
Connect 16th Edition v21
Crystal Reports v9 components by Hevacomp Ltd
DIALux 4.1
DivX
DWG TrueView
Easy Internet Sign-up
Electrical Designer v21
Google Video Player
Guitar Pro 4
Hevacomp on-line manuals v21
Hevacomp Project Explorer v21
HijackThis 1.99.1
HP Help and Support
HP Software Update
HP User Guides 0001
HP Wireless Assistant
Intel(R) Graphics Media Accelerator Driver for Mobile
Internet Explorer Security Plugin 2006
InterVideo WinDVD
iTunes
J2SE Runtime Environment 5.0
Learn2 Player (Uninstall Only)
LimeWire PRO 4.9.37
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft AutoRoute 2005
Microsoft Encarta Encyclopedia Standard 2005
Microsoft Money
Microsoft Office Outlook 2003
Microsoft Office Professional Edition 2003
Microsoft Photo Premium 10
Microsoft Word 2002
Microsoft Works
Microsoft Works 2005 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
mkw Audio Compression Toolkit
MSN Messenger 7.5
MSN Search Toolbar
Nero - Burning Rom
Nimbus Lighting v21
One-click Audio Converter Uninstall
Philips Product Selector plug-in for DIALux 2.4
Public Messenger ver 2.03
Quick Launch Buttons 5.10 B2
QuickTime
Raptor Audio 1.6
RealPlayer
REALTEK Gigabit and Fast Ethernet NIC Driver
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Shockwave
Soft Data Fax Modem with SmartCP
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Spark Audio Converter (Remove only)
SpeedTouch USB Software
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
TrojanHunter 4.5
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Viewpoint Media Player
WebEx
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885295
Windows XP Hotfix - KB885464
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver

thanks
Gman
Active Member
 
Posts: 7
Joined: July 27th, 2006, 4:18 pm

Unread postby bamajim » July 30th, 2006, 12:43 pm

Gman

Welcome back

First Please go here

And Download SmitFraudFix by S!ri

Right-click and extract all the archive content to your desktop
    Open the Smitfraud folder
    Double-click smitfraudfix.cmd
    Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
Open that file, Ctrl+A to copy, and post a copy of that log as a reply to this thread


Do Not run option 2 until instructed to do so


thanks bamajim
bamajim
Visiting Staff
 
Posts: 1138
Joined: February 3rd, 2006, 11:09 am

Unread postby Gman » July 30th, 2006, 1:15 pm

report below bamajim

SmitFraudFix v2.76

Scan done at 18:14:22.23, 30/07/2006
Run from C:\Documents and Settings\Gary Rodger.MERCURY\Desktop\Smitfraud
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Gary Rodger.MERCURY\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\GARYRO~1.MER\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\ALLUSE~1.WIN\Desktop\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1.WIN\Desktop\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\IntCodec\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
Gman
Active Member
 
Posts: 7
Joined: July 27th, 2006, 4:18 pm

Unread postby bamajim » July 30th, 2006, 8:32 pm

Gman

Reboot into Safe Mode
This can be done by
    Restart your PC, and after it starts, but before you see the Windows Splash screen
    Begin tapping the F8 key twice a second until you reach another menu screen (black background with white menu choices)
    Use your arrow keys and select Safe Mode and then Enter
Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if your computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Once complete reboot your PC into Normal mode, re run Hijackthis and post a fresh log

your reply should include
    rapport.txt
    a fresh Hijackthis log

Thanks bamajim
bamajim
Visiting Staff
 
Posts: 1138
Joined: February 3rd, 2006, 11:09 am

Unread postby Gman » July 31st, 2006, 1:34 pm

Logfile of HijackThis v1.99.1
Scan saved at 18:33:32, on 31/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearchIndexer.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Toolbar Suite\SL\02.05.0001.1119\en-gb\msn_sl.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DIALux 3.1 ULDBrowserHelper Class - {69AB812A-8CE4-4BF3-B49B-3B60A9F31FB2} - C:\Program Files\DIALux\DLXShellExtension.dll
O2 - BHO: (no name) - {85F6D407-98AE-B49C-3FB3-B7D329D7DDBE} - (no file)
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: Protection Bar - {d1ac752e-883f-4ed8-8828-b618c3a72152} - C:\Program Files\IntCodec\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OCAudioIni] C:\Program Files\One-click Audio Converter\OCAudioIni.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OnlineBows] C:\DOCUME~1\GARYRO~1.MER\APPLIC~1\DEFAUL~1\flagloud.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: Shortcut to gla-engineer.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?8a5e16614bd7458184894e36912bc7a
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?8a5e16614bd7458184894e36912bc7a
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0793692296
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://join-test.webex.com/client/v_my ... eatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5BF4DBB-A515-4763-B2E7-CAE67C1D8B21}: NameServer = 80.225.255.185 80.225.255.177
O18 - Protocol: dialux - {8352FA4C-39C6-11D3-ADBA-00A0244FB1A2} - C:\Program Files\DIALux\DLXToolBox.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


and


SmitFraudFix v2.76

Scan done at 18:26:32.42, 31/07/2006
Run from C:\Documents and Settings\Gary Rodger.MERCURY\Desktop\Smitfraud
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\ALLUSE~1.WIN\Desktop\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1.WIN\Desktop\Security Troubleshooting.url Deleted
C:\Program Files\IntCodec\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Thanks
Gman
Active Member
 
Posts: 7
Joined: July 27th, 2006, 4:18 pm

Unread postby bamajim » July 31st, 2006, 7:48 pm

Gman

Welcome back

Please print out these instructions for reference, as this part will require a reboot

Go here and Download Ewido Antimalware 4.0
(30 day free trial version) Save it to Your Desktop

Double Click Ewido-setup
(It will create its own folder)
Once the program starts You will be at the Status menu
    Under "Your computers Security"
    Click change status on Resident shield to inactive
    Click Update now (next to last update)
    After the update loads
    Under Automatic updates uncheck Download and install updates automatically (recommended)
    (you can always select manual updates the next day)
At the top toolbar click Scanner, then the Settings tab
    Under How to act? set Default action for detected malware to Quarantine
    Under How to scan all boxes should be checked
    Under Possibly unwanted software all boxes should be checked
    Under Reports select Automatically generate report after every scan
    Uncheck Only if threats were found
    Under What to scan, Scan every file should be highlighted
Exit Ewido (Do not run it yet)

Next We need to make sure we can see hidden files and folders
    Click Start.
    Click My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Uncheck the Hide file extensions for known file types.
    Click OK.

Next Re run Hijackthis (scan only)
Place checks beside the following entries
    O2 - BHO: (no name) - {85F6D407-98AE-B49C-3FB3-B7D329D7DDBE} - (no file)
    O3 - Toolbar: Protection Bar - {d1ac752e-883f-4ed8-8828-b618c3a72152} - C:\Program Files\IntCodec\iesplugin.dll (file missing)
    O4 - HKCU\..\Run: [OnlineBows] C:\DOCUME~1\GARYRO~1.MER\APPLIC~1\DEFAUL~1\flagloud.exe
close all other open windows except Hijackthis and select "Fix checked"
If prompted to reboot your PC select No and close Hijackthis

Next Using Windows Search (Start->>Search)
Locate and delete the following file
    flagloud.exe
Close Search

Next Reboot your PC into Safe Mode
    This can be done by restarting your PC
    Then after it starts, but before you see the Windows splash screen,
    Tap the F8 key twice a second until you arrive at another menu screen
    Use your arrow keys->>Select Safe Mode->>Enter
Run Ewido
    Click scanner
    Select Complete system scan
Once the scan finishes
    Select Apply all actions (The items found will be quarantined)
    Click save report as (Another window will open)
    Save it to your desktop
    (By default It will be saved in the Ewido folder as)
    C:\Program Files\ewido anti-spyware 4.0\Reports
Exit Ewido

Reboot your PC in Normal Mode

    Double click the report-scan .txt you saved to your desktop
    It will open in Notepad
    Copy and paste that report as a reply to this thread
Do not run any other options until instructed to do so

Next Re Run Hijackthis and post a fresh Hijackthis log

Your reply should include
    Your Ewido report_scan.txt log
    A fresh Hijackthis log

Thanks bamajim
bamajim
Visiting Staff
 
Posts: 1138
Joined: February 3rd, 2006, 11:09 am
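The three entries bamajim singles out above (a BHO with no backing file, a toolbar whose DLL is missing, and a Run key that launches an executable from the user's Application Data folder) are exactly the kind of thing a triage script can pick out of a HijackThis log. The following Python is an added example, not a tool from this thread or from the HijackThis project; its sample lines are copied from the 31/07/2006 log posted above, and the heuristics are this example's own, deliberately conservative rules (a verdict of "suspicious" means "worth a helper's attention", not a confirmed infection).

```python
"""Triage heuristics for HijackThis v1.99.1 log entries (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: six entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {85F6D407-98AE-B49C-3FB3-B7D329D7DDBE} - (no file)
O3 - Toolbar: Protection Bar - {d1ac752e-883f-4ed8-8828-b618c3a72152} - C:\Program Files\IntCodec\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [OnlineBows] C:\DOCUME~1\GARYRO~1.MER\APPLIC~1\DEFAUL~1\flagloud.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5BF4DBB-A515-4763-B2E7-CAE67C1D8B21}: NameServer = 80.225.255.185 80.225.255.177
"""

CLSID = r"\{[0-9A-Fa-f-]+\}"
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
BHO_RE = re.compile(rf"^BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$")
TOOLBAR_RE = re.compile(rf"^Toolbar: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>.+)$")
# Executables living under a user's Application Data / Local Settings folders
# (long or 8.3 short names) are unusual for legitimate startup items.
USER_DATA_RE = re.compile(
    r"(documents and settings|docume~1)\\[^\\]+\\(application data|applic~1|local settings|locals~1)\\",
    re.IGNORECASE,
)


@dataclass
class Finding:
    section: str   # "O2", "O3", "O4", ...
    verdict: str   # "ok", "review", "suspicious" or "unclassified"
    reason: str
    line: str      # the original log line, as it would appear in a "fix checked" list


def _missing_file(path: str) -> bool:
    return path == "(no file)" or "(file missing)" in path


def classify(section: str, body: str) -> tuple[str, str]:
    """Return (verdict, reason) for one entry; body is the text after 'Oxx - '."""
    if section in ("O2", "O3"):
        m = (BHO_RE if section == "O2" else TOOLBAR_RE).match(body)
        if m is None:
            return "unclassified", "unparsed entry"
        if _missing_file(m["path"]):
            return "suspicious", "CLSID still registered but its DLL is gone (orphaned add-on)"
        if m["name"] == "(no name)":
            return "review", "unnamed add-on; check which product installed the DLL"
        return "ok", "named add-on backed by a file; confirm it belongs to installed software"
    if section == "O4":
        m = RUN_RE.match(body)
        if m and USER_DATA_RE.search(m["cmd"]):
            return "suspicious", "startup item launches an executable from a user profile data folder"
        return "ok", "startup item outside user data folders; verify the publisher"
    if section == "O17":
        m = NAMESERVER_RE.search(body)
        if m:
            return "review", f"DNS servers set to {m['servers']}; confirm these are your ISP's"
    return "unclassified", "no heuristic for this section"


def triage(log_text: str) -> list[Finding]:
    """Classify every 'Oxx - ' entry in a HijackThis log; other lines are ignored."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m is None:
            continue
        verdict, reason = classify(m.group(1), m.group(2))
        findings.append(Finding(m.group(1), verdict, reason, line))
    return findings


def fix_list(log_text: str) -> list[str]:
    """The entries a helper would list for 'Fix checked': the suspicious ones only."""
    return [f.line for f in triage(log_text) if f.verdict == "suspicious"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.verdict:>12}] {f.section}: {f.reason}")
    print("\nCandidates for 'Fix checked':")
    for line in fix_list(SAMPLE_LOG):
        print("   ", line)
```

Run against the sample, the three "suspicious" lines are the same three entries bamajim asks Gman to fix, while the AVG startup item comes out "ok" and the O17 DNS entry is only flagged for review.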

Unread postby Gman » August 1st, 2006, 3:30 pm

+ Created at: 19:38:59 01/08/2006

+ Scan result:



C:\Documents and Settings\Gary Rodger.MERCURY\Desktop\TUNES\Incomplete\T-535082-(Edit LDT ) The Roots.zip/Video.exe -> Dropper.WinAD.h : No action taken.
C:\Documents and Settings\Gary Rodger.MERCURY\Cookies\gary rodger@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Gary Rodger.MERCURY\Cookies\gary rodger@premiumtv.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Gary Rodger\Cookies\gary rodger@122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Gary Rodger.MERCURY\Cookies\gary rodger@adrevolver[2].txt -> TrackingCookie.Adrevolver : No action taken.
C:\Documents and Settings\Gary Rodger.MERCURY\Cookies\gary rodger@adtech[2].txt -> TrackingCookie.Adtech : No action taken.
C:\Documents and Settings\Gary Rodger.MERCURY\Cookies\gary rodger@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Gary Rodger.MERCURY\Cookies\gary rodger@bfast[2].txt -> TrackingCookie.Bfast : No action taken.
C:\Documents and Settings\Gary Rodger.MERCURY\Cookies\gary rodger@casalemedia[2].txt -> TrackingCookie.Casalemedia : No action taken.
C:\Documents and Settings\Gary Rodger\Cookies\gary rodger@cz3.clickzs[2].txt -> TrackingCookie.Clickzs : No action taken.
C:\Documents and Settings\Gary Rodger.MERCURY\Cookies\gary rodger@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Gary Rodger\Cookies\gary rodger@e-2dj6wjkyuoajccq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Gary Rodger.MERCURY\Cookies\gary rodger@fastclick[1].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Gary Rodger.MERCURY\Cookies\gary rodger@ehg-bskyb.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Gary Rodger\Cookies\gary rodger@image.masterstats[1].txt -> TrackingCookie.Masterstats : No action taken.
C:\Documents and Settings\Gary Rodger.MERCURY\Cookies\gary rodger@mediaplex[2].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Gary Rodger.MERCURY\Cookies\gary rodger@questionmarket[2].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\Gary Rodger.MERCURY\Cookies\gary rodger@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Gary Rodger.MERCURY\Cookies\gary rodger@serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Gary Rodger.MERCURY\Cookies\gary rodger@statcounter[2].txt -> TrackingCookie.Statcounter : No action taken.
C:\Documents and Settings\Gary Rodger.MERCURY\Cookies\gary rodger@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Gary Rodger.MERCURY\Cookies\gary rodger@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Gary Rodger.MERCURY\Cookies\gary rodger@valueclick[1].txt -> TrackingCookie.Valueclick : No action taken.
C:\Documents and Settings\Gary Rodger.MERCURY\Cookies\gary rodger@valueclick[2].txt -> TrackingCookie.Valueclick : No action taken.
C:\Documents and Settings\Gary Rodger.MERCURY\Cookies\gary rodger@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : No action taken.
C:\Documents and Settings\Gary Rodger\Cookies\gary rodger@programs.wegcash[2].txt -> TrackingCookie.Wegcash : No action taken.
C:\Documents and Settings\Gary Rodger\Cookies\gary rodger@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Gary Rodger.MERCURY\Cookies\gary rodger@zedo[1].txt -> TrackingCookie.Zedo : No action taken.
C:\Documents and Settings\Gary Rodger\Local Settings\Temporary Internet Files\Content.IE5\JZPZNX0W\hosts[1].txt -> Trojan.Qhost.dx : No action taken.


::Report end



Logfile of HijackThis v1.99.1
Scan saved at 19:44:00, on 01/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearchIndexer.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Toolbar Suite\SL\02.05.0001.1119\en-gb\msn_sl.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DIALux 3.1 ULDBrowserHelper Class - {69AB812A-8CE4-4BF3-B49B-3B60A9F31FB2} - C:\Program Files\DIALux\DLXShellExtension.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OCAudioIni] C:\Program Files\One-click Audio Converter\OCAudioIni.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: Shortcut to gla-engineer.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?8a5e16614bd7458184894e36912bc7a
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?8a5e16614bd7458184894e36912bc7a
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0793692296
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://join-test.webex.com/client/v_my ... eatgpc.cab
O18 - Protocol: dialux - {8352FA4C-39C6-11D3-ADBA-00A0244FB1A2} - C:\Program Files\DIALux\DLXToolBox.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

thanks
Gman
Active Member
 
Posts: 7
Joined: July 27th, 2006, 4:18 pm

Unread postby bamajim » August 1st, 2006, 10:45 pm

Gman

Thanks for the reports

First Download CCleaner from here to clean temp files from your computer.
    Double click on the file to start the installation of the program.
    Select your language and click OK, then next.
    Read the license agreement and click I Agree.
    Click next to use the default install location. Click Install then finish to complete installation

Double click the CCleaner shortcut on the desktop to start the program.
    On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
    If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
    Click on the "Options" icon at the left side of the window, then click on "Advanced."
    Deselect "Only delete files in Windows Temp folders older than 48 hours."
    Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program

Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
    After CCleaner has completed its process, click Exit
Next Using Windows Explorer
Locate and delete the following file
    C:\Documents and Settings\Gary Rodger.MERCURY\Desktop\TUNES\Incomplete\T-535082 <<-This is what caused the infection->>
Close Windows Explorer

Next Open Ewido, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Delete".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"
Close Ewido

Next Reboot into Safe mode

Run Ewido (We are going to change some settings)
    Click scanner
    Select Complete system scan
Once the scan finishes
    Select Apply all actions (The items found will be quarantined)
    Click save report as (Another window will open)
    Save it to your desktop
    (By default It will be saved in the Ewido folder as)
    C:\Program Files\ewido anti-spyware 4.0\Reports
Exit Ewido

Reboot your PC in Normal Mode
    Double click the report-scan .txt you saved to your desktop
    It will open in Notepad
    Save that report for the time being
Run an online virus scan called Kaspersky from HERE.
    1. Click on "Kaspersky Online Scanner"
    2. A new smaller window will pop up. After reading the contents, press "Accept".
    3. Now Kaspersky will update the anti-virus database. Let it run.
    4. Click on "Next"->>"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
    5. Then click on "My Computer". And the scan will start.
    6. Once finished, save a log as ".txt" to the desktop.

Copy and post the results of the Kaspersky Online scan

Also in your reply give me an update on how your PC is running

thanks bamajim

Unread postby Gman » August 2nd, 2006, 5:14 pm

Hi there Bamajim, my machine has stopped the pop-ups and exclamation window in my task bar; it's running OK, so thanks.

Here is the Kaspersky log

Gman


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, August 02, 2006 10:09:11 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 2/08/2006
Kaspersky Anti-Virus database records: 211688
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 95672
Number of viruses found: 10
Number of infected objects: 25 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:23:46

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1a0b22b1ea10cef8bdab62248b51e94f_87ff7bad-db4f-492b-a8c8-eccd94925bdc Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\body each long license\rulehole.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Application Data\AVG7\Log\emc.log Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Application Data\BitTorrent\bittorrent.log Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Application Data\DefaultCoolWarn\ewrfxgat.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Application Data\DefaultCoolWarn\flagloud.exe Infected: Trojan-Downloader.Win32.Swizzor.fh skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Application Data\DefaultCoolWarn\fuhswwnk.exe Infected: Trojan-Downloader.Win32.Swizzor.dv skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Application Data\DefaultCoolWarn\setupsoftamen.exe Infected: Trojan-Downloader.Win32.Swizzor.fg skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Application Data\DefaultCoolWarn\xzakypeq.exe Infected: Trojan-Downloader.Win32.Swizzor.eu skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Desktop\Gazzas Stuff\Temp Downloads\netpumper-1.25-setup.exe/data0079 Infected: not-a-virus:AdWare.Win32.Lop.ai skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Desktop\Gazzas Stuff\Temp Downloads\netpumper-1.25-setup.exe Inno: infected - 1 skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\GatherLogs\MyIndex\MyIndex.112.Crwl Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\GatherLogs\MyIndex\MyIndex.112.gthr Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\CiFiles\00010001.ci Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\CiFiles\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\NlFiles\CiST0000.000 Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\NlFiles\DocId.Map Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.chk1.gthr Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.chk2.gthr Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.Dir Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h0 Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h0.Dir Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h1 Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h1.Dir Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h3 Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h4A Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h4A.Dir Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h4B Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h4B.Dir Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.idx Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Idm.gthr Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Ntfy637.gthr Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Properties\MSS.log Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Properties\MSStmp.log Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Properties\RSApp.edb Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Properties\tmp.edb Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Logs\MAPI.txt Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Temp\rssgthrsvc\Ntf2.tmp Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Temp\rssgthrsvc\Ntf3.tmp Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Desktop Search\Temp\rssgthrsvc\Perflib_Perfdata_864.dat Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Gary Rodger.MERCURY\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Wise Installation Wizard\WISCDEBF9E7BCEB43A7986CE66377C28ABC_1_0_0.MSI/Cabs.w1.cab/loadadv458.exe Infected: Trojan-Downloader.Win32.Agent.xq skipped
C:\Program Files\Common Files\Wise Installation Wizard\WISCDEBF9E7BCEB43A7986CE66377C28ABC_1_0_0.MSI/Cabs.w1.cab Infected: Trojan-Downloader.Win32.Agent.xq skipped
C:\Program Files\Common Files\Wise Installation Wizard\WISCDEBF9E7BCEB43A7986CE66377C28ABC_1_0_0.MSI Embedded: infected - 2 skipped
C:\Program Files\NetPumper\ZM\NP_0001_1.exe Infected: not-a-virus:AdWare.Win32.Lop.ai skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{059647FF-6405-4600-8D83-CD74A1755F81}\RP48\A0002214.msi/Cabs.w1.cab/loadadv458.exe Infected: Trojan-Downloader.Win32.Agent.xq skipped
C:\System Volume Information\_restore{059647FF-6405-4600-8D83-CD74A1755F81}\RP48\A0002214.msi/Cabs.w1.cab Infected: Trojan-Downloader.Win32.Agent.xq skipped
C:\System Volume Information\_restore{059647FF-6405-4600-8D83-CD74A1755F81}\RP48\A0002214.msi Embedded: infected - 2 skipped
C:\System Volume Information\_restore{06BE1E33-9F78-43AA-A8F1-D2816D7FB083}\RP297\A0033493.dll Infected: Trojan-Downloader.Win32.Zlob.yt skipped
C:\System Volume Information\_restore{06BE1E33-9F78-43AA-A8F1-D2816D7FB083}\RP298\A0033534.dll Infected: Trojan-Downloader.Win32.Zlob.yt skipped
C:\System Volume Information\_restore{06BE1E33-9F78-43AA-A8F1-D2816D7FB083}\RP298\A0033551.exe Infected: Trojan-Downloader.Win32.Swizzor.fg skipped
C:\System Volume Information\_restore{06BE1E33-9F78-43AA-A8F1-D2816D7FB083}\RP298\A0033557.dll Infected: Trojan-Downloader.Win32.Zlob.yt skipped
C:\System Volume Information\_restore{06BE1E33-9F78-43AA-A8F1-D2816D7FB083}\RP298\A0033603.dll Infected: Trojan-Downloader.Win32.Zlob.yt skipped
C:\System Volume Information\_restore{06BE1E33-9F78-43AA-A8F1-D2816D7FB083}\RP298\A0033641.dll Infected: Trojan-Downloader.Win32.Zlob.yt skipped
C:\System Volume Information\_restore{06BE1E33-9F78-43AA-A8F1-D2816D7FB083}\RP298\A0033672.dll Infected: Trojan-Downloader.Win32.Zlob.yt skipped
C:\System Volume Information\_restore{06BE1E33-9F78-43AA-A8F1-D2816D7FB083}\RP298\A0033690.exe Infected: Trojan-Downloader.Win32.Zlob.yt skipped
C:\System Volume Information\_restore{06BE1E33-9F78-43AA-A8F1-D2816D7FB083}\RP300\A0033837.dll Infected: not-virus:Hoax.Win32.Renos.ea skipped
C:\System Volume Information\_restore{06BE1E33-9F78-43AA-A8F1-D2816D7FB083}\RP302\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\ieatgpc.dll Infected: not-a-virus:AdWare.Win32.WebEx.d skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{8AE7F2A2-E3ED-47CC-9CF6-5984D5C648B6}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
Gman

Unread postby bamajim » August 3rd, 2006, 11:12 am

Gman

Glad to hear it. We still have a few things to clean up

First Go to Add/remove programs
And Uninstall the following program
    WebEx
Next Using Windows Explorer
Locate and delete the following folders
    C:\Documents and Settings\Gary Rodger.MERCURY\Desktop\Gazzas Stuff\Temp Downloads\netpumper
    C:\Program Files\NetPumper
    C:\Documents and Settings\Gary Rodger.MERCURY\Application Data\DefaultCoolWarn
    C:\Documents and Settings\All Users.WINDOWS\Application Data\body each long license
Locate and delete the following file
    C:\Program Files\Common Files\Wise Installation Wizard\WISCDEBF9E7BCEB43A7986CE66377C28ABC_1_0_0.MSI

Exit Search->> Reboot your PC->> Rerun HijackThis and post one more fresh log please

thanks bamajim
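bamajim's cleanup list above is built by reading the Kaspersky report: the "Object is locked skipped" lines are files the scanner could not open (registry hives, event logs, index.dat) and are not detections; the entries worth acting on are the "Infected:" lines, grouped by folder, with an object nested inside an installer reported as "outer/inner" so the on-disk target is the installer itself (the .MSI in the list above). As an added example, not code from the thread, from bamajim or from Kaspersky, here is a small Python triage script that does that sorting on a constructed sample in the same report format. The sample paths are placeholders (user folder "User", installer "WISC0000.MSI", a zeroed restore-point GUID); the detection names are the ones seen in the report. Copies under System Volume Information are set aside rather than listed for deletion, because restore-point snapshots cannot be deleted directly and only go away when the restore data is flushed.

```python
"""Triage a Kaspersky Online Scanner text report into a cleanup list.

Added example for this thread; it is not code from the forum or from
Kaspersky. The report format it reads is the one pasted above: one object
per line, a path followed by a verdict. The sample report below is
constructed (user folder 'User', installer name 'WISC0000.MSI' and the
restore-point GUID are placeholders); the detection names are the ones
seen in the thread.
"""
import ntpath
import re
from collections import defaultdict

LOCKED_SUFFIX = " Object is locked skipped"  # scanner could not open it; not a detection
DETECTION_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+) skipped$")
RESTORE_PREFIX = r"C:\System Volume Information\_restore"
RISKWARE_PREFIXES = ("not-a-virus:", "not-virus:")

# Constructed sample, modelled on the report above (placeholder paths).
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\User\Application Data\DefaultCoolWarn\flagloud.exe Infected: Trojan-Downloader.Win32.Swizzor.fh skipped
C:\Documents and Settings\User\Application Data\DefaultCoolWarn\ewrfxgat.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Program Files\Common Files\Wise Installation Wizard\WISC0000.MSI/Cabs.w1.cab/loadadv458.exe Infected: Trojan-Downloader.Win32.Agent.xq skipped
C:\Program Files\Common Files\Wise Installation Wizard\WISC0000.MSI/Cabs.w1.cab Infected: Trojan-Downloader.Win32.Agent.xq skipped
C:\Program Files\Common Files\Wise Installation Wizard\WISC0000.MSI Embedded: infected - 2 skipped
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP298\A0033534.dll Infected: Trojan-Downloader.Win32.Zlob.yt skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""


def classify(name):
    """Kaspersky prefixes adware/hoax/riskware with 'not-a-virus:' or 'not-virus:'."""
    return "adware/riskware" if name.startswith(RISKWARE_PREFIXES) else "malware"


def parse_report(text):
    """Return (detections, restore_points, locked_count).

    detections and restore_points map an on-disk path to the set of
    detection names reported for it. An object inside an archive or
    installer is reported as 'outer/inner' with forward slashes (Windows
    paths use backslashes), so the on-disk file is everything before the
    first '/'. Copies inside System Restore snapshots are kept apart: they
    cannot be deleted directly and are only removed by flushing the
    restore data, which is a separate step.
    """
    detections = defaultdict(set)
    restore_points = defaultdict(set)
    locked = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(LOCKED_SUFFIX):
            locked += 1
            continue
        m = DETECTION_RE.match(line)
        if m is None:
            continue  # header, statistics, or a container summary ('Embedded: infected - 2')
        on_disk = m.group("obj").split("/", 1)[0]
        bucket = restore_points if on_disk.startswith(RESTORE_PREFIX) else detections
        bucket[on_disk].add(m.group("name"))
    return dict(detections), dict(restore_points), locked


def group_by_directory(detections):
    """Group detected files by folder, which is how the cleanup list is written."""
    groups = defaultdict(list)
    for path in sorted(detections):
        groups[ntpath.dirname(path)].append(ntpath.basename(path))
    return dict(groups)


if __name__ == "__main__":
    found, in_restore, locked = parse_report(SAMPLE_REPORT)
    print(f"{locked} locked objects ignored; {len(in_restore)} restore-point copies set aside")
    for folder, files in group_by_directory(found).items():
        print(folder)
        for f in files:
            kinds = ", ".join(classify(n) for n in found[ntpath.join(folder, f)])
            print(f"    {f}  [{kinds}]")
```

Run it as-is to see the grouped list for the sample; to use it on a real report, paste the saved .txt into SAMPLE_REPORT or read it from a file. The two "Object is locked" lines are counted and dropped, the three nested lines for the installer collapse onto the single .MSI file, and the restore-point DLL is reported separately instead of as a delete target.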

Unread postby 'KotaGuy » August 15th, 2006, 6:24 pm

This topic is now closed due to inactivity. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.