Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Malware/Spyware/Adware issues [CLOSED]

Started by Epyon700 , Aug 06 2007 11:13 AM

  • This topic is locked This topic is locked

#16
MoNsTeReNeRgY22
Posted 12 August 2007 - 05:38 PM

MoNsTeReNeRgY22

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,539 posts
Hey Epyon700,

1)Jotti File Submission:

Please go to Jotti's malware scan

Copy and paste the following file path into the "File to upload & scan"box on the top of the page:

C:\Program Files\Internet Explorer\wolyzim22011.exe

Click on the submit button

Please post the results in your next reply.

2)Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

3)Please re-open Hijackthis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [{9B-B3-30-0A-ZN}] C:\DOCUME~1\JONATH~1\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [wolyzim] C:\Program Files\Internet Explorer\wolyzim22011.exe
O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\YMANTE~1\nslookup.exe" -vt yazb
O4 - HKCU\..\Run: [Abqrimo] "C:\Documents and Settings\Jonathan Jones\My Documents\??stem32\j?vaw.exe"
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.1\webbuying.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Jonathan Jones\Local Settings\Temp\thinksnet.exe

Now close all windows other than Hijackthis, then click Fix Checked. Close Hijackthis.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Web Buying

Please note any other programs that you dont recognize in that list in your next response

4)Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

5)Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Documents and Settings\Jonathan Jones\My Documents\??stem32

6)Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Web Buying
    C:\DOCUME~1\JONATH~1\LOCALS~1\Temp
    C:\PROGRA~1\YMANTE~1
    C:\WINDOWS\tk58.exe
    C:\WINDOWS\SYSTEM32\DVCStateBkp-{00000004-00000000-00000001-00001102-00000004-20061102}.dat
    C:\WINDOWS\SYSTEM32\DVCState-{00000004-00000000-00000001-00001102-00000004-20061102}.dat

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

7)Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum along with a fresh HJT Log. Reboot into Normal Mode.

Download and Save Blacklight to your desktop (choose "I ACCEPT" then click "DOWNLOAD" on the website).

Double-click fsbl.exe then accept the agreement, click > "Scan" then > "Next".

You'll see a list of all items found. There will also be a log on your desktop with the name "fsbl.xxxxxxxxxxxxxx.log" (the xxxxxxxxxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

8)Please post the following in your next reply
  • Jotti Log
  • OTMoveIt Log
  • BlackLight Log
  • Fresh HJT Log
  • Update on how things are running

  • 0

Advertisements

#17
Epyon700
Posted 26 August 2007 - 05:45 PM

Epyon700

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hello!!!

Scan taken on 26 Aug 2007 23:13:49 (GMT)
A-Squared
Found Adware.Win32.TTC.c
AntiVir
Found TR/Dldr.AW.awk
ArcaVir
Found Trojan.Agent.Virut.Ttx
Avast
Found nothing
AVG Antivirus
Found Generic2.JSI
BitDefender
Found Adware.TTC.B
ClamAV
Found Adware.TTC-1
CPsecure
Found nothing
Dr.Web
Found Adware.Ttc
F-Prot Antivirus
Found W32/Downldr2.AQJZ
F-Secure Anti-Virus
Found not-a-virus:AdWare.Win32.TTC.c (4, 1, 400)
Fortinet
Found nothing
Kaspersky Anti-Virus
Found not-a-virus:AdWare.Win32.TTC.c
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found Trojan.DL.Win32.Agent.lq
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found AdWare.Win32.TTC.c

File/Folder C:\Program Files\Web Buying not found.
C:\DOCUME~1\JONATH~1\LOCALS~1\Temp\VBE moved successfully.
C:\DOCUME~1\JONATH~1\LOCALS~1\Temp\plugtmp moved successfully.
C:\DOCUME~1\JONATH~1\LOCALS~1\Temp moved successfully.
File/Folder C:\PROGRA~1\YMANTE~1 not found.
File/Folder C:\WINDOWS\tk58.exe not found.
C:\WINDOWS\SYSTEM32\DVCStateBkp-{00000004-00000000-00000001-00001102-00000004-20061102}.dat moved successfully.
C:\WINDOWS\SYSTEM32\DVCState-{00000004-00000000-00000001-00001102-00000004-20061102}.dat moved successfully.

Created on 08/26/2007 19:30:47

08/26/07 19:33:04 [Info]: BlackLight Engine 1.0.64 initialized
08/26/07 19:33:04 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/26/07 19:33:04 [Note]: 7019 4
08/26/07 19:33:04 [Note]: 7005 0
08/26/07 19:33:10 [Note]: 7006 0
08/26/07 19:33:10 [Note]: 7011 1832
08/26/07 19:33:10 [Note]: 7026 0
08/26/07 19:33:10 [Note]: 7026 0
08/26/07 19:33:21 [Note]: FSRAW library version 1.7.1022
08/26/07 19:40:58 [Note]: 2000 1012
08/26/07 19:41:36 [Note]: 7007 0

Logfile of HijackThis v1.99.1
Scan saved at 7:43:52 PM, on 8/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TuneUp Utilities 2007\MemOptimizer.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\IPoint.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Documents and Settings\Jonathan Jones\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.live.com/?mkt=en-us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: (no name) - {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3} - C:\WINDOWS\system32\goncnreo.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: vtstr - C:\WINDOWS\system32\vtstr.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: System Guard(AdwareRemoval) (AdwareRemovalSysGuardService) - Unknown owner - C:\Program Files\EAdwareRemoval\SysGuard.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Things seem to be running sort of the same. The fsbl didn't find anything. When you see black outlines on desktop icons I keep thinking something is still wrong and part of all this.
  • 0

#18
MoNsTeReNeRgY22
Posted 27 August 2007 - 06:58 PM

MoNsTeReNeRgY22

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,539 posts
Hello again,

1)Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3} - C:\WINDOWS\system32\goncnreo.dll
O20 - Winlogon Notify: vtstr - C:\WINDOWS\system32\vtstr.dll (file missing)

Now close all windows other than Hijackthis, then click Fix Checked. Close HijackThis.

2)Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • If it says "No infected files were found", right-click the list box (white box) in the main VundoFix window.
  • Select "Add More Files?" from the menu that comes up.
  • This will open a new VundoFix window that says "Paste files into the boxes below:"
  • In that window, copy and paste the following file path in the first (top) field:
    C:\WINDOWS\system32\goncnreo.dll
  • Now copy and paste the following file path in the second field:
    C:\WINDOWS\system32\vtstr.dll
  • Click the 'Add Files' button.
  • Click the 'Close Window' button.
  • Click the 'Remove Vundo' button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

3)Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply along with the VF Log and a fresh HJT Log.
  • Click Close to exit the program.

  • 0

#19
Epyon700
Posted 30 August 2007 - 03:34 AM

Epyon700

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Sorry took some long! Time makes fools of us all... HA HA..

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/28/2007 at 02:40 AM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 02:30:53

Memory items scanned : 354
Memory threats detected : 0
Registry items scanned : 7448
Registry threats detected : 22
File items scanned : 142177
File threats detected : 87

Adware.Mirar/NetNucleus
HKU\S-1-5-21-1690948688-2764643839-1794254164-1007\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}

Browser Hijacker.Internet Explorer Zone Hijack
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click#https
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click#https
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect#https
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com\awbeta
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com\awbeta#https

Adware.Tracking Cookie
C:\Documents and Settings\Jonathan Jones\Cookies\[email protected][1].txt
C:\Documents and Settings\Jonathan Jones\Cookies\[email protected][1].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][1].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][2].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][2].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][2].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][1].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][2].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][2].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][2].txt
C:\Documents and Settings\Patrica Jones\Cookies\patrica_jones@adecn[1].txt
C:\Documents and Settings\Patrica Jones\Cookies\patrica_jones@adecn[3].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][1].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][2].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][1].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][1].txt
C:\Documents and Settings\Patrica Jones\Cookies\patrica_jones@apmebf[2].txt
C:\Documents and Settings\Patrica Jones\Cookies\patrica_jones@atwola[1].txt
C:\Documents and Settings\Patrica Jones\Cookies\patrica_jones@bizrate[2].txt
C:\Documents and Settings\Patrica Jones\Cookies\patrica_jones@crossmediaservices[2].txt
C:\Documents and Settings\Patrica Jones\Cookies\patrica_jones@crossmediaservices[3].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][2].txt
C:\Documents and Settings\Patrica Jones\Cookies\patrica_jones@directtrack[2].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][1].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][1].txt
C:\Documents and Settings\Patrica Jones\Cookies\patrica_jones@exitexchange[1].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][1].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][1].txt
C:\Documents and Settings\Patrica Jones\Cookies\patrica_jones@imrworldwide[2].txt
C:\Documents and Settings\Patrica Jones\Cookies\patrica_jones@imrworldwide[3].txt
C:\Documents and Settings\Patrica Jones\Cookies\patrica_jones@indextools[2].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][2].txt
C:\Documents and Settings\Patrica Jones\Cookies\patrica_jones@lynxtrack[1].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][2].txt
C:\Documents and Settings\Patrica Jones\Cookies\patrica_jones@mediatraffic[2].txt
C:\Documents and Settings\Patrica Jones\Cookies\patrica_jones@nextag[1].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][2].txt
C:\Documents and Settings\Patrica Jones\Cookies\patrica_jones@partner2profit[1].txt
C:\Documents and Settings\Patrica Jones\Cookies\patrica_jones@partner2profit[2].txt
C:\Documents and Settings\Patrica Jones\Cookies\patrica_jones@precisionclick[1].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][2].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][2].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][1].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][1].txt
C:\Documents and Settings\Patrica Jones\Cookies\patrica_jones@redorbit[1].txt
C:\Documents and Settings\Patrica Jones\Cookies\patrica_jones@roiservice[1].txt
C:\Documents and Settings\Patrica Jones\Cookies\patrica_jones@screensavers[1].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][2].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][3].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][4].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][5].txt
C:\Documents and Settings\Patrica Jones\Cookies\patrica_jones@spamblockerutility[2].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][2].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][1].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][2].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][1].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][3].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][1].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][1].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][2].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][3].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][2].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][1].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][2].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][3].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][4].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][5].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][6].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][7].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][1].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][1].txt
C:\Documents and Settings\Patrica Jones\Cookies\[email protected][2].txt

Trojan.ZenoSearch
C:\WINDOWS\system32\msnav32.ax

Trojan.Downloader-IBM/Shell
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC00
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC00#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC00#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC00#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC00#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC00#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC00#DeviceDesc

Adware.Web Buying
HKU\S-1-5-21-1690948688-2764643839-1794254164-1007\Software\WebBuying

Adware.k8l
C:\PROGRAM FILES\MSN GAMING ZONE\FSOXYR.HTML
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\FSOXYR.HTML.VIR

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1281OINUNINSTALLER.EXE.VIR

Adware.WebBuying Assistant-Installer
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WEB BUYING\V1.8.1\WBUNINST.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WEB BUYING\V1.8.1\WEBBUYING.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP152\A0036279.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP152\A0036280.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP154\A0040797.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP154\A0040798.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP155\A0041974.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP159\A0044270.EXE

Trojan.Downloader-Gen/HitItQuitIt
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP161\A0045367.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP161\A0045368.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP169\A0045612.DLL



VundoFix V6.5.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 10:13:37 AM 8/8/2007

Listing files found while scanning....

C:\windows\system32\awttrsr.dll
C:\windows\system32\cqdrygkh.dll
C:\windows\system32\hkgyrdqc.ini
C:\WINDOWS\system32\kqpxtsnh.dll
C:\windows\system32\mxmlmldx.dll
C:\WINDOWS\system32\rrqss.bak1
C:\WINDOWS\system32\rrqss.ini
C:\WINDOWS\system32\rrqss.ini2
C:\windows\system32\sixjbefh.exe
C:\WINDOWS\system32\ssqrr.dll
C:\windows\system32\vturqoo.dll
C:\WINDOWS\system32\vtuts.dll
C:\WINDOWS\system32\wojeroxx.dll
C:\windows\system32\xdlmlmxm.ini
C:\windows\system32\xxyvvwx.dll
C:\windows\system32\yayvvvv.dll

Beginning removal...

Attempting to delete C:\windows\system32\awttrsr.dll
C:\windows\system32\awttrsr.dll Could not be deleted.

Attempting to delete C:\windows\system32\cqdrygkh.dll
C:\windows\system32\cqdrygkh.dll Has been deleted!

Attempting to delete C:\windows\system32\hkgyrdqc.ini
C:\windows\system32\hkgyrdqc.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\kqpxtsnh.dll
C:\WINDOWS\system32\kqpxtsnh.dll Has been deleted!

Attempting to delete C:\windows\system32\mxmlmldx.dll
C:\windows\system32\mxmlmldx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rrqss.bak1
C:\WINDOWS\system32\rrqss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rrqss.ini
C:\WINDOWS\system32\rrqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rrqss.ini2
C:\WINDOWS\system32\rrqss.ini2 Has been deleted!

Attempting to delete C:\windows\system32\sixjbefh.exe
C:\windows\system32\sixjbefh.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrr.dll
C:\WINDOWS\system32\ssqrr.dll Has been deleted!

Attempting to delete C:\windows\system32\vturqoo.dll
C:\windows\system32\vturqoo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtuts.dll
C:\WINDOWS\system32\vtuts.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wojeroxx.dll
C:\WINDOWS\system32\wojeroxx.dll Has been deleted!

Attempting to delete C:\windows\system32\xdlmlmxm.ini
C:\windows\system32\xdlmlmxm.ini Has been deleted!

Attempting to delete C:\windows\system32\xxyvvwx.dll
C:\windows\system32\xxyvvwx.dll Has been deleted!

Attempting to delete C:\windows\system32\yayvvvv.dll
C:\windows\system32\yayvvvv.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\awttrsr.dll
C:\windows\system32\awttrsr.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.5.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 8:30:00 AM 8/17/2007

Listing files found while scanning....

C:\WINDOWS\system32\acbeg.bak1
C:\WINDOWS\system32\acbeg.bak2
C:\WINDOWS\system32\acbeg.ini
C:\WINDOWS\system32\awtsqnk.dll
C:\WINDOWS\system32\gebca.dll
C:\WINDOWS\system32\vtstr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\acbeg.bak1
C:\WINDOWS\system32\acbeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\acbeg.bak2
C:\WINDOWS\system32\acbeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\acbeg.ini
C:\WINDOWS\system32\acbeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\awtsqnk.dll
C:\WINDOWS\system32\awtsqnk.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\gebca.dll
C:\WINDOWS\system32\gebca.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\acbeg.ini
C:\WINDOWS\system32\acbeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\awtsqnk.dll
C:\WINDOWS\system32\awtsqnk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebca.dll
C:\WINDOWS\system32\gebca.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 9:04:30 AM 8/17/2007

Listing files found while scanning....

C:\WINDOWS\system32\rtstv.bak1
C:\WINDOWS\system32\rtstv.bak2
C:\WINDOWS\system32\rtstv.ini
C:\WINDOWS\system32\vtstr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rtstv.bak1
C:\WINDOWS\system32\rtstv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rtstv.bak2
C:\WINDOWS\system32\rtstv.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rtstv.ini
C:\WINDOWS\system32\rtstv.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 9:26:35 AM 8/17/2007

Listing files found while scanning....

C:\WINDOWS\system32\vtstr.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.5.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 8:28:36 AM 8/23/2007

Listing files found while scanning....

C:\WINDOWS\system32\vtstr.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.5.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 10:51:34 PM 8/27/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 10:55:25 PM 8/27/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\goncnreo.dll
C:\WINDOWS\system32\goncnreo.dll Has been deleted!

Performing Repairs to the registry.
Done!
  • 0

#20
Epyon700
Posted 30 August 2007 - 03:35 AM

Epyon700

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Logfile of HijackThis v1.99.1
Scan saved at 5:35:01 AM, on 8/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\Documents and Settings\Jonathan Jones\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.live.com/?mkt=en-us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: (no name) - {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3} - C:\WINDOWS\system32\goncnreo.dll (file missing)
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vtstr - C:\WINDOWS\system32\vtstr.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: System Guard(AdwareRemoval) (AdwareRemovalSysGuardService) - Unknown owner - C:\Program Files\EAdwareRemoval\SysGuard.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
  • 0

#21
MoNsTeReNeRgY22
Posted 30 August 2007 - 09:10 AM

MoNsTeReNeRgY22

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,539 posts
Good morning Epyon700,

Step 1
Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3} - C:\WINDOWS\system32\goncnreo.dll (file missing)
O20 - Winlogon Notify: vtstr - C:\WINDOWS\system32\vtstr.dll (file missing)

Now close all windows other than Hijackthis, then click Fix Checked. Close HijackThis.

Step 2
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Step 3
Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report, uninstall list, and a fresh DSS log in your next reply.

  • 0

#22
Epyon700
Posted 31 August 2007 - 02:15 AM

Epyon700

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hello dude!!!
I couldn't do the panda thing in firefox due to it not being conpatable with it or IE because the scan button wouldn't work. Almost like it was a picture. The two things you wanted me to get rid of in HiJackthis weren't there but I have the two logs you wanted.

Logfile of HijackThis v1.99.1
Scan saved at 4:06:53 AM, on 8/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jonathan Jones\Desktop\Screenshots\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.live.com/?mkt=en-us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vtstr - C:\WINDOWS\system32\vtstr.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: System Guard(AdwareRemoval) (AdwareRemovalSysGuardService) - Unknown owner - C:\Program Files\EAdwareRemoval\SysGuard.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Sansa Media Converter
Ad-Aware 2007
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash CS3
Adobe Flash CS3 Professional
Adobe Flash Player 9 ActiveX
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Flash Video Encoder
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Reader 6.0.1
Adobe Setup
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
AGEIA PhysX v7.07.09
AVG Anti-Spyware 7.5
Azureus
Best Buy Digital Music Store
Best Buy Rhapsody
Broadcom Advanced Control Suite 2
Canon MP Navigator 2.2
Canon MP530
Canon MP530 User Registration
Canon Utilities Easy-PhotoPrint
CDisplay 1.8
Codec Pack - All In 1 6.0.3.0
Comcast Rhapsody
Creative MediaSource
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Support
Direct Show Ogg Vorbis Filter (remove only)
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Download Accelerator Plus (DAP)
Easy-WebPrint
FinePixViewer Ver.4.2
Fraps (remove only)
Free Mp3 Wma Converter V 1.5.6
FUJIFILM USB Driver
Google Toolbar for Firefox
GTK+ Runtime 2.6.9 rev a (remove only)
HijackThis 1.99.1
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
ICQ6
Intel Application Accelerator
Intel® 537EP V9x DF PCI Modem
Internet Explorer Default Page
iriver Music Manager
iTunes
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 2
Learn2 Player (Uninstall Only)
Malwarebytes' RogueRemover 1.21
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Halo
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft MSDN 2005 Express Edition - ENU
Microsoft National Language Support Downlevel APIs
Microsoft Picture It! Photo Premium 9
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Protection Service
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Streets and Trips 2004
Microsoft Visual C# 2005 Express Edition - ENU
Microsoft Visual C# 2005 Express Edition - ENU
Microsoft Visual C# 2005 Express Edition - ENU Service Pack 1 (KB926749)
Microsoft Visual C++ 2005 Express Edition - ENU
Microsoft Visual C++ 2005 Express Edition - ENU
Microsoft Visual C++ 2005 Express Edition - ENU Service Pack 1 (KB926748)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Web Developer 2005 Express Edition - ENU
Microsoft Visual Web Developer 2005 Express Edition - ENU
Microsoft Visual Web Developer 2005 Express Edition - ENU Service Pack 1 (KB926751)
Microsoft Windows Live OneCare Resources v1.6.2111.30
Microsoft Windows OneCare Live AntiSpyware and AntiVirus
Microsoft Windows OneCare Live v1.6.2111.30
Microsoft Windows OneCare Live v1.6.2111.30 Idcrl Install
Microsoft Word 2002
Microsoft Works
Microsoft Works 2004 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
MicroStaff WINASPI
Modem Event Monitor
Mozilla Firefox (2.0.0.5)
Mozilla Firefox (2.0.0.6)
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Musicmatch for Windows Media Player
MUSICMATCH® Jukebox
Nero - Burning Rom
NVIDIA Drivers
OpenAL
overland
PDF Settings
PowerDVD 5.3
Presto! PageManager 7.15.14
PX Engine
Qualxserve Service Agreement
QuickTime
RealPlayer
Rhapsody Player Engine
ScanSoft OmniPage SE 4.0
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Shockwave
Sound Blaster Audigy 2 ZS
SUPERAntiSpyware Free Edition
System Requirements Lab
Tom Clancy's Splinter Cell Chaos Theory
TuneUp Utilities 2007
Update for Windows XP (KB894391)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB914882)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Viewpoint Media Player
Virtual Earth 3D (Beta)
Visual Web Developer 2005 Express Edition Feature Tour
Watchtower Library 2005 - English Edition
Windows Defender
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live OneCare
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
Yahoo! Messenger
  • 0

#23
MoNsTeReNeRgY22
Posted 31 August 2007 - 08:36 AM

MoNsTeReNeRgY22

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,539 posts
Hello,

Step 1
I see you have Azureus installed on your system.
While the program itself is legal, most of the files downloaded with it are not.
Also, quite often the files can be infected with viruses, malware, and other undesirable applications.
I highly recommend uninstalling Azureus via Add or Remove Programs, but this program is optional for you if you choose to want to keep it.
See HERE for details on P2P file sharing programs.

Step 2
Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Java 2 Runtime Environment, SE v1.4.2_03

Step 3
Since Panda wouldn't work, lets try a different scan.
TrendMicro HouseCall Java Scan
  • Please go HERE to run the Trend Micro™ HouseCall Scan.
  • Click Scan now. It's free!
  • Read and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • Under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.

  • 0

#24
Epyon700
Posted 03 September 2007 - 01:16 PM

Epyon700

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
I like your help a lot but everything we do I still am using too much ram. So I'm asking you as a friend!!! Anyway to do this once and for all?
  • 0

#25
MoNsTeReNeRgY22
Posted 03 September 2007 - 09:19 PM

MoNsTeReNeRgY22

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,539 posts
I don't quite understand what you exactly mean. Do you mean we are taking up too much room on your hard drive, or we are using too much of your system resources(RAM)?
  • 0

Advertisements

#26
Epyon700
Posted 04 September 2007 - 03:26 AM

Epyon700

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Too much system resources. Should windows onecare be using up 400MB? Along with firefox and it using up to 150k?
  • 0

#27
MoNsTeReNeRgY22
Posted 04 September 2007 - 08:49 PM

MoNsTeReNeRgY22

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,539 posts
I honestly don't know that much about Windows Live OneCare, but I do know most AV and AS programs can be resource hogs and take up a lot of memory. As for FireFox, that is quite normal. But if you would like to free up some, lets do he following. It will kill all but the most important processes on your system. After that you may run the online scan from above.

Download ComboFix from Here or Here to your Desktop.
  • Now physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.

    "%userprofile%\desktop\ComboFix.exe" /KillAll

  • Click OK and this will start ComboFix in a special way.
  • You will temporarily lose your desktop while the scan is running. Once the scan is done, your desktop will return to normal.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

You may now connect to the internet, once you are reconnected, please post the CF log and run the scan from above. Also post a new HJT log please.
  • 0

#28
MoNsTeReNeRgY22
Posted 09 September 2007 - 11:59 AM

MoNsTeReNeRgY22

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,539 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP