Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Malware Removal

Started by gmmartin , Mar 08 2006 10:48 PM

  • Please log in to reply

#1
gmmartin
Posted 08 March 2006 - 10:48 PM

gmmartin

    New Member

  • Member
  • Pip
  • 7 posts
I completed all the steps in the malware removal instructions. Attached are my logs. Right now I can't access the internet on my computer. I'm typing this from a different one.
Please let me know what I need to do next.
Thanks

Logfile of HijackThis v1.99.1
Scan saved at 6:57:00 PM, on 3/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Content Filter\TheApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Plaxo\2.6.2.7\PlaxoHelper.exe
C:\WINNT\system32\basfipm.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\System32\bcmwltry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mark P. Carter\Local Settings\Temporary Internet Files\Content.IE5\QZA3ULMF\titan6shuk[1].exe
C:\DOCUME~1\MARKP~1.CAR\LOCALS~1\Temp\WZSE0.TMP\install.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\DOCUME~1\MARKP~1.CAR\LOCALS~1\Temp\WZSE0.TMP\SETUP.EXE
C:\DOCUME~1\MARKP~1.CAR\LOCALS~1\Temp\WZSE0.TMP\SETUP.EXE
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\FIREWALL\PPFW.exe
C:\Documents and Settings\Mark P. Carter\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....B_PVER}&ar=home
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINNT\system32\msvcmm32.exe
O4 - HKLM\..\Run: [ICF] "C:\Program Files\Internet Content Filter\TheApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.7\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Free DVD Direct] C:\Program Files\Free DVD Direct\Free DVD Direct\FreeDVDDirect.exe /hide
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'icf.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = med-web.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = med-web.com
O20 - Winlogon Notify: avldr - C:\WINNT\SYSTEM32\avldr.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Iap - Dell Computer Corporation - c:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Movielink Core Service - Movielink LLC - C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE


Incident Status Location

Adware:adware/cws Not disinfected C:\Documents and Settings\Mark P. Carter\Favorites\Technology
Adware:adware/spyfalcon Not disinfected Windows Registry
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p. carter@belnk[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p. carter@ccbill[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p. carter@go[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p. carter@rn11[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p. carter@toplist[1].txt
Spyware:Cookie/Spyfalcon Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt
Spyware:Cookie/Buydomains Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p[13].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p[21].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p. carter@belnk[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p. carter@ccbill[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p. carter@go[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p. carter@rn11[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p. carter@toplist[1].txt
Spyware:Cookie/Spyfalcon Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt
Spyware:Cookie/Buydomains Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p[13].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Mark P. Carter\Cookies\mark p[21].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Mark P. Carter\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Mark P. Carter\Desktop\smitRem.exe[Process.exe]


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:08:27 PM, 3/8/2006
+ Report-Checksum: DA203C4E

+ Scan result:

HKU\S-1-5-21-1520780970-885471098-231371515-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22} -> Adware.Generic : Cleaned with backup
[1264] C:\WINNT\system32\ginuerep.dll -> Not-A-Virus.Hoax.Win32.Renos.bs : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. carter@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. carter@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. carter@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. carter@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt -> TrackingCookie.Belstat : Cleaned with backup
C:\Documents and Settings\Mark P. Carter\Cookies\mark p. [email protected][1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\WINNT\SYSTEM32\ginuerep.dll -> Not-A-Virus.Hoax.Win32.Renos.bs : Cleaned with backup


::Report End
  • 0

Advertisements

#2
rstones12
Posted 08 March 2006 - 11:53 PM

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
gmmartin,

Welcome to the GTG Forums, I will be reviewing your HJT log.
Please read "ALL" of the instructions before proceeding:

You will need to print out these instructions for a reference or you can
save them by copying and pasting them into notepad and saving the text file to the desktop.

This process will take a few steps, please take your time and follow the directions in the order posted.

Please do not try to fix anything on your own, it will only make it harder to get you a resolution.
If you don't understand something, please ask before performing any task..


OK, lets move on:

You will need to download and burn/copy these files either to a CD, USB Device or even a floppy disk, then transfer them over to the infected machine.

Please download ATF Cleaner by Atribune and save that file and transfer it to the media of your choice. You will then have to transfer this to the infected machine.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

After running the ATF Cleaner, please do the following:
  • Please download LSPFix from here.
  • With the same method of copying it to the media of choice, then transfering it to the infected machine.
  • Run the LSPFix.exe that you have just finished downloading.
  • Check the I know what I'm doing box.
  • DO NOT move any files to the "Remove" box.
  • When you are done click Finish>>.
Reboot your system and see if you are able to access the Internet, if you can post a new HijackThis log from that system by using Add Reply.

Thanks,
rstones12
  • 0

#3
gmmartin
Posted 09 March 2006 - 02:22 PM

gmmartin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
After doing the ATF Cleaner and the LSPFIX I rebooted the computer and still cannot connect to the internet. I noticed the IE Browser is trying to connect to 72.14.203.99 rather than my default of Google. I've tried not to let it search too long since I'm not sure what that IP is.

Here is the HJT log I just ran:

Logfile of HijackThis v1.99.1
Scan saved at 3:13:21 PM, on 3/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE
C:\Program Files\Internet Content Filter\TheApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Plaxo\2.6.2.7\PlaxoHelper.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
C:\WINNT\system32\basfipm.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
C:\WINNT\system32\wdfmgr.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\System32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\alg.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Mark P. Carter\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....B_PVER}&ar=home
R3 - Default URLSearchHook is missing
O3 - Toolbar: Safe &Eyes Toolbar - {430DDB4F-38CC-4E91-AF33-4157334EC937} - C:\Program Files\Internet Content Filter\setoolbar.dll
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINNT\system32\msvcmm32.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [ICF] "C:\Program Files\Internet Content Filter\TheApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.7\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Free DVD Direct] C:\Program Files\Free DVD Direct\Free DVD Direct\FreeDVDDirect.exe /hide
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = med-web.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = med-web.com
O20 - Winlogon Notify: avldr - C:\WINNT\SYSTEM32\avldr.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Iap - Dell Computer Corporation - c:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Movielink Core Service - Movielink LLC - C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE
  • 0

#4
rstones12
Posted 10 March 2006 - 12:39 AM

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
gmmartin,

How does that system connect to the Internet, dial up or broadband (dsl/cable).

For this entry:

72.14.203.99

It is Google..

http://www.dnsstuff.com/tools/whois.ch?ip=72.14.203.99

This shouldn't be stopping you from connecting to the Internet, but please follow these instructions below. You will have to follow the same procedure as before and transfer this over to the infected system.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
We will work on getting you connected next.

Thanks,
rstones12
  • 0

#5
gmmartin
Posted 10 March 2006 - 09:47 AM

gmmartin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
My system connects via a wireless home network and a cable (broadband) modem. The funny thing is that my desktop can communicate over the network with the files on the laptop (the one with the problem) and vice versa. I can also send and receive email through Outlook on the laptop but simply cannot access the internet through Internet Explorer.


VundoFix V4.2.30
Scan started at 10:39:12 AM 3/10/2006

Listing files found while scanning....


No infected files were found.

Logfile of HijackThis v1.99.1
Scan saved at 10:42:08 AM, on 3/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE
C:\Program Files\Internet Content Filter\TheApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Plaxo\2.6.2.7\PlaxoHelper.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
C:\WINNT\system32\basfipm.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
C:\WINNT\system32\wdfmgr.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\System32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\alg.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINNT\system32\wscntfy.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Documents and Settings\Mark P. Carter\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....B_PVER}&ar=home
R3 - Default URLSearchHook is missing
O3 - Toolbar: Safe &Eyes Toolbar - {430DDB4F-38CC-4E91-AF33-4157334EC937} - C:\Program Files\Internet Content Filter\setoolbar.dll
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINNT\system32\msvcmm32.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [ICF] "C:\Program Files\Internet Content Filter\TheApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.7\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Free DVD Direct] C:\Program Files\Free DVD Direct\Free DVD Direct\FreeDVDDirect.exe /hide
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = med-web.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = med-web.com
O20 - Winlogon Notify: avldr - C:\WINNT\SYSTEM32\avldr.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Iap - Dell Computer Corporation - c:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Movielink Core Service - Movielink LLC - C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE
  • 0

#6
rstones12
Posted 10 March 2006 - 10:11 AM

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
gmmartin,

You may need to adjust your firewall settings, check and see if Internet Explorer has access to the Internet.

Did you install this program, I am not familiar with it.

C:\Program Files\Internet Content Filter\TheApp.exe

Open HijackThis and perform a scan only, then place a checkmark next to the following items:

R3 - Default URLSearchHook is missing

Close all browsers and open windows except for HijackThis, then click the Fix Checked button, once that completes close HijackThis.


Thanks,
rstones12
  • 0

#7
gmmartin
Posted 10 March 2006 - 01:10 PM

gmmartin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
TheApp.exe is a filter from SafeEyes that I've been using for a couple of years. I disabled it to see if it might be causing a problem but nothing changed so I enabled it again. I'll try the HJT and let you know.
Thanks for the help
  • 0

#8
gmmartin
Posted 10 March 2006 - 01:17 PM

gmmartin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I did the HJT as you instructed and still no change with IE. You asked if IE has access to the internet and I'm not sure how I check that. Again I have access through Outlook on the same computer. But when I open IE it just seems to go no where. I've tried a few other websites and nothing seems to work.
  • 0

#9
rstones12
Posted 11 March 2006 - 10:42 AM

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
gmmartin,

Are you still having issues with accessing the Internet? Have you checked the settings in your Panda Firewall?

Thanks,
rstones12
  • 0

#10
gmmartin
Posted 11 March 2006 - 11:51 AM

gmmartin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Yes, I'm still having issues accessing the internet. I have turned off the Panda firewall and it doesn't have any effect. Should I remove Panda completely? I'm just using the trial version and thought I would change to AVG once the trial is up. I run AVG on my desktop.
  • 0

#11
gmmartin
Posted 11 March 2006 - 12:15 PM

gmmartin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I just removed Panda and now have no problem connecting to the internet. I'll try adding AVG and see if that creates any problem.
Thanks for your help
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP