Hi Jack This Post || Annoying pop up [RESOLVED]


This topic is locked

#1 matt. (Member, 80 posts)

Yeah, I've got some annoying "ouoter info" pop-up. Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:58:56 PM, on 18/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\ASKS~1\services.exe
C:\Documents and Settings\mattmatt\Application Data\?icrosoft.NET\r?ndll.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mattmatt\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=:0
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - blank (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - blank (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Zone Alarm Pro] D:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [Screen shot Utility] D:\Program Files\ScreenShot Utility\ScreenshotUtility.exe
O4 - HKLM\..\Run: [FreeRAM XP Pro] D:\Program Files\FreeRam XP Pro\FreeRAM XP Pro.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] D:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] D:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\6.bin\mwsoemon.exe
O4 - HKLM\..\Run: [spywarefighterguard] C:\Program Files\SPYWAREfighter\spfprc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Eaos] "C:\PROGRA~1\ASKS~1\services.exe" -vt mt
O4 - HKCU\..\Run: [Klnfcmo] C:\Documents and Settings\mattmatt\Application Data\?icrosoft.NET\r?ndll.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\6.bin\mwsoemon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1162
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQLSERVER - Unknown owner - C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe (file missing)
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe (file missing)
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SQLSERVERAGENT - Unknown owner - C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlagent.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


#2 matt. (Topic Starter, 80 posts)

Please help, it's been like 7 hours now....

Edited by matt., 18 May 2006 - 08:46 AM.


#3 Jayzeee (Member 1K, 1,238 posts)

Hi matt. and welcome to Geeks to Go,

I am currently working on a fix for you; as soon as a staff member reviews it, I will post it here.

Thank you for your patience.

#4 Jayzeee (Member 1K, 1,238 posts)

Step 1

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=:0
R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - blank (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - blank (file missing)
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\6.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Klnfcmo] C:\Documents and Settings\mattmatt\Application Data\?icrosoft.NET\r?ndll.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\6.bin\mwsoemon.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1162
O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):

My Web Search
(Wording might vary; it will be something similar.)

Please note any other programs that you don't recognise in that list in your next response.

Please delete these folders using Windows Explorer (if present):

C:\PROGRA~1\MYWEBS~1
C:\Documents and Settings\mattmatt\Application Data\?icrosoft.NET

Please note that these are not the full folder names; just look for the first few letters.

After that, Reboot.


Step 2

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • C:\PROGRA~1\ASKS~1\services.exe
  • Click on the Submit button
  • Please post the results in your next reply.
Step 3

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report, the Jotti Results, and a new HijackThis log

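The entries ticked in Step 1 above follow a handful of recognisable patterns: hooks whose backing file is gone (O2/O3/O20 "file missing"), an HKCU autostart under the user profile whose path HijackThis renders with "?" (a non-ASCII character in the directory name), a copy of services.exe living outside system32, a remote ActiveX install (O16 DPF), and a proxy injected into HKCU (R1). The script below is an added example, not a tool from this thread or from the HijackThis project, that applies those checks to HijackThis-format log lines and prints the lines to tick before "Fix Checked". The sample input is a verbatim subset of the first log in this thread; the TRUSTED_DPF_HOSTS allow-list and the SYSTEM_BINARIES set are assumptions made for the example.

```python
"""Triage a HijackThis v1.99 log with the heuristics the thread above applies by hand.
Added example; not a tool from the forum thread or from HijackThis itself."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts from which an O16 (ActiveX/DPF) download is tolerated. Assumption for the
# example; tune it to the environment.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com", "pandasoftware.com")

# Names that belong in %SystemRoot%\system32. The same name anywhere else
# (C:\PROGRA~1\ASKS~1\services.exe above) is a masquerade. Assumed list.
SYSTEM_BINARIES = {"services.exe", "winlogon.exe", "svchost.exe", "lsass.exe", "smss.exe", "csrss.exe"}

# Sample input: a verbatim subset of the first HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=:0
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - blank (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Klnfcmo] C:\Documents and Settings\mattmatt\Application Data\?icrosoft.NET\r?ndll.exe
O4 - HKCU\..\Run: [Eaos] "C:\PROGRA~1\ASKS~1\services.exe" -vt mt
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1162
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)
O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

_ENTRY = re.compile(r"^([RFO]\d+) - (.*)$")          # "O4 - HKCU\..\Run: [...] path"
_EXE = re.compile(r'([^\\/"\s]+\.(?:exe|dll))', re.IGNORECASE)  # first module name in the line


@dataclass
class Finding:
    section: str        # HijackThis section code, e.g. "O4"
    reasons: list[str]  # why the line should be ticked
    line: str           # the log line exactly as HijackThis shows it


def triage(log: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = _ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        low = body.lower()
        reasons: list[str] = []

        # Hooks whose backing file is gone load nothing legitimate; a missing Winlogon
        # Notify DLL (O20) or service binary (O23) is a leftover of something removed.
        if "(file missing)" in low and section in {"O2", "O3", "O20", "O23"}:
            reasons.append("orphaned entry (file missing)")

        # Autostarts and services: system-binary name outside system32, a path under the
        # user profile, or '?' (HijackThis' rendering of a non-ASCII path character).
        if section in {"O4", "O23"}:
            exe = _EXE.search(body)
            name = exe.group(1).lower() if exe else ""
            if name in SYSTEM_BINARIES and "\\windows\\system32\\" + name not in low:
                reasons.append(f"{name} outside system32")
            if section == "O4" and "\\documents and settings\\" in low:
                reasons.append("autostart from user profile")
            if section == "O4" and "?" in body:
                reasons.append("non-ASCII characters in path")

        # Remote ActiveX installs (O16) from anywhere but a known vendor.
        if section == "O16":
            host = urlparse(body.rsplit(" - ", 1)[-1]).netloc.lower()
            if not any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS):
                reasons.append(f"ActiveX download from untrusted host {host!r}")

        # A proxy set in HKCU routes every IE request through it; here the value is junk.
        if section == "R1" and "proxyserver" in low:
            reasons.append("proxy server configured in HKCU")

        if reasons:
            findings.append(Finding(section, reasons, line))
    return findings


def lines_to_fix(log: str) -> list[str]:
    """The lines to tick and 'Fix checked' in HijackThis, in log order."""
    return [f.line for f in triage(log)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {'; '.join(f.reasons):60} {f.line}")
```

These are triage heuristics, not verdicts: "file missing" only says an entry is orphaned, and a flagged binary such as the ASKS~1\services.exe above still wants a hash or an upload to a multi-engine scanner before it is written off, which is exactly the Jotti step that follows.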

#5 matt. (Topic Starter, 80 posts)

Jotti's scan: "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"
so I didn't know what to do.

Active Scan:
Incident Status Location

Adware:adware/cws.searchmeup Not disinfected c:\windows\uniq
Adware:adware/wupd Not disinfected c:\program files\Windows ServeAd
Adware:adware/mediatickets Not disinfected Windows Registry
Potentially unwanted tool:application/need2find Not disinfected hkey_current_user\software\Need2Find
Adware:adware/purityscan Not disinfected Windows Registry
Adware:adware/surfaccuracy Not disinfected Windows Registry
Potentially unwanted tool:application/funweb Not disinfected hkey_classes_root\FunWebProducts.DataControl
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Anne\Cookies\[email protected][1].txt
Spyware:Cookie/adstat Not disinfected C:\Documents and Settings\Anne\Cookies\[email protected][1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Anne\Cookies\anne@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Anne\Cookies\anne@belnk[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Anne\Cookies\anne@burstnet[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Anne\Cookies\[email protected][2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Anne\Cookies\[email protected][1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Anne\Cookies\[email protected][1].txt
Spyware:Cookie/seeqA Not disinfected C:\Documents and Settings\Anne\Cookies\[email protected][1].txt

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 7:55:23 PM, on 23/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mattmatt\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Great Offers Displayer - {CE05B815-6F98-4ADD-AEB7-60BB2D4264F1} - c:\WINDOWS\bh.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Zone Alarm Pro] D:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [Screen shot Utility] D:\Program Files\ScreenShot Utility\ScreenshotUtility.exe
O4 - HKLM\..\Run: [FreeRAM XP Pro] D:\Program Files\FreeRam XP Pro\FreeRAM XP Pro.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] D:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] D:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [spywarefighterguard] C:\Program Files\SPYWAREfighter\spfprc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIP] C:\WINDOWS\aip.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQLSERVER - Unknown owner - C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe (file missing)
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe (file missing)
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SQLSERVERAGENT - Unknown owner - C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlagent.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe





When you told me to find:
C:\Progra~1\MYWEBS~1 the file wasn't found, and same with
C:\Documents and Settings\mattmatt etc.; wasn't found.

OK, there's the info you need :D hope this helps.

While I remember, I've got some other doofus pop-up that's come up.
The website is http://dl2media.com/show.php/13/1
Um, yeah, I've blocked the URL but it's still annoying.

Edited by matt., 23 May 2006 - 06:00 AM.


#6 Jayzeee (Member 1K, 1,238 posts)

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: Great Offers Displayer - {CE05B815-6F98-4ADD-AEB7-60BB2D4264F1} - c:\WINDOWS\bh.dll
O4 - HKCU\..\Run: [AIP] C:\WINDOWS\aip.exe

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please delete these files using Windows Explorer (if present):

c:\WINDOWS\bh.dll
C:\WINDOWS\aip.exe

After that, Reboot.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Close all other open windows and click the Empty Selected button.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Close all other open windows and click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Close all other open windows and click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For technical support, double-click the e-mail address located at the bottom of each menu.

Please download ewido anti-malware; it is the free version of the program.
  • Install ewido anti-malware
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (The status bar at the bottom will display "Update successful".)
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

Reopen HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, then copy and paste the results in your next post, along with the ewido report.txt and a new HijackThis log.

Let me know if you are still getting popups...

#7 matt. (Topic Starter, 80 posts)

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:20:05 PM, 26/05/2006
+ Report-Checksum: 2687E5CF

+ Scan result:

[3572] c:\WINDOWS\bh.dll -> Trojan.Delf.px : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Anne\Application Data\Mozilla\Firefox\Profiles\99cgng9b.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Anne\Application Data\Mozilla\Firefox\Profiles\99cgng9b.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Anne\Application Data\Mozilla\Firefox\Profiles\99cgng9b.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Anne\Application Data\Mozilla\Firefox\Profiles\99cgng9b.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Anne\Application Data\Mozilla\Firefox\Profiles\99cgng9b.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.143:C:\Documents and Settings\Anne\Application Data\Mozilla\Firefox\Profiles\99cgng9b.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Anne\Cookies\anne@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Anne\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Anne\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Anne\Cookies\anne@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.12:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.13:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.14:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.15:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.18:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.19:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.28:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.29:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.30:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.31:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Yadro : Cleaned with backup
:mozilla.38:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.51:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.52:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.53:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.54:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.55:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.56:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.57:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.58:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.88:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.89:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.90:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.91:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.115:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.122:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.123:C:\Documents and Settings\mattmatt\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
C:\Documents and Settings\mattmatt\Desktop\backups\backup-20060526-161539-613.dll -> Trojan.Delf.px : Cleaned with backup
C:\Documents and Settings\mattmatt\Local Settings\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\Cache\4500CCA3d01/siprj.exe -> Trojan.Delf.px : Error during cleaning
C:\WINDOWS\bh.dll -> Trojan.Delf.px : Cleaned with backup
C:\WINDOWS\system32\mswins.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\oins.exe.tcf -> Downloader.PurityScan.cm : Cleaned with backup


::Report End


Uninstall_list


Ad-aware Pro 6.0
Adobe Acrobat 5.0
Battlefield 1942
Camera Plus
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window MC 5 for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
dBpowerAMP Music Converter
dBpowerAMP WMA V9.1 Codec
DivX
DivX Player
ewido anti-malware
Google Toolbar for Internet Explorer
Hide IP Platinum 1.21
HijackThis 1.99.1
HP Photo & Imaging 3.1
HP PSC & OfficeJet 3.0
HP Software Update
iTunes
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Lemmings for Windows 95
LimeWire PRO 4.9.23
Macromedia Shockwave Player
MAIET entertainment - Gunz
Memories Disc Creator 2.0
Messenger Plus! 3
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office XP Professional with FrontPage
Microsoft SQL Server 2000
Microsoft Windows Journal Viewer
Mozilla Firefox (1.5.0.3)
MSN Messenger 7.5
MSN Toolbar
Mu
Need for Speed™ Most Wanted
nProtect KeyCrypt
NVIDIA Drivers
NVIDIA WDM Drivers
Panda ActiveScan
PC Doc Pro 3.5
POD-Bot 2.5
QuickTime
RealProducer G2
Realtek AC'97 Audio
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Spybot - Search & Destroy 1.4
Steam™
Trend Micro Anti-Spam
Trend Micro PC-cillin Internet Security 2005
TrojanHunter 4.5
Update for Windows XP (KB894391)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Wave Splitter 2.10
Windows Defender
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
XoftSpy
  • 0

#8
Jayzeee
    Member 1K
  • 1,238 posts
Please post back a new HijackThis log, thanks :whistling:
  • 0

#9
matt.
    Member
  • Topic Starter
  • 80 posts
Logfile of HijackThis v1.99.1
Scan saved at 10:28:28 PM, on 26/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mattmatt\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Zone Alarm Pro] D:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [Screen shot Utility] D:\Program Files\ScreenShot Utility\ScreenshotUtility.exe
O4 - HKLM\..\Run: [FreeRAM XP Pro] D:\Program Files\FreeRam XP Pro\FreeRAM XP Pro.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] D:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] D:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [spywarefighterguard] C:\Program Files\SPYWAREfighter\spfprc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQLSERVER - Unknown owner - C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe (file missing)
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe (file missing)
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SQLSERVERAGENT - Unknown owner - C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlagent.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
  • 0

#10
matt.
    Member
  • Topic Starter
  • 80 posts
O4 - HKLM\..\Run: [Zone Alarm Pro] D:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [Screen shot Utility] D:\Program Files\ScreenShot Utility\ScreenshotUtility.exe
O4 - HKLM\..\Run: [FreeRAM XP Pro] D:\Program Files\FreeRam XP Pro\FreeRAM XP Pro.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] D:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] D:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe

These look a bit odd, because the D:\ drive is my CD drive, because I decided to change it one day and I can't remember how to change it back, so... yeah, they look weird... because I don't think that sh*t can come from a CD, but you're the expert, I'll let you decide. I was just letting you know.

Edited by matt., 26 May 2006 - 08:36 AM.

  • 0

#11
Jayzeee
    Member 1K
  • 1,238 posts

O4 - HKLM\..\Run: [Zone Alarm Pro] D:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [Screen shot Utility] D:\Program Files\ScreenShot Utility\ScreenshotUtility.exe
O4 - HKLM\..\Run: [FreeRAM XP Pro] D:\Program Files\FreeRam XP Pro\FreeRAM XP Pro.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] D:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] D:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe

These look a bit odd, because the D:\ drive is my CD drive, because I decided to change it one day and I can't remember how to change it back, so... yeah, they look weird... because I don't think that sh*t can come from a CD, but you're the expert, I'll let you decide. I was just letting you know.


Those entries are related to startup folders in the registry that are loaded when windows boots up. If D:\ is your CD drive, I can only assume that these files cannot be found upon boot up, and the applications do not load.

You would almost certainly be receiving "missing file" errors when you boot your PC.

I also notice that none of these apps are listed in your uninstall list. If you do not use Zone Alarm Pro, Screen shot Utility, FreeRAM XP Pro or Lexmark X73 Button Manager, you can have HijackThis fix them.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [Zone Alarm Pro] D:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [Screen shot Utility] D:\Program Files\ScreenShot Utility\ScreenshotUtility.exe
O4 - HKLM\..\Run: [FreeRAM XP Pro] D:\Program Files\FreeRam XP Pro\FreeRAM XP Pro.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] D:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] D:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe


Now close all windows other than HiJackThis, then click Fix Checked.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):

LimeWire PRO 4.9.23
- This one is optional, P2P programs allow malware to install itself on your PC. I recommend that you uninstall this.

Do you know what Mu is in Add/Remove programs? If you don't then please Uninstall it.

Please do an online scan with Kaspersky WebScanner, just to make sure you are clean.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post, along with a new HijackThis log
How are you running?
  • 0
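The advice above turns on two things a log reviewer checks by hand: autostart entries whose target sits on a drive that is not a fixed disk (here D:, which matt. says is a CD drive), and entries HijackThis marks "(file missing)". The script below is an added example, not part of the thread or of HijackThis; it parses O4 (Run key) and O23 (service) lines in the shape HijackThis v1.99.1 prints, extracts the loaded file from quoted, unquoted and RUNDLL32-style commands, and flags those two conditions plus one more a defender watches for: a core Windows binary name (such as winlogon.exe) sitting outside system32. The sample lines are constructed and the drive set is an assumption passed as a parameter.

```python
"""Audit HijackThis O4 and O23 lines for autostart entries worth a second look.

Added example, not code from the original thread or from HijackThis. Sample
lines are constructed in the shape HijackThis v1.99.1 prints; the set of
non-fixed drives is an assumption (matt. says D: is a CD drive).
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample in HijackThis v1.99.1 format (one Run entry per line).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Zone Alarm Pro] D:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
# First drive-rooted path ending in a loadable extension. Non-greedy, so an
# unquoted path containing spaces stops at the first ".exe"/".dll".
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|]*?\.(?:exe|dll|scr|cpl)', re.IGNORECASE)
MISSING = "(file missing)"
# Names malware often borrows; the legitimate copies live in system32.
CORE_BINARIES = {"winlogon.exe", "lsass.exe", "services.exe",
                 "smss.exe", "csrss.exe", "svchost.exe"}


@dataclass
class Finding:
    kind: str                      # "O4" or "O23"
    name: str                      # Run value name or service name
    target: str                    # file the entry loads
    reasons: List[str] = field(default_factory=list)


def extract_target(cmd: str) -> Tuple[str, bool]:
    """Return (loaded file, file_missing) for the command part of a line."""
    cmd = cmd.strip()
    missing = cmd.lower().endswith(MISSING)
    if missing:
        cmd = cmd[:-len(MISSING)].rstrip()
    if cmd.startswith('"'):                 # "C:\...\x.exe" -args
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]), missing
    m = PATH_RE.search(cmd)                 # D:\Program Files\...\zapro.exe,
    if m:                                   # or the DLL after RUNDLL32.EXE
        return m.group(0), missing
    return cmd.split()[0], missing          # bare name such as nwiz.exe


def audit_hjt_log(text: str, non_fixed_drives=frozenset({"D"})) -> List[Finding]:
    """Return only the entries that trip at least one of the three checks."""
    findings = []
    for line in text.splitlines():
        m = O4_RE.match(line) or O23_RE.match(line)
        if not m:
            continue                        # other sections, Global Startup .lnk lines
        kind = "O4" if line.startswith("O4") else "O23"
        target, missing = extract_target(m.group("cmd"))
        f = Finding(kind, m.group("name"), target)
        if missing:
            f.reasons.append("HijackThis reports the file missing")
        drive = target[0].upper() if len(target) > 1 and target[1] == ":" else None
        if drive in non_fixed_drives:
            f.reasons.append(f"target is on non-fixed drive {drive}:")
        base = target.rsplit("\\", 1)[-1].lower()
        parent = target.rsplit("\\", 2)[-2].lower() if target.count("\\") >= 2 else ""
        if base in CORE_BINARIES and parent != "system32":
            f.reasons.append(f"{base} normally lives in system32, found under '{parent}'")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit_hjt_log(SAMPLE_LOG):
        print(f"{f.kind} [{f.name}] {f.target}")
        for r in f.reasons:
            print("   -", r)
```

Run against the sample it reports Zone Alarm Pro (on D:) and the NTLOAD service (file missing, and winlogon.exe outside system32); the Run entries resolved by bare name, such as nwiz.exe, are deliberately not flagged.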

#12
matt.
    Member
  • Topic Starter
  • 80 posts
Infected Object Name Virus Name Last Action
C:\Documents and Settings\mattmatt\Local Settings\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\Cache\4500CCA3d01/si22939.dll/data0001 Infected: Trojan.Win32.Delf.px skipped
C:\Documents and Settings\mattmatt\Local Settings\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\Cache\4500CCA3d01/si22939.dll Infected: Trojan.Win32.Delf.px skipped
C:\Documents and Settings\mattmatt\Local Settings\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\Cache\4500CCA3d01/siprj.exe Infected: Trojan.Win32.Delf.px skipped
C:\Documents and Settings\mattmatt\Local Settings\Application Data\Mozilla\Firefox\Profiles\88o6uj2e.default\Cache\4500CCA3d01 ZIP: infected - 3 skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP10\A0006066.tlb Infected: Trojan-Downloader.Win32.Zlob.mq skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP10\A0006072.exe Infected: Trojan-Downloader.Win32.Zlob.mq skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP10\A0006076.dll Infected: not-virus:Hoax.Win32.Renos.cw skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP100\A0024441.dll/data0001 Infected: Trojan.Win32.Delf.px skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP100\A0024441.dll Inno: infected - 1 skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP100\A0024442.exe Infected: Trojan.Win32.Delf.px skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP102\A0024551.exe Infected: Trojan.Win32.Delf.px skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP105\A0025614.exe Infected: Trojan-Downloader.Win32.PurityScan.cl skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP117\A0027796.dll Infected: Trojan.Win32.Delf.px skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP117\A0027797.exe Infected: Backdoor.Win32.Rbot.gen skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP117\A0028746.dll Infected: Trojan.Win32.Delf.px skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP13\A0006139.tlb Infected: Trojan-Downloader.Win32.Zlob.mb skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP14\A0006166.tlb Infected: Trojan-Downloader.Win32.Zlob.mb skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP14\A0006238.tlb Infected: Trojan-Downloader.Win32.Zlob.mb skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP16\A0006240.tlb Infected: Trojan-Downloader.Win32.Zlob.mb skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP17\A0006329.tlb Infected: Trojan-Downloader.Win32.Zlob.mb skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP17\A0006408.tlb Infected: Trojan-Downloader.Win32.Zlob.mb skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP19\A0006513.tlb Infected: Trojan-Downloader.Win32.Zlob.mb skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP20\A0006537.exe Infected: Trojan-Downloader.Win32.PurityScan.cm skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP20\A0006538.tlb Infected: Trojan-Downloader.Win32.Zlob.mb skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP20\A0006555.exe Infected: Trojan-Downloader.Win32.Zlob.mb skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP29\A0008918.tlb Infected: Trojan-Downloader.Win32.Zlob.mb skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP29\A0008919.dll Infected: not-virus:Hoax.Win32.Renos.cw skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP29\A0009085.exe/stream/data0281 Infected: Trojan.VBS.Small.t skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP29\A0009085.exe/stream Infected: Trojan.VBS.Small.t skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP29\A0009085.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP63\A0017433.exe Infected: Trojan-Downloader.Win32.PurityScan.cl skipped
C:\System Volume Information\_restore{C658E671-D8C9-4A66-BE6B-CD325E463E23}\RP95\A0022340.exe Infected: Trojan-Downloader.Win32.PurityScan.cm skipp


lol, a lot of trojans.

Logfile of HijackThis v1.99.1
Scan saved at 11:54:27 AM, on 28/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Documents and Settings\mattmatt\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [spywarefighterguard] C:\Program Files\SPYWAREfighter\spfprc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQLSERVER - Unknown owner - C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe (file missing)
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe (file missing)
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SQLSERVERAGENT - Unknown owner - C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlagent.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
  • 0

#13
Jayzeee
    Member 1K
  • 1,238 posts
Those Trojans are in the system restore folder. Please follow these instructions...

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files (you will lose all previous restore points, which are likely to be infected):

1. Turn off System Restore.
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   Check Turn off System Restore.
   Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   UN-Check Turn off System Restore.
   Click Apply, and then click OK.

System Restore will now be active again.

You need to clear your Firefox cache:

Launch Firefox and go to Tools > Options, click on the Cache tab, then click Clear Cache Now.

:whistling: Your log looks clean :blink:

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Detect and Removal
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
Prevention
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein
  • 0

#14
matt.
    Member
  • Topic Starter
  • 80 posts
Hello,

Thank you very much for your help.
Everything is running fine.
If I can donate I will :whistling:
OK guys, thanks a lot.
  • 0

#15
therock247uk
    Expert
  • 14,672 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0