Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

spyware removal help - hijackthis log file [RESOLVED]

Started by rerks , Oct 09 2006 07:49 AM

  • This topic is locked This topic is locked

#1
rerks
Posted 09 October 2006 - 07:49 AM

rerks

    Member

  • Member
  • PipPip
  • 21 posts
i have run the whole five steps in the geeks to go spyware/malware/trojan etc removal steps. (except the trend housecall online scan, bit doesnt work and just freezes, you may be able to help me on that).

here is the supplied hijakcthis log file hope you can help me out. these are the problems i have run into:

- uptodateprotection.net default homepage invasion
- CoolWeb in 'Connect To' folder in start menu (dont know if this is bad)
- multiple pop-ups appearing asking to install fake dodgy spyware and virus apps even when pop-up blocker is on

Logfile of HijackThis v1.99.1
Scan saved at 11:09:03 PM, on 9/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.news.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0995F025-BE6E-4812-3AE1-047F85303F70} - C:\WINDOWS\system32\svpenim.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [xgicmfm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\xgicmfm.dll,ebsywze
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [dlmMgr] "C:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe" restart=1
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Thomas\My Documents\Police Quest 3\dsd\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Thomas\My Documents\Police Quest 3\dsd\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab46479.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} - http://soft.trustinc...stall/tload.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/...tz.cab40641.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab41227.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2812B84C-17DD-46F7-8EDE-744965F537D0}: NameServer = 61.9.128.16,61.9.128.13
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winpdc32 - winpdc32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
  • 0

Advertisements

#2
Crustyoldbloke
Posted 09 October 2006 - 08:53 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello rerks and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! (Click the Options drop down near the upper right of the topic. Select Print this topic.)

You have quite a mixture of malware and Trojans including a Puper infection. Let’s see what we can do.

Please disable Trojan Hunter. Go to TrojanHunter Guard in the lower right corner of your screen. It is a light blue icon with a magnifying glass that can be difficult to see but the handle is red. Right click it and select settings. Uncheck Load at startup and Enabled

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

A. Please open AVG Anti Spyware
  • Please install, and update AVG Anti-Spyware/Ewido
  • Load AVGas/Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Please select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
  • Close AVGas/Ewido. Do not run it yet.
B. Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:

Safe Mode

C. Open the SmitfraudFix Folder, (right click and choose Extract All) then double-click smitfraudfix.cmd file to start the tool. Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

D. Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

E. Close ALL open Windows / Programmes / Folders.
  • In Safe Mode, load AVGas/Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be patient.
  • AVGas/Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (I suggest the Desktop).
Close AVGas/Ewido and Reboot in Normal Mode.
______________________________

F. Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the Programme and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________

G. Please post:
  • c:\rapport.txt
  • AVGas/Ewido log
  • A new HijackThis log (from normal mode).
You may need more than one reply to post the requested logs, otherwise they might get cut off.
  • 0

#3
rerks
Posted 10 October 2006 - 01:48 AM

rerks

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hey thanks thanks heaps for this! one thing i forgot to disable torjan hunter while doing the steps i dont really want to do them again is that OK? But i have disabled it now!

here are the logs:

c:\rapport/txt

SmitFraudFix v2.107

Scan done at 16:03:52.10, Tue 10/10/2006
Run from C:\Documents and Settings\Thomas\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

AVGas/Ewido log

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:58:13 PM 10/10/2006

+ Scan result:



HKLM\SOFTWARE\Classes\CLSID\{69E0BB4C-D321-F786-B469-C2E0A72146F8} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AA063CDD-1026-4743-90EE-5B366878400F}\RP83\A0031495.exe -> Dialer.EgroupDial.w : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AA063CDD-1026-4743-90EE-5B366878400F}\RP83\A0031498.dll -> Dialer.EgroupDial.x : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AA063CDD-1026-4743-90EE-5B366878400F}\RP83\A0031496.dll -> Downloader.Small.ddp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AA063CDD-1026-4743-90EE-5B366878400F}\RP83\A0031494.exe -> Downloader.Zlob.aoc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AA063CDD-1026-4743-90EE-5B366878400F}\RP87\A0031579.dll -> Not-A-Virus.Hoax.Win32.Renos.ds : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AA063CDD-1026-4743-90EE-5B366878400F}\RP79\A0029149.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AA063CDD-1026-4743-90EE-5B366878400F}\RP79\A0029155.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AA063CDD-1026-4743-90EE-5B366878400F}\RP80\A0030155.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AA063CDD-1026-4743-90EE-5B366878400F}\RP80\A0030162.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AA063CDD-1026-4743-90EE-5B366878400F}\RP80\A0030170.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AA063CDD-1026-4743-90EE-5B366878400F}\RP80\A0030172.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AA063CDD-1026-4743-90EE-5B366878400F}\RP81\A0030185.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AA063CDD-1026-4743-90EE-5B366878400F}\RP81\A0030247.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AA063CDD-1026-4743-90EE-5B366878400F}\RP81\A0030252.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AA063CDD-1026-4743-90EE-5B366878400F}\RP81\A0030305.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AA063CDD-1026-4743-90EE-5B366878400F}\RP82\A0030393.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AA063CDD-1026-4743-90EE-5B366878400F}\RP83\A0031465.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AA063CDD-1026-4743-90EE-5B366878400F}\RP83\A0031497.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).


::Report end

The new Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 5:05:39 PM, on 10/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0995F025-BE6E-4812-3AE1-047F85303F70} - C:\WINDOWS\system32\svpenim.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Thomas\My Documents\Police Quest 3\dsd\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Thomas\My Documents\Police Quest 3\dsd\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab46479.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} - http://soft.trustinc...stall/tload.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/...tz.cab40641.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab41227.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2812B84C-17DD-46F7-8EDE-744965F537D0}: NameServer = 61.9.128.16,61.9.128.13
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winpdc32 - winpdc32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

Again thanks heaps for your help! hopefully we can get the little annoyances off here and get te speed back on this baby!
  • 0

#4
Crustyoldbloke
Posted 10 October 2006 - 02:19 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

It looks like the Puper infection is gone, now to tackle the rest.

Please disable AVGas Guard from running as it will hinder our attempts to change anything. Right click on the orange/multicoloured icon with an S, in the taskbar (near the clock) and uncheck Resident Shield. The icon will change to a grey colour.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
CCleaner
combofix.exe

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {0995F025-BE6E-4812-3AE1-047F85303F70} - C:\WINDOWS\system32\svpenim.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Thomas\My Documents\Police Quest 3\dsd\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Thomas\My Documents\Police Quest 3\dsd\PartyPoker.exe (file missing)
O16 - DPF: {590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} - http://soft.trustinc...stall/tload.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/...tz.cab40641.cab
O20 - Winlogon Notify: winpdc32 - winpdc32.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.

Please install Killbox by Option^Explicit.
  • Please double-click Killbox.exe to run it.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\svpenim.dll
C:\WINDOWS\system32\xgicmfm.dll
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the system tab, and under the heading of Applications uncheck AVGas Anti-malware log then click Analyze> Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues then Scan for issues – fix selected issues

Double click combofix.exe & follow the prompts.

When it has finished, it will produce a log. Please post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post back a fresh HijackThis log (from normal mode) and I will take another look. How's the PC running now?
  • 0

#5
rerks
Posted 10 October 2006 - 04:49 PM

rerks

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
hey phil thanks for the reply and the steps i will be sure to do them! but i have a weird problem: when i want to install killbox and download comobfix i get this microsoft publisher 2002 install box popping up!!?? (refer to attachments) it then asks for a cd and when i click OK it freezes. any ideas?
  • 0

#6
rerks
Posted 10 October 2006 - 05:12 PM

rerks

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
sorry no attachments could get it to work

p.s. pc is more responsive, internet speed is a little quicker and starts-up much faster! cheers
  • 0

#7
Crustyoldbloke
Posted 10 October 2006 - 08:17 PM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
I am totally dumbstruck! I have never heard of anything like that. Do you have Microsoft Publisher 2002 on your PC?

Firstly, reboot, sometimes that alone will remedy it, then try again and this time if it happens again, press Ctrl, Alt and Delete together to bring up the TaskManager. Have a look in the running processes, if it is there highlight it and click End Process.
  • 0

#8
rerks
Posted 11 October 2006 - 01:19 AM

rerks

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hey again thanks that worked and i installed killbox. I have publisher 2002 installed in office 2002 but hardly use it, so should i uninstall it?
Also the link for combofix isnt working? i think installing firefox would make it work, but im not sure if i should use it with along with IE still on the pc
  • 0

#9
Crustyoldbloke
Posted 11 October 2006 - 02:35 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
The author of ComboFix withdrew the tool due to a coding error, we were informed about 10 hours ago.

Please continue with the rest and give ComboFix a last try before posting your HJT log.

BTW, I wish I could explain your error, but I wouldn't uninstall the programme just yet; perhaps consider it if it reoccurs.
  • 0

#10
rerks
Posted 11 October 2006 - 11:12 PM

rerks

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
combofix.exe log

Thomas - 06-10-12 14:26:29.03 Service Pack 2
ComboFix 06.10.11 - Running from: "C:\spyware apps"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\components
C:\Program Files\Common Files\{E4C2E236-0702-3081-0517-02011102003d}


((((((((((((((((((((((((((((((( Files Created from 2006-09-12 to 2006-10-12 ))))))))))))))))))))))))))))))))))


2006-10-11 17:44 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
2006-10-09 23:39 21,312 --a------ C:\WINDOWS\choice.exe
2006-10-09 17:39 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-08 12:10 26,787 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2006-10-08 12:03 95,784 --a------ C:\WINDOWS\system32\ISafeIf.dll
2006-10-08 12:03 75,304 --a------ C:\WINDOWS\system32\VetRedir.dll
2006-10-08 12:03 75,304 --a------ C:\WINDOWS\system32\iSafProd.dll
2006-10-08 12:03 629,264 --a------ C:\WINDOWS\system32\drivers\VetEFile.sys
2006-10-08 12:03 21,031 --a------ C:\WINDOWS\system32\drivers\Vet-Filt.sys
2006-10-08 12:03 15,735 --a------ C:\WINDOWS\system32\drivers\VetFDDNT.sys
2006-10-08 12:03 15,478 --a------ C:\WINDOWS\system32\drivers\Vet-Rec.sys
2006-10-08 12:03 116,264 --a------ C:\WINDOWS\UnVet32.exe
2006-10-08 12:03 112,168 --a------ C:\WINDOWS\AVShlExt.dll
2006-10-08 12:03 108,592 --a------ C:\WINDOWS\system32\drivers\VetEBoot.sys
2006-10-07 00:32 724,992 --a------ C:\WINDOWS\iun6002.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-12 14:27 -------- d-a------ C:\Program Files\Common Files
2006-10-12 13:43 -------- d-------- C:\Documents and Settings\Thomas\Application Data\uTorrent
2006-10-11 17:44 -------- d-------- C:\Program Files\Online Services
2006-10-11 17:25 -------- d-------- C:\Program Files\MSN
2006-10-10 20:03 -------- d-------- C:\Program Files\CCleaner
2006-10-09 23:59 663 --a------ C:\Documents and Settings\Thomas\Application Data\AdobeDLM.log
2006-10-09 23:59 508 --a------ C:\Documents and Settings\Thomas\Application Data\dm.ini
2006-10-09 23:55 -------- d-------- C:\Program Files\Windows Defender
2006-10-09 23:08 -------- d-------- C:\Program Files\Common Files\Adobe
2006-10-09 23:08 -------- d-------- C:\Documents and Settings\Thomas\Application Data\Adobe
2006-10-09 22:30 -------- d-------- C:\Program Files\TrojanHunter 4.6
2006-10-09 22:27 -------- d-------- C:\Documents and Settings\Thomas\Application Data\TrojanHunter
2006-10-09 22:15 -------- d-------- C:\Documents and Settings\Thomas\Application Data\Syntrillium
2006-10-09 17:38 -------- d-------- C:\Program Files\Grisoft
2006-10-08 12:03 -------- d-------- C:\Program Files\CA
2006-10-05 13:37 -------- d-------- C:\Program Files\Smart Projects
2006-09-27 16:46 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-08 18:04 -------- d-------- C:\Program Files\iPod
2006-09-06 21:18 -------- d-------- C:\Documents and Settings\Thomas\Application Data\SAS
2006-09-03 01:32 -------- d-------- C:\Program Files\Hardwood Hearts
2006-08-25 22:52 -------- d---s---- C:\Documents and Settings\Thomas\Application Data\Microsoft
2006-08-21 21:51 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 18:44 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 18:44 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-20 19:29 -------- d-------- C:\Program Files\SilverCreekCommonFiles
2006-08-20 19:29 -------- d-------- C:\Program Files\Silver Creek Installer
2006-08-16 22:42 -------- d-------- C:\Program Files\NoAdware4
2006-08-15 09:36 -------- d-------- C:\Program Files\Internet Explorer
2006-07-27 22:54 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 17:54 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-16 11:21 45568 --------- C:\WINDOWS\ATF-Cleaner.exe
2006-07-16 11:01 2144 --------- C:\WINDOWS\FixTC.reg
2006-07-14 20:12 67176 --a------ C:\Documents and Settings\Thomas\Application Data\GDIPFONTCACHEV1.DAT


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"MsmqIntCert"="regsvr32 /s mqrt.dll"
"AdwareAlert"="C:\\Program Files\\AdwareAlert\\AdwareAlert.exe -boot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^.protected]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\.protected"
"backup"="C:\\WINDOWS\\pss\\.protectedCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\.protected"
"item"=".protected"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\NkvMon.exe.lnk"
"backup"="C:\\WINDOWS\\pss\\NkvMon.exe.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Nikon\\NkView6\\NkvMon.exe "
"item"="NkvMon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Thomas^Start Menu^Programs^Startup^.protected]
"path"="C:\\Documents and Settings\\Thomas\\Start Menu\\Programs\\Startup\\.protected"
"backup"="C:\\WINDOWS\\pss\\.protectedStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Thomas\\Start Menu\\Programs\\Startup\\.protected"
"item"=".protected"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\!AVG Anti-Spyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgas"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CaAvTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CAVTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CA\\eTrust Vet Antivirus\\CAVTray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CAVRID]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CAVRID"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CA\\eTrust Vet Antivirus\\CAVRID.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\dlmMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeDownloadManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Adobe\\ESD\\AdobeDownloadManager.exe\" restart=1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\IMONTRAY]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="imontray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Intel\\Intel® Active Monitor\\imontray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SpyKiller]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="spykiller"
"hkey"="HKCU"
"command"="C:\\Program Files\\SpyKiller\\spykiller.exe /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\THGuard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="THGuard"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\UserFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -u"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -u"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Windows Defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSASCui"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\xgicmfm.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="xgicmfm"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\xgicmfm.dll,ebsywze"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"SuperProServer"=dword:00000003


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061010-213404-285
O20 - Winlogon Notify: winpdc32 - winpdc32.dll (file missing)
backup-20061010-213403-763
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/...tz.cab40641.cab
backup-20061010-213402-371
O16 - DPF: {590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} - http://soft.trustinc...stall/tload.cab
backup-20061010-213402-622
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Thomas\My Documents\Police Quest 3\dsd\PartyPoker.exe (file missing)
backup-20061010-213402-915
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Thomas\My Documents\Police Quest 3\dsd\PartyPoker.exe (file missing)
backup-20061010-213401-346
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
backup-20061010-213401-741
O2 - BHO: (no name) - {0995F025-BE6E-4812-3AE1-047F85303F70} - C:\WINDOWS\system32\svpenim.dll

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Ad-Aware SE Professional.job
C:\WINDOWS\tasks\C9E42F3C94E00BB0.job
C:\WINDOWS\tasks\eTrust Vet Antivirus.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 06-10-12 14:28:20.45
ComboFix.txt

Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 14:41, on 06-10-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab46479.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab41227.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2812B84C-17DD-46F7-8EDE-744965F537D0}: NameServer = 61.9.128.16,61.9.128.13
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

Cheers!
  • 0

Advertisements

#11
Crustyoldbloke
Posted 12 October 2006 - 02:35 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

The logs look good however, ComboFix has alerted me to four things, three are deletions and the other one could be a LOP infection, although I do not see any other signs of it. We best just check. Firstly, let's do the deletions, two are uninstalls of rogue programmes.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):(click Start>Settings>Control Panel)

NoAdware4
AdwareAlert

Please install Killbox by Option^Explicit.
  • Please double-click Killbox.exe to run it.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\iun6002.exe
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please Download NoLop to your desktop from one of the links below...
Link 1
Link 2
Link 3
  • First close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it
  • Now click the button labelled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the "REBOOT" Button.
  • A Message should popup from NoLop. If not, double click the program again and it will finish Please Post the contents of C:\NoLop.log along with a fresh HijackThis log
[b] --If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program. --

How's the PC running now?
  • 0

#12
rerks
Posted 12 October 2006 - 03:51 AM

rerks

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
NoLop log

NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Thomas\Desktop
[06-10-12]
[19:00:58]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\C9E42F3C94E00BB0.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\All Users\Application Data\Ahead
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Msn6
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Samsung
C:\Documents and Settings\All Users\Application Data\Sas
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Trymedia
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\Localservice\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Thomas\Application Data\.bittorrent
C:\Documents and Settings\Thomas\Application Data\Adobe
C:\Documents and Settings\Thomas\Application Data\Ahead
C:\Documents and Settings\Thomas\Application Data\Apple Computer
C:\Documents and Settings\Thomas\Application Data\Arcsoft
C:\Documents and Settings\Thomas\Application Data\Corn Dart 01 -- EMPTY Directory
C:\Documents and Settings\Thomas\Application Data\Dvdcss
C:\Documents and Settings\Thomas\Application Data\Funkitron
C:\Documents and Settings\Thomas\Application Data\Google
C:\Documents and Settings\Thomas\Application Data\Help
C:\Documents and Settings\Thomas\Application Data\Identities
C:\Documents and Settings\Thomas\Application Data\Intertrust
C:\Documents and Settings\Thomas\Application Data\Intervideo
C:\Documents and Settings\Thomas\Application Data\Lavasoft
C:\Documents and Settings\Thomas\Application Data\Logo Love -- EMPTY Directory
C:\Documents and Settings\Thomas\Application Data\Macromedia
C:\Documents and Settings\Thomas\Application Data\Microsoft
C:\Documents and Settings\Thomas\Application Data\Msn6
C:\Documents and Settings\Thomas\Application Data\Nikon
C:\Documents and Settings\Thomas\Application Data\Pokeracademypro2demo
C:\Documents and Settings\Thomas\Application Data\Real
C:\Documents and Settings\Thomas\Application Data\Samsung
C:\Documents and Settings\Thomas\Application Data\Sas
C:\Documents and Settings\Thomas\Application Data\Sun
C:\Documents and Settings\Thomas\Application Data\Syntrillium -- EMPTY Directory
C:\Documents and Settings\Thomas\Application Data\Sysil
C:\Documents and Settings\Thomas\Application Data\Trevoli
C:\Documents and Settings\Thomas\Application Data\Trojanhunter
C:\Documents and Settings\Thomas\Application Data\Utorrent
C:\Documents and Settings\Thomas\Application Data\Vlc

Hijackthislog

Logfile of HijackThis v1.99.1
Scan saved at 19:11, on 06-10-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab46479.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab41227.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2812B84C-17DD-46F7-8EDE-744965F537D0}: NameServer = 61.9.128.16,61.9.128.13
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

PC is much more repsonsive and no sign of spyware is present thanks! is it finished? if show which apps and folders should i keep and which can i delete? I have the following:

- Aware SE Professional
- Privacy Eraser Pro
- Spybot S&D
- Trojan Hunter
- Hijackthis
- AVG Anti-Spyware
- combofix
- killbox
- SmitfraudFix
- CW Shredder
- NoLop
- Windows Defender

Once again thanks for your help!
Cheers

p.s. should i use firefox along with IE 6? i heard that it is bad to have two browsers, and you should not delete IE as it could stop other programs from working
  • 0

#13
rerks
Posted 12 October 2006 - 03:56 AM

rerks

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
* - CCleaner *
  • 0

#14
Crustyoldbloke
Posted 12 October 2006 - 04:13 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Tom

Nearly there now.

Looks like you did have LOP after all.

We have some deleting to do, otherwise everything looks good.

Of the programmes you mentioned, I would get rid of these:-

- Privacy Eraser Pro
- combofix
- killbox
- SmitfraudFix
- NoLop

The empty folders need to be deleted as some of them (possibly all) belong to LOP:

C:\Documents and Settings\Localservice\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Thomas\Application Data\Corn Dart 01 -- EMPTY Directory
C:\Documents and Settings\Thomas\Application Data\Logo Love -- EMPTY Directory

Adware Alert is still on your PC and in startup too. After the fix, delete all traces of it by using search.

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate and delete this folder:

C:\Program Files\AdwareAlert\

Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log, from normal mode, and I will take another look.

MSIE and FireFox will quite happily live together on the same PC, in fact, it is virtually impossible to do without MSIE if you use and Microsoft IM programmes since MSIE is embedded. I wonder if there will be a court case on that issue, as it is protectionism?

I would be inclined to make FF default browser.

How's the PC running now?
  • 0

#15
rerks
Posted 12 October 2006 - 10:36 AM

rerks

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 02:03, on 06-10-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab46479.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab41227.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2812B84C-17DD-46F7-8EDE-744965F537D0}: NameServer = 61.9.128.16,61.9.128.13
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

Thanks for the info on FF, pc is running nicely. Is the computer free of spyware etc yet? Once agin CHEERS!
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP