Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

much unknown spy/malware


  • This topic is locked This topic is locked

#1
andr3w266

andr3w266

    New Member

  • Member
  • Pip
  • 5 posts
trying to fix a friends laptop, and having some major problems. keep getting a pop up from a question mark icon in the sys tray, warning of malware and suggesting i click to download removal software. this is obviously the first problem, but the machine is running really slow so i reckon there's more. i've run all the usul tests, atf cleaner, adaware, avg and avg anti spyware, f-prot antivirus, spybot s+d and lastly panda active scan, which said i still had adware and viruses. will post avtive scan, avgas and hijack this logs below. would really appreciate any help you guys can give.

Activescan log
Adware:Adware/VirusBurst Not disinfected C:\WINDOWS\System32\tazth.dll
Adware:adware/securityerror Not disinfected C:\Documents and Settings\SARAH\Favorites\Antivirus Test Online.url
Dialer:dialer.xd Not disinfected c:\windows\switchagreement.txt
Adware:adware/exact.bargainbuddy Not disinfected Windows Registry
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/ncase Not disinfected Windows Registry
Adware:adware/mediatickets Not disinfected Windows Registry
Virus:Eicar.Mod Not disinfected C:\Program Files\FSI\F-Prot\fpav-help.chm[/prob-scan-ok.html]
Virus:Eicar.Mod Not disinfected C:\Program Files\InstallShield Installation Information\{9FD12630-1991-46F5-8479-92DE1EAE87DA}\data1.cab[fpav-help.chm][/prob-scan-ok.html]
Possible Virus. Not disinfected C:\WINDOWS\F?nts\alg.exe
Virus:Trj/Goldun.MD Disinfected C:\WINDOWS\system32\wmdconf32.dll
Virus:Trj/Spammer.CD Disinfected C:\WINDOWS\system32\wnmmcdr321.dll

avgas log
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 17:07:22 28/10/2006
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{f31aee4a-1530-4fef-8537-79c6973bff9a} -> Adware.VirusBurst : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\gaonic -> Adware.VirusBurst : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TypeLib\{A569F6C9-29F0-43BC-80CF-6BA138C66108} -> Adware.VirusBurster : Cleaned with backup (quarantined).
C:\!KillBox\ishost.exe -> Downloader.Zlob.arx : Cleaned with backup (quarantined).
C:\!KillBox\ismini.exe -> Downloader.Zlob.arx : Cleaned with backup (quarantined).
C:\Documents and Settings\SARAH\Cookies\[email protected][1].txt -> TrackingCookie.Com : Cleaned.


::Report end

hijack this log
Logfile of HijackThis v1.99.1
Scan saved at 19:35:03, on 28/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\SARAH\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\NT\nrcs.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5DE1C218-23CA-44B7-AADF-C9E3D3737981} - C:\WINDOWS\System32\wdllfuf-32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\kbdgm.dll
O20 - Winlogon Notify: winilc32 - winilc32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Windows Vista/NT Runtime Compatibility Service (ntrcs) - Unknown owner - C:\WINDOWS\NT\nrcs.exe (file missing)
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
  • 0

Advertisements


#2
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Hi andr3w266

Welcome to GTG! :whistling:

* Click here to download SmitfraudFix.zip and save it to your desktop.
  • Unzip (extract) the contents of SmitfraudFix.zip to a new SmitfraudFix folder on your desktop.
  • Don't do anything with it yet. We'll run it later in safe mode.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm


* Update AVG Anti-Spyware:
  • On the main screen click on the "Update now" link and the update should begin immediately.
    • If the update does not begin, select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • When the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
  • If you cannot download the updates, update manuallly according to the directions here.
  • If you do the manual update, look under "Full database" and click the "Download now" button.
  • DO NOT run a scan yet. You will do that later in safe mode.

* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.


* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Run AVG Anti-Spyware:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • It will then begin the scanning process, be patient it may take a while for the scan to complete.
  • When the scan is complete, you must select an action.
  • Select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen
  • Save the report as a text file and save it to your desktop.
  • Close AVG Anti-Spyware.

* Run the SmitfraudFix:
  • Open the SmitfraudFix folder again and double-click the smitfraudfix.cmd file.
  • Select option #2 - Clean by typing 2 and press "Enter" to delete the infected files.
  • You will receive this prompt:
    • "Registry cleaning - Do you want to clean the registry ?"
  • Answer "Yes" by typing Y and press "Enter" and it will begin cleaning the infection.
  • Next the tool will check to see if wininet.dll is infected.
  • You may be prompted to replace the infected wininet.dll file if it is found.
  • Answer "Yes" by typing Y and press "Enter".
  • The tool may need to restart your computer to finish the cleaning process.
  • If it doesn't restart your computer automatically when it is finished, restart it back to Windows normally yourself.
  • A text file will appear onscreen, with results from the cleaning process.
  • Copy and paste the contents of that report into your next reply to this thread along with a new Hijack This log.
  • If the report doesn't open after you restart back to Windows normally, the report can be found at the root of the system drive, usually C:\rapport.txt.

  • 0

#3
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Also please open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad. Copy and paste that list here.
  • 0

#4
andr3w266

andr3w266

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
have re-run avgas (no updates available) and ran smitfraudfix. this seems to have possibly fixed the immediate problems, but posting logs below in case theres anything else

SmitFraudFix v2.115

Scan done at 22:21:38.46, 28/10/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

HiJack this uninstall manager list

ATI Control Panel
ATI Display Driver
AVG Anti-Spyware 7.5
AVG Free Edition
Belkin 802.11g Wireless Card
blueyonder Instant Support Tool
CleanUp!
Conexant 56K ACLink Modem
Conexant AC-Link Audio
Disney's Extremely Goofy Skateboarding
EPSON PhotoQuicker3.4
EPSON Printer Software
Finding Nemo: Nemo's Underwater World of Fun
FinePixViewer Ver.4.3
F-Prot for Windows
FUJIFILM USB Driver
HijackThis 1.99.1
HP Extended Capabilities 6.1
HP Imaging Device Functions 6.1
hp instant support
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 2100 series
HP Photosmart Essential
HP PSC & OfficeJet 6.1.A
hp psc 2100 series
HP Software Update
HP Solution Center and Imaging Support Tools 6.1
Inactive HP Printer Drivers (Remove only)
InterVideo WinDVD
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Premium
Microsoft PhotoDraw 2000
Microsoft Word 2002
Microsoft Works 7.0
MSI MS-551X MEGA STICK
Notebook Utilities
OIN
One-Touch Buttons
Outlook Express Update Q330994
Panda ActiveScan
RAW FILE CONVERTER LE
RealPlayer Basic
Safety Bar
ScanToWeb
Scientific-Atlanta WebSTAR 2000 series Cable Modem
SD Viewer
Spybot - Search & Destroy 1.4
Synaptics Pointing Device Driver
USB Driver for Panasonic DVC (with Web Camera)
Viewpoint Media Player (Remove Only)
Windows Backup Utility
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB822603
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q811493
Windows XP Hotfix (SP2) Q815021
Windows XP Hotfix (SP2) Q817287
  • 0

#5
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
* Go to Add/Remove programs and uninstall OIN

* Click here to download OiUninstaller.exe and save it to your desktop.

Click on the OiUninstaller.exe then follow the prompts from there.


* Run ActiveScan online virus scan here

When the scan is finished, click on the "Save Report" button an save the results of the scan to your desktop.

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log along with the results from ActiveScan
  • 0

#6
andr3w266

andr3w266

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
did as suggested for removing OIN. still having problems. posting active scan and hijack this logs below. stil grateful for all the help


Incident Status Location

Adware:adware/securityerror Not disinfected C:\Documents and settings\SARAH\Favorites\Antivirus Test Online.url
Dialer:dialer.xd Not disinfected c:\windows\switchagreement.txt
Adware:adware/exact.bargainbuddy Not disinfected Windows Registry
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/ncase Not disinfected Windows Registry
Adware:adware/mediatickets Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Possible Virus. Not disinfected C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix\swsc.exe
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\SARAH\Cookies\[email protected][1].txt
Possible Virus. Not disinfected C:\WINDOWS\F?

nts\alg.exe
hijackthis log
Logfile of HijackThis v1.99.1
Scan saved at 18:24:03, on 29/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\SARAH\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\NT\nrcs.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5DE1C218-23CA-44B7-AADF-C9E3D3737981} - C:\WINDOWS\System32\wdllfuf-32.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1162127953195
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\kbdgm.dll
O20 - Winlogon Notify: winilc32 - winilc32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Windows Vista/NT Runtime Compatibility Service (ntrcs) - Unknown owner - C:\WINDOWS\NT\nrcs.exe (file missing)
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
  • 0

#7
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
* Click here to download ATF Cleaner by Atribune and save it to your desktop.


* Click Here and download Killbox and save it to your desktop.


* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.


* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\NT\nrcs.exe

O2 - BHO: (no name) - {5DE1C218-23CA-44B7-AADF-C9E3D3737981} - C:\WINDOWS\System32\wdllfuf-32.dll (file missing)

O20 - AppInit_DLLs: C:\WINDOWS\System32\kbdgm.dll

O20 - Winlogon Notify: winilc32 - winilc32.dll (file missing)



* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Double-click on Killbox.exe to run it.
  • Put a tick by Standard File Kill.
  • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

    C:\WINDOWS\NT\nrcs.exe

    c:\windows\switchagreement.txt

    C:\WINDOWS\System32\kbdgm.dll


  • Click on the button that has the red circle with the X in the middle after you enter each file.
  • It will ask for confimation to delete the file.
  • Click Yes.
  • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
  • Killbox may tell you that one or more files do not exist.
  • If that happens, just continue on with all the files. Be sure you don't miss any.
  • Exit the Killbox.
* Run ATF Cleaner:
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use Firefox:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
[*]Click Exit on the Main menu to close the program.
[/list]* Restart back into Windows normally now.


* Go to Start > Run and type in cmd

Click OK

This will open a command shell. In the command window Copy and Paste the following commands one at a time exactly as the appear below and hit the Enter key after each one:

Copy and Paste:

sc stop ntrcs

Hit Enter

Copy and Paste:

sc delete ntrcs

Hit Enter

Type exit then hit enter again to exit the command window.




* Go here and do the BitDefender online virus scan.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results"
  • Save the report to your desktop then come back here and attach it to your next reply along with a new Hijack This log..

Edited by Flrman1, 29 October 2006 - 03:15 PM.

  • 0

#8
andr3w266

andr3w266

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
done all the things you mentioned and attaching new hijackthis log and bitdefender report

Logfile of HijackThis v1.99.1
Scan saved at 18:51:54, on 30/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\SARAH\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1162127953195
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Attached Files


  • 0

#9
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
How is everything now?
  • 0

#10
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP