Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Please Help ~ logfiles posted


  • This topic is locked This topic is locked

#1
DrediKnight

DrediKnight

    Member

  • Member
  • PipPip
  • 11 posts
Thanks for this site and your help!

I have an infection and need assistance. I have followed the steps in the before posting thread and here are the logfiles produced. My connection was cranking like crazy and the inital disinfection process did fix that, but there are still bad things on my machine. Trojan.pakes and Downloader.Zlob came up in the scans. I do not like the disinfection process as it requires me to open IE (firefox user) which reinfects my machine every time, but this probally can't be avoided as the Panda scan seems to need IE. Please take a look at my logs and advise on action to take. Thanks much!


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:42:30 PM 11/2/2006

+ Scan result:



C:\Program Files\M3 GAME Manager\gamesave\bank.dat -> Adware.BetterInternet : Cleaned.
C:\WINNT\system32\regperf.exe -> Downloader.Zlob.ni : Cleaned.
C:\WINNT\system32\dcomcfg.exe -> Downloader.Zlob.nw : Cleaned.
C:\Program Files\FlashFXP\crack.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned.
:mozilla.212:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.213:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.214:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.215:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.216:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.217:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.218:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.219:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.220:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.10:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.13:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.188:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.189:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.190:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.191:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.368:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.370:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.276:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.277:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.278:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\WINNT\servstat32x.exe -> Trojan.Pakes : Cleaned.
C:\WINNT\system32\eraseme_63653.exe -> Trojan.Pakes : Cleaned.


::Report end






Active Scan Log


Incident Status Location

Adware:adware/dloader Not disinfected c:\winnt\system32\msblank.html
Adware:adware/emediacodec Not disinfected c:\winnt\system32\simpole.tlb
Adware:adware/beehappyy Not disinfected c:\winnt\system32\z13.exe
Adware:adware/cws.yexe Not disinfected c:\winnt\inet20057
Adware:adware/yazzlesudoku Not disinfected Windows Registry
Adware:adware/mediatickets Not disinfected Windows Registry
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt[.go.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cp51weiv.default\cookies.txt[searchportal.information.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\smitRem\Process.exe
Possible Virus. Not disinfected C:\Program Files\mIRC\download\neropp.rar[neropp.exe][nero.exe]
Adware:Adware/SecurityError Not disinfected C:\WINNT\system32\hp362A.tmp
Virus:W32/Sdbot.ftp.worm Disinfected C:\WINNT\system32\i


Log end




Hijack this log start

Logfile of HijackThis v1.99.1
Scan saved at 8:30:21 AM, on 11/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\Brmfrmps.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINNT\BQTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Mediafour XPlay Tray Notification Icon] C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [iTunesHelper] __C:\Program Files\iTunes\iTunesHelper.exe__
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Picture to Mobile Phone - C:\Program Files\Pix2Fone\p2fd.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Upload Picture - {A2F93841-DEAB-0392-4958-BA333CF05732} - C:\Program Files\Pix2Fone\p2fup.html (HKCU)
O9 - Extra 'Tools' menuitem: Upload Picture to Mobile Phone - {A2F93841-DEAB-0392-4958-BA333CF05732} - C:\Program Files\Pix2Fone\p2fup.html (HKCU)
O12 - Plugin for .mid: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.pho...hxStudent15.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://thomsonlearn...bex/ieatgpc.cab
O20 - AppInit_DLLs: C:\WINNT\system32\nslookup.dll
O20 - Winlogon Notify: winvnv32 - winvnv32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINNT\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINNT\system32\ZoneLabs\vsmon.exe (file missing)

log end
  • 0

Advertisements


#2
Octagonal

Octagonal

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,528 posts
Hi DrediKnight,

Sorry for the delay the helpers have been busy.

Create an Uninstall list
  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.
Please post the Uninstall List and a fresh HijackThis log for me to review.

Thanks.
  • 0

#3
DrediKnight

DrediKnight

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Thanks for your help. Here's the file:


"Minimal SYStem 1.0.10"
7-Zip 4.42
Abacast Client
AC3Filter (remove only)
Ace Utilities 2.3.0
Ad-Aware SE Personal
Adobe Acrobat 4.0
Adobe Reader 6.0.1
Advanced Random Password Generator
American History Lux Demo 1.0
Arusoft Password Generator 2.1
Atomica Deluxe 2.52
Avalanche (remove only)
AVG Anti-Spyware 7.5
avi.NET v2.1.5.0
AviSynth 2.5
Barca 2 (Build 3350)
Better File Series 4.7
Big Balloon Blowout
Big Fish Games Toolbar
BingoCaller
Bink and Smacker
BitTorrent 4.0.4
BlazeDVD 4.0 Professional
BookWorm Deluxe 1.03
Brad Smith Easy SFV Creator
Brother Drivers
Brother MFL-Pro Suite
BurnQuick Data/Audio CD Burner
Cakewalk Guitar Studio 1.0
Candy Crisis
CCScore
CDex extraction audio
CDisplay 1.8
CityDesk
CleanUp!
Combined Community Codec Pack 2006-07-28 (Remove Only)
ComScire PCQNG 2.0.2
Conquest 3.0
Curator Defense
dBpowerAMP DirectShow Decoder Codec
dBpowerAMP Music Converter
dBPowerAMP Real Audio Encoder R3
devkitProUpdater 1.3.4
Digi Pool V1.0 Trial
Diner Dash
Diner Dash (remove only)
Disc Golf Pro (demo)
DivX
DivX Converter
DivX Player
DVD Copy Gold
DVD Decrypter (Remove Only)
Easy CD Creator 5 Platinum
Elasto Mania
Electric
eMule
Entropia Universe
EphPod
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
ESSvpaht
ESSvpot
EvoX Skin Creator
EvoX Skinner 1.2.7
ewido security suite
EzeePDF 3.5
FileMaker Pro 6
FLAC Installer 1.1.2a (remove only)
FlashFXP
FlightZip 2000
FlightZip 2000 (C:\Program Files\FlightZip 2000\)
Fractal eXtreme
Fs Sky World
Funky Farm
Google Earth
Google Talk (remove only)
Google Toolbar for Internet Explorer
GrabIt 1.4.7 Beta
Graphmatica
Hamsterball
Hex Workshop
HijackThis 1.99.1
HLPIndex
HLPSFO
Huffyuv AVI lossless video codec (Remove Only)
Insaniquarium Deluxe 1.0
Inspiration 7.5
InterVideo WinDVD
iStory Creator 3.95 BETA
iTunes
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
Jaws PDF Editor 3.0
JGsoft EditPad Lite 6.0.0
Kaspersky Anti-Virus Web Scanner
Kodak EasyShare software
KSU
LasVegasTycoon
Lux
Macromedia Dreamweaver 3
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Fireworks MX 2004
Macromedia Flash 4
Macromedia Flash MX 2004
Macromedia Flash Player 8
Macromedia FreeHand MXa
Macromedia Shockwave Player
MalWhere (remove only)
Masking Password Generator Pro 3.0.16
Match Maker
MediaCoder 0.5.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft AntiSpyware
Microsoft Data Access Components KB870669
Microsoft Internet Explorer 6 SP1
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office Live Meeting 2005
Microsoft Office Professional Edition 2003
Microsoft VGX Q833989
Microsoft XML Parser and SDK
mkw Audio Compression Toolkit
Mozilla Firefox (1.5.0.8)
Mozilla Thunderbird (1.0.7)
MSXML4 Parser
Nero 6 Ultra Edition
Netscape Communicator 4.79
NoLimits Coasters Demo 1.31 (remove only)
Notepad++
Notifier
NVIDIA Drivers
NVIDIA WDM Drivers
OfotoXMI
Opera
OTtBP
OTtBPSDK
Outlook Express Q823353
palmOne
Panda ActiveScan
PaperlessPrinter version 3.0
PaperPort
Passwords by Mask
PCFriendly
Photo Resizer 1.06 (Free version)
Pixelus Deluxe 1.0
POImport Utility 1.1
Pop-Up Stopper Free Edition
PowerDVD
PowerISO
PrintFolder Pro (Trial Version)
QuickSFV (Remove only)
QuickTime
Random Number Generator Pro
Real Alternative 1.45 Beta 1
RealPlayer
Realtek AC'97 Audio
Rename It 3.0
RiskII
RMS_Import
Rock & Roll JEOPARDY! (remove only)
Rocket Mania Deluxe 1.02
RTLSetup
SDP Downloader
Sentinel 2.0
SFR
SHASTA
Shockwave
SiS Audio Driver
SKIN0001
SKINXSDK
SmartUSB56 Voice Modem
Sonic Foundry Sound Forge 6.0
Sony Sound Forge 7.0
Spybot - Search & Destroy 1.4
Spyware Doctor 3.8
Squares
Star Wars Empire at War Demo
Starship Tycoon Demo
Starship Tycoon Full
Super Tank version 1.2
SuperCool Random Number Generator V1.04 (Build 4)
Terminal Services Client
TrackManiaDemoBeta1
Trains (remove only)
Trend Micro Anti-Spyware
Tribal Trouble
Truly Random 1.10
UltraISO 6.0
Undisker
Videora iPod Converter 0.91
VPRINTOL
War Games Construction Kit
WebEx
Winamp (remove only)
Windows 2000 Hotfix - KB329115
Windows 2000 Hotfix - KB822831
Windows 2000 Hotfix - KB823182
Windows 2000 Hotfix - KB823559
Windows 2000 Hotfix - KB823980
Windows 2000 Hotfix - KB824105
Windows 2000 Hotfix - KB824146
Windows 2000 Hotfix - KB826232
Windows 2000 Hotfix - KB828035
Windows 2000 Hotfix - KB828741
Windows 2000 Hotfix - KB828749
Windows 2000 Hotfix - KB835732
Windows 2000 Hotfix - KB837001
Windows 2000 Hotfix - KB839645
Windows 2000 Hotfix - KB840987
Windows 2000 Hotfix - KB841356
Windows 2000 Hotfix - KB841533
Windows 2000 Hotfix - KB841872
Windows 2000 Hotfix - KB841873
Windows 2000 Hotfix - KB842526
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB871250
Windows 2000 Hotfix - KB873333
Windows 2000 Hotfix - KB873339
Windows 2000 Hotfix - KB885250
Windows 2000 Hotfix - KB885835
Windows 2000 Hotfix - KB885836
Windows 2000 Hotfix - KB888113
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB890859
Windows 2000 Hotfix - KB891781
Windows 2000 Hotfix - KB893066
Windows 2000 Hotfix - KB893086
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB894320
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896727
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899588
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix (SP5) Q818043
Windows Installer 3.1 (KB893803)
Windows Media Player Hotfix [See wm828026 for more information]
Windows Media Player system update (9 Series)
WinRAR archiver
WinZip
WIRELESS
World Empire V
WriteExpress Rhymer and Phonetic Finder
XLink Kai Evolution 7
XnView 1.82.4
XPlay 2
ZipScan Evaluation
ZoneAlarm
Zuma Deluxe 1.0
  • 0

#4
Octagonal

Octagonal

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,528 posts
Hi DrediKnight,

Looks like you have forgotten to include the fresh HijackThis log that I also asked for. Please post a new HijackThis log for me to review.

Thanks.
  • 0

#5
DrediKnight

DrediKnight

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Logfile of HijackThis v1.99.1
Scan saved at 2:58:52 PM, on 11/12/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\Brmfrmps.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINNT\BQTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Mediafour XPlay Tray Notification Icon] C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [iTunesHelper] __C:\Program Files\iTunes\iTunesHelper.exe__
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Picture to Mobile Phone - C:\Program Files\Pix2Fone\p2fd.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Upload Picture - {A2F93841-DEAB-0392-4958-BA333CF05732} - C:\Program Files\Pix2Fone\p2fup.html (HKCU)
O9 - Extra 'Tools' menuitem: Upload Picture to Mobile Phone - {A2F93841-DEAB-0392-4958-BA333CF05732} - C:\Program Files\Pix2Fone\p2fup.html (HKCU)
O12 - Plugin for .mid: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.pho...hxStudent15.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://thomsonlearn...bex/ieatgpc.cab
O20 - AppInit_DLLs: C:\WINNT\system32\nslookup.dll
O20 - Winlogon Notify: winvnv32 - winvnv32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINNT\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINNT\system32\ZoneLabs\vsmon.exe (file missing)
  • 0

#6
Octagonal

Octagonal

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,528 posts
Hi DrediKnight,

I ask you not to visit any p0rn or crack sites or download any of this type of material whilst we are cleaning your computer. Not adhering to this leaves your system wide open to further infection and makes my job here more difficult. If you do not follow this advice I will cease to help you as we would be both just wasting our time.

You will need to print out a copy of these instructions, or save them to NotePad and put a shortcut to the file on the desktop so that you can refer to while you complete this procedure.

Please download the Killbox by Option^Explicit and save it to your desktop.

Note: In the event you already have Killbox, this is a new version that I need you to download.

Don't do anything with KillBox yet, we will use this program shortly.

Be sure to update AVG Anti-Spyware to the latest definition files.
  • Open AVG Anti-Spyware
  • On top of the main screen click the Update icon.
  • Then click on Manual Update button.
The update will start and the progress bar will show the updates being installed.
(When complete the status area at the top will display ("Update successful" or "No Update Available")

If you are having problems with the updater, you can use this link to manually update AVG Anti-Spyware.

Make sure that these settings are set.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. We will run the scan shortly.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
    • C:\Program Files\mIRC\download\neropp.rar
  • Click on the submit button
  • Please post the results in your next reply.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O20 - AppInit_DLLs: C:\WINNT\system32\nslookup.dll
O20 - Winlogon Notify: winvnv32 - winvnv32.dll (file missing)

Now close all windows other than HiJackThis (including any browser windows), then click Fix Checked.

Please double-click Killbox.exe to run it.
  • Select: Delete on Reboot then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\system32\nslookup.dll
    c:\winnt\system32\msblank.html
    c:\winnt\system32\simpole.tlb
    c:\winnt\system32\z13.exe
    C:\WINNT\system32\hp362A.tmp
    C:\WINNT\system32\winvnv32.dll
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!)
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Boot into Safe Mode: You can do this by restarting your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please delete the following using Windows Explorer (if present):

c:\winnt\inet20057
C:\WINNT\system32\i << Could be a file or folder

Open AVG Anti-Spyware.

IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
Please do an online scan with Kaspersky WebScanner

Please note: You must use Internet Explorer for this as it uses an ActiveX component.

This scan may take a while to complete, so please be patient and let it finish.

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    [color="#009900"]Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post the requested logs and Jotti's results along with a fresh HijackThis log. Also let me know how your system is now behaving (any pop-ups, slowness etc.)

Thanks.
  • 0

#7
DrediKnight

DrediKnight

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Ok, I hit a snag here
When trying to use Jotti's malware scan to uplaod and scan C:\Program Files\mIRC\download\neropp.rar
I got this message: The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file


I did have the file
c:\winnt\inet20057 and deleted it

I did not have
C:\WINNT\system32\i

But did have some files such as
C:\WINNT\0
C:\WINNT\=
C:\WINNT\A
and one with that same path with the file name of a box shaped letter. I deleted those as well as they looked like they did not belong.

I followed the rest of the directions and here are the logs. Thanks for helping

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:16:41 AM 11/13/2006

+ Scan result:



Nothing found.


::Report end








*KASPERSKY ONLINE SCANNER REPORT*
Monday, November 13, 2006 7:05:53 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4
(Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 13/11/2006
Kaspersky Anti-Virus database records: 240895

*Scan Settings*
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
*Scan Target* My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
*Scan Statistics*
Total number of scanned objects 149823
Number of viruses found 6
Number of infected objects 11 / 0
Number of suspicious objects 0
Duration of the scan process 16:55:10


*Infected Object Name* *Virus Name* *Last Action*
C:\!KillBox\simpole.tlb Infected: Trojan-Downloader.Win32.Zlob.nw skipped
C:\Documents and
Settings\Administrator\.housecall\Quarantine\java.jar-cb66fa7-1486a7e3.zip.bac_a00772/Installer.class
Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and
Settings\Administrator\.housecall\Quarantine\java.jar-cb66fa7-1486a7e3.zip.bac_a00772
ZIP: infected - 1 skipped
C:\Documents and
Settings\Administrator\.housecall\Quarantine\java.jar-cb66fa7-1486a7e3.zip.bac_a00772
CryptFF.b: infected - 1 skipped
C:\Documents and
Settings\Administrator\.housecall\Quarantine\reglogs.dll.bac_a00772
Infected: not-virus:Hoax.Win32.Renos.cz skipped
C:\Documents and
Settings\Administrator\.housecall\Quarantine\winvnv32.dll.bac_a00772
Infected: Trojan.Win32.Agent.qt skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is
locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local
Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local
Settings\Temp\~DFFE73.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary
Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked
skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is
locked skipped
C:\Program Files\mIRC\mirc.exe Infected:
not-a-virus:Client-IRC.Win32.mIRC.612 skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\mtuninst.exe/EXE-file Infected:
not-a-virus:AdWare.Win32.MediaTickets.u skipped
C:\WINNT\mtuninst.exe Embedded EXE: infected - 1 skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\security\edb.log Object is locked skipped
C:\WINNT\security\tmp.edb Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked
skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_6a0.dat Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
F:\Xbox\mirc612.exe/data0001.bin Infected:
not-a-virus:Client-IRC.Win32.mIRC.612 skipped
F:\Xbox\mirc612.exe mIRC: infected - 1 skipped
*Scan process completed.*







Logfile of HijackThis v1.99.1
Scan saved at 7:15:05 PM, on 11/13/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\Brmfrmps.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\mobsync.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINNT\BQTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Mediafour XPlay Tray Notification Icon] C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [iTunesHelper] __C:\Program Files\iTunes\iTunesHelper.exe__
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Picture to Mobile Phone - C:\Program Files\Pix2Fone\p2fd.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Upload Picture - {A2F93841-DEAB-0392-4958-BA333CF05732} - C:\Program Files\Pix2Fone\p2fup.html (HKCU)
O9 - Extra 'Tools' menuitem: Upload Picture to Mobile Phone - {A2F93841-DEAB-0392-4958-BA333CF05732} - C:\Program Files\Pix2Fone\p2fup.html (HKCU)
O12 - Plugin for .mid: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.pho...hxStudent15.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://thomsonlearn...bex/ieatgpc.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINNT\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINNT\system32\ZoneLabs\vsmon.exe (file missing)
  • 0

#8
DrediKnight

DrediKnight

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Also my system boots real slow. No popups, but I did not have them before. I am still afraid to open IE. Thanks much.
  • 0

#9
Octagonal

Octagonal

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,528 posts
Hi DrediKnight,

The slowness of booting may not necessarily be related to Malware. I see that you have AVG Anti-Spyware 7.5, Ewido Anti-Spyware, Microsoft AntiSpyware and Spyware Doctor running. Having all of these running at the same time can considerably slow the computer down. I would like you to remove all of these and re-install AVG AntiSpyware so that each of those other programs are completely removed from your system and a fresh copy of AVG Anti-Spyware is installed.

I am unsure if removing Ewido would upset some of the files that AVG Anti-Spyware uses, so that is why I am asking you to uninstall both of these and do the re-installation.

Please go to Start then Control Panel then Add/Remove Programs and remove the following (if present):

AVG Anti-Spyware 7.5
ewido security suite
Microsoft AntiSpyware
Spyware Doctor 3.8


Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program

If you still have the installation file on your desktop please skip the download and install the program using the following instructions.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware,

Be sure that you can view hidden files and folders.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Using Windows Explorer please delete the following Folder:

C:\Documents and Settings\Administrator\.housecall\Quarantine
C:\WINNT\system32\i << Could be a file or folder

Please double-click Killbox.exe to run it.
  • Select: Delete on Reboot then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\mtuninst.exe
    F:\Xbox\mirc612.exe
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!)
If your computer does not restart automatically, please restart it manually and let it boot into Normal Mode..

Download Combofix.exe and save it to your desktop.

Double click combofix.exe & follow the prompts.

When it has finished, it will produce a log. Please post that log in your next reply and let me know how your computer is now behaving.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Thanks.
  • 0

#10
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP