Unknown Hijack


  • This topic is locked

#1 Felix Osborn (New Member, 6 posts)

Thanks in advance for your help.
I have not been able to follow all the steps you wanted but I have managed to get in a few of them.
All the .EXE and .LNK files open Ad-watch.
I have managed to run ATF Cleaner, NOD32 and HiJackThis.
To be able to do this I had to open Task Manager, then tell it to run a new task. Then, once I had told it which program to run, it popped up with the "search the web or select a program to run this file" thingumy.
(Please excuse my lame terminology and spelling)
I then had to browse to and reselect the appropriate program again.
I am having to use either my PSP or my neighbour's computer to access the internet, so my responses may be slow.
Any help would be much appreciated.
Thank you very much for any help.



Logfile of HijackThis v1.99.1
Scan saved at 17:49:49, on 30/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\diana\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {A8DDD0FF-F428-C2D8-F382-A248F2137F40} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Popup Blocker - Add to Black List - C:\Program Files\iolo\System Mechanic Professional 6\AddToPSBlackList.htm
O8 - Extra context menu item: Popup Blocker - Add to White List - C:\Program Files\iolo\System Mechanic Professional 6\AddToPSWhiteList.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {43331111-1111-1111-1111-611111195622} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Yet again thanks in advance for any help.
Regards
Felix Osborn

#2 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)

Hello Felix/Diana and welcome to Geeks to Go

Apologies for your wait.

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PCs (family PCs) present a different problem; please tell me if your PC has more than one individual's settings, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! (Click the Options drop down near the upper right of the topic. Select Print this topic.)

You have quite a mixture of malware. Let’s see what we can do.

I notice that you have MSN Messenger plus installed. The file msgplus.exe is distributed as a third party MSN extension. However it is also spyware if installed with the sponsor programme it offers to install. If this optional sponsor programme was installed, this process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising pop-ups.

Please uninstall it until your PC has been declared clean, then you can if you wish download a fresh copy, but this time read the EULA and do not grant permission for the third party software.

See this link for further information: http://msmvps.com/bl...4/08/89789.aspx

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

CCleaner
AVG AntiSpyware
combofix.exe

Please install, and update AVG Anti Spyware
  • Load AVGas and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Please select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Deselect "Only if threats were found"
  • Close AVGas. Do not run it yet.
Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:

Safe Mode

  • In Safe Mode, load AVGas and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be patient.
  • AVGas will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVGas will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (I suggest the Desktop).
  • Please ensure you post that log in your reply.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {A8DDD0FF-F428-C2D8-F382-A248F2137F40} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {43331111-1111-1111-1111-611111195622} -
O20 - AppInit_DLLs: MsgPlusLoader.dll

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into normal mode.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the Windows tab, and under the heading of Applications, Utilities uncheck AVGas Anti-Spyware, then click Analyze > Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues, then Scan for issues, then Fix selected issues.

Double click combofix.exe & follow the prompts.

When it has finished, it will produce a log. Please post that log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Post back a fresh HijackThis log (from normal mode) and I will take another look. (3 logs in total please).
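The entries Crustyoldbloke ticked for "Fix checked" follow a small set of rules (blanked R0 values, an O2 BHO whose DLL reads "(no file)", the O14 IERESET.INF override, O16 DPF entries with no source URL, any O20 AppInit_DLLs value). The script below is an added example, not code from the thread or from HijackThis, that applies those inferred rules to an excerpt of the log posted in #1; the rule set and the `Finding` type are this example's own.

```python
"""Triage a HijackThis v1.99 log with the rules the helper applied in this thread.

Added example, not code from the thread or from HijackThis. The rules are
inferred from which entries the helper told the poster to fix; entries the
helper left alone (R1 with a URL, the Spybot "(no name)" BHO that still has
its DLL, the Panda O16 with a download URL) must NOT be flagged.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Every HijackThis entry starts "R0 - ", "O16 - ", ...; headers and the
# running-process list do not match and are skipped.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O16 body: "DPF: {CLSID} (optional friendly name) - <source URL>"
O16_BODY = re.compile(r"^DPF: \{[^}]+\}(?: \([^)]*\))? -\s*(?P<source>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    line: str
    reason: str


def classify(section: str, body: str) -> Optional[str]:
    """Return a reason if this entry should be ticked for 'Fix checked', else None."""
    if section == "R0":
        # "HKCU\...\Main,Start Page =" with nothing after '=': the page was blanked
        _, _, value = body.partition("=")
        return "R0 with empty value" if value.strip() == "" else None
    if section == "O2":
        # CLSID still registered but the BHO's DLL is gone
        return "BHO with missing DLL" if body.rstrip().endswith("(no file)") else None
    if section == "O14":
        # IERESET.INF decides what 'Reset Web Settings' restores; the helper flagged it
        return "IERESET.INF START_PAGE_URL override"
    if section == "O16":
        m = O16_BODY.match(body)
        if m and m.group("source").strip() == "":
            return "Downloaded Program File with no source URL"
        return None
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        # Anything in AppInit_DLLs is loaded into every process that links user32
        return "AppInit_DLLs entry"
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk a pasted HJT log and collect the entries to tick."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        reason = classify(m.group("section"), m.group("body"))
        if reason:
            findings.append(Finding(m.group("section"), line, reason))
    return findings


# Excerpt of the log posted in #1, with unflagged lines kept on purpose.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A8DDD0FF-F428-C2D8-F382-A248F2137F40} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {43331111-1111-1111-1111-611111195622} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason:<42} {f.line}")
```

Run against the full log in #1 it reproduces the helper's thirteen-line fix list; the lines it skips are the same ones the helper left in place.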

#3 Felix Osborn (Topic Starter, New Member, 6 posts)

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:48:27 06/01/2007

+ Scan result:



HKU\S-1-5-21-1801674531-746137067-1343024091-500\Software\New.net -> Adware.NewDotNet : Ignored.
:mozilla.97:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.21:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.22:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.23:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.26:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.13:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.53:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.54:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.55:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.56:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.57:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.58:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.59:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.60:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.30:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.71:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.72:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.73:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.74:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.68:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.69:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.70:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.95:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.94:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.96:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.67:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.61:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.62:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.63:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.64:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\diana\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\All Users\Desktop\Bits&Pieces\Eset[1][1].NOD32.Antivirus.Administrator.Edition.v2.50.16.PROPER.R.ZIP/Eset.NOD32.Antivirus.Administrator.Edition.v2.50.16.PROPER.READ.NFO.REPACK-DVT/DVT/NOD32.exe -> Trojan.Crack.h : No action taken.



::Report end

I'm afraid I lost the CC log. I was reading too far ahead in your message. Really sorry.
Whilst attempting to run ComboFix (still having to use the awkward way round, using the Task Manager to get anything to run), it came up with the error message:

"regedit.exe"
"This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel."

Then whilst scanning it said the same thing again.

It did manage to run though, but I don't know if it worked completely.
Here's the log.



diana - 09/01/2007 20:17:41.11 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\All Users\Desktop"
Command switches used :: "C:\Documents and Settings\All Users\Desktop\combofix.exe"

((((((((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009/01/2007 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2014/11/2002 11:17 179712 --ah----- C:\WINDOWS\SYSTEM32\DRIVERS\WLMEL51B.SYS
2011/07/2005 14:46 372480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\BCMWL5.SYS
2010/06/2005 05:09 139528 --ah----- C:\WINDOWS\SYSTEM32\DRIVERS\rdpwd.sys
2010/05/2005 01:17 332544 --ah----- C:\WINDOWS\SYSTEM32\DRIVERS\srv.sys
2009/03/2006 15:29 3650368 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys
2009/01/1996 10:38 283648 --ah----- C:\WINDOWS\uninst.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000002

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Printing Migration"="rundll32.exe C:\\WINDOWS\\System32\\spool\\migrate.dll,ProcessWin9xNetworkPrinters"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"Printing Migration"="rundll32.exe C:\\WINDOWS\\System32\\spool\\migrate.dll,ProcessWin9xNetworkPrinters"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"CDRAutoRun"=hex:00,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"AtiPTA"="Atiptaxx.exe"
"ICSDCLT"="C:\\WINDOWS\\SYSTEM32\\RUNDLL32.EXE C:\\WINDOWS\\SYSTEM32\\ICSDCLT.DLL,ICSClient"
"PMXInit"="C:\\WINDOWS\\SYSTEM32\\PMXINIT.EXE -SetupRunOnce"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"C-Media Mixer"="Mixer.exe /startup"
"EPSON Stylus C84 Series"="C:\\WINDOWS\\SYSTEM32\\E_S10IC2.EXE /P23 \"EPSON Stylus C84 Series\" /O5 \"LPT1:\" /M \"Stylus C84\""
"InCD"="C:\\Program Files\\ahead\\InCD\\InCD.exe"
"LoadQM"="loadqm.exe"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Alcatel\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 09/01/2007 20:20:34.34
C:\ComboFix.txt ... 09/01/2007 20:20

Sorry it has taken me a while to get this far. I have had a very busy few days and haven't had a chance to touch the computer.

Thanks for the help. Just hope we can get it sorted.

#4 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)

Hello again Diana

No problem with the short wait, my system closes threads after 10 days of inactivity.

The 3 logs were: AVG, ComboFix and HJT.

The AVG log shows the bad stuff and if you look at the end of each line you will see "No action taken". This is because you did not set it up correctly, so all the bad stuff is still there. Please reread the instructions and run the scan again.

Combofix doesn't look right to me, so I think we will have to correct your system before running that again.

The HJT log I didn't get.

You appear to have lost some associations, so we can fix that (I hope) with SFC.

Please run System File Checker, to make sure all of your protected files are not corrupt. The scan will automatically replace any corrupt files that it finds.

Click Start
Select Run
At the prompt type sfc /scannow. Please note that there is a single space between sfc and /scannow.

Typing this will start the programme, and a box should appear telling you how much longer the process should take.

Sometimes the scan will prompt you for your Windows XP disc upon starting the scan. If this happens, please make sure that you can view protected files: My Computer > Tools > Folder Options > View > uncheck "Hide protected operating system files".
Then rerun the scan.

Once the scan is complete:

Check your Windows Updates! After using the File Protection Service, you might need to reapply some updates.

Please reboot, and let me know if anything has changed.

Also, please rehide the protected files: My Computer > Tools > Folder Options > View > check "Hide protected operating system files".
No Windows CD? See here: No Windows CD

To fix the missing XP files, download this programme to your desktop

XP Home:

Missing Files XP Home

XP Professional:

Missing Files XP Pro.

Double-click the programme on your desktop to install the missing files.

Reboot normally and try ComboFix again.

Please post the three logs as above: AVGas, ComboFix and HJT.
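The point made above about the first AVG report, that every line ends in "No action taken" (or "Ignored") so nothing was actually removed, is easy to miss in a long report. The script below is an added example, not code from the thread or from AVG Anti-Spyware, that parses the report's `<object> -> <detection> : <action>.` lines, classifies where each detection lives and lists what is still outstanding; the `Detection` type, `object_kind` categories and the remediated-action prefixes are this example's assumptions, checked against the three action strings that appear in this thread.

```python
"""Audit an AVG Anti-Spyware scan report for detections that were not cleaned.

Added example, not code from the thread or from AVG. Each result line has the
shape "<object> -> <detection> : <action>." and the action tells you whether
the scanner did anything. "No action taken" and "Ignored" both mean the item
is still on the machine, which is what the helper points out in #4.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

REPORT_LINE = re.compile(r"^(?P<obj>.+?) -> (?P<detection>[^:]+?) : (?P<action>.+?)\.?$")
# Action prefixes that mean the scanner actually removed or isolated the item
# (assumed set; "Cleaned with backup (quarantined)" is the one seen in #5).
REMEDIATED_PREFIXES = ("Cleaned", "Quarantined", "Deleted")


@dataclass(frozen=True)
class Detection:
    obj: str
    name: str
    action: str
    kind: str

    @property
    def remediated(self) -> bool:
        return self.action.startswith(REMEDIATED_PREFIXES)


def object_kind(obj: str) -> str:
    """Where the detection lives decides how it gets cleaned up."""
    if obj.startswith(("HKU\\", "HKLM\\", "HKCU\\", "HKEY_")):
        return "registry"
    if obj.startswith(":mozilla."):
        # ':mozilla.N:<profile>\cookies.txt' is one record inside Firefox's cookies.txt
        return "firefox-cookie"
    if "/" in obj:
        # a member inside a ZIP; the archive on disk is the real object to deal with
        return "archive-member"
    return "file"


def parse_report(text: str) -> List[Detection]:
    out = []
    for raw in text.splitlines():
        m = REPORT_LINE.match(raw.strip())
        if m:
            obj = m.group("obj")
            out.append(Detection(obj, m.group("detection"), m.group("action"), object_kind(obj)))
    return out


def outstanding(text: str) -> List[Detection]:
    """Detections the scanner listed but did not clean: still present on the machine."""
    return [d for d in parse_report(text) if not d.remediated]


def summary(text: str) -> Dict[str, int]:
    """Outstanding detections counted by name, the thing to compare between runs."""
    return dict(Counter(d.name for d in outstanding(text)))


# Constructed sample: four result lines taken from the report in #3 and the
# single "Cleaned" line from the rerun in #5, so both outcomes are present.
SAMPLE_REPORT = r"""
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Scan result:

HKU\S-1-5-21-1801674531-746137067-1343024091-500\Software\New.net -> Adware.NewDotNet : Ignored.
:mozilla.97:C:\Documents and Settings\diana\Application Data\Mozilla\Firefox\Profiles\n0geb6k7.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\diana\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\All Users\Desktop\Bits&Pieces\Eset[1][1].NOD32.Antivirus.Administrator.Edition.v2.50.16.PROPER.R.ZIP/Eset.NOD32.Antivirus.Administrator.Edition.v2.50.16.PROPER.READ.NFO.REPACK-DVT/DVT/NOD32.exe -> Trojan.Crack.h : No action taken.
HKU\S-1-5-21-1801674531-746137067-1343024091-500\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).

::Report end
"""

if __name__ == "__main__":
    for d in outstanding(SAMPLE_REPORT):
        print(f"{d.kind:<15} {d.name:<28} {d.action}")
    print("outstanding by name:", summary(SAMPLE_REPORT))
```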

#5 Felix Osborn (Topic Starter, New Member, 6 posts)

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 22:54:47 10/01/2007

+ Scan result:



HKU\S-1-5-21-1801674531-746137067-1343024091-500\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).


::Report end



Administrator - 10/01/2007 23:07:32.86 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Administrator\Desktop"
Command switches used :: "C:\Documents and Settings\Administrator\Desktop\combofix.exe"

((((((((((((((((((((((((((((((( Files Created from 2009-12-07 to 2010/01/2007 ))))))))))))))))))))))))))))))))))


2010/01/2007 23:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2010/01/2007 23:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2010/01/2006 12:08 98,304 --a------ C:\WINDOWS\SYSTEM32\lffax13n.dll
2010/01/2006 12:08 69,632 --a------ C:\WINDOWS\SYSTEM32\lfgif13n.dll
2010/01/2006 12:08 57,344 --a------ C:\WINDOWS\SYSTEM32\lfbmp13n.dll
2010/01/2006 12:08 462,848 --a------ C:\WINDOWS\SYSTEM32\ltkrn13n.dll
2010/01/2006 12:08 450,560 --a------ C:\WINDOWS\SYSTEM32\ltimg13n.dll
2010/01/2006 12:08 401,408 --a------ C:\WINDOWS\SYSTEM32\lfcmp13n.dll
2010/01/2006 12:08 299,008 --a------ C:\WINDOWS\SYSTEM32\ltdis13n.dll
2010/01/2006 12:08 206,336 --a------ C:\WINDOWS\SYSTEM32\ltefx13n.dll
2010/01/2006 12:08 163,840 --a------ C:\WINDOWS\SYSTEM32\ltfil13n.dll
2010/01/2006 12:08 155,648 --a------ C:\WINDOWS\SYSTEM32\lftif13n.dll
2010/01/2006 12:08 1,693,696 --a------ C:\WINDOWS\SYSTEM32\ltclr13n.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2014/11/2002 11:17 179712 --ah----- C:\WINDOWS\SYSTEM32\DRIVERS\WLMEL51B.SYS
2011/07/2005 14:46 372480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\BCMWL5.SYS
2010/06/2005 05:09 139528 --ah----- C:\WINDOWS\SYSTEM32\DRIVERS\rdpwd.sys
2010/05/2005 01:17 332544 --ah----- C:\WINDOWS\SYSTEM32\DRIVERS\srv.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,10,03,00,00,15,01,00,00,e0,00,00,00,d6,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Printing Migration"="rundll32.exe C:\\WINDOWS\\System32\\spool\\migrate.dll,ProcessWin9xNetworkPrinters"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"Printing Migration"="rundll32.exe C:\\WINDOWS\\System32\\spool\\migrate.dll,ProcessWin9xNetworkPrinters"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:95,00,00,00
"CDRAutoRun"=hex:00,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"AtiPTA"="Atiptaxx.exe"
"ICSDCLT"="C:\\WINDOWS\\SYSTEM32\\RUNDLL32.EXE C:\\WINDOWS\\SYSTEM32\\ICSDCLT.DLL,ICSClient"
"PMXInit"="C:\\WINDOWS\\SYSTEM32\\PMXINIT.EXE -SetupRunOnce"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"C-Media Mixer"="Mixer.exe /startup"
"EPSON Stylus C84 Series"="C:\\WINDOWS\\SYSTEM32\\E_S10IC2.EXE /P23 \"EPSON Stylus C84 Series\" /O5 \"LPT1:\" /M \"Stylus C84\""
"InCD"="C:\\Program Files\\ahead\\InCD\\InCD.exe"
"LoadQM"="loadqm.exe"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Alcatel\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 10/01/2007 23:08:17.73
C:\ComboFix2.txt ... 09/01/2007 20:20
C:\ComboFix.txt ... 10/01/2007 23:08




Logfile of HijackThis v1.99.1
Scan saved at 23:18:44, on 10/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
e:\Program Files\ewido anti-malware\ewidoctrl.exe
e:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\diana\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE3\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: Popup Blocker - Add to Black List - C:\Program Files\iolo\System Mechanic Professional 6\AddToPSBlackList.htm
O8 - Extra context menu item: Popup Blocker - Add to White List - C:\Program Files\iolo\System Mechanic Professional 6\AddToPSWhiteList.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - e:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - e:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

sfc doesn't run I'm afraid.
Tried it every way I could think of.
A small window flashes up but then disappears before I can do anything.
Tried it in safe mode.
Only one thing turned up in AVG this time....strange.
I'm getting more and more confused by this as the days go on!

Oh and by the way the name is Felix.
Diana is my mother's name, whose computer I am attempting to save from her clutches.
Thanks again for helping and being patient with me.
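A log in this format is usually triaged by hand, entry by entry. The following is an added example, not a tool from this thread or from the HijackThis project: a small parser for HijackThis 1.99.1 log lines that pulls out the section code, CLSID and file path of each entry and flags the patterns a helper looks at first (a registered component whose file is missing, an unnamed BHO, an O16 ActiveX download, a service with an unknown owner, and a run entry whose binary lives under a user profile or temp folder). The sample input is taken from the log above, plus one constructed O4 entry (the `updater.exe` line) added purely to exercise the profile-path rule; the triage rules and thresholds are my own assumptions, not the project's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input in HijackThis 1.99.1 format. All lines except the "[Updater]" one are
# copied from the log in this thread; the "[Updater]" line is constructed for the example.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Updater] C:\Documents and Settings\diana\Local Settings\Temp\updater.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# "<section> - <body>" is the shape of every HJT entry line; headers and process lists don't match.
HJT_LINE = re.compile(r"^(?P<section>R\d|F\d|N\d|O\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First Windows path on the line ending in a binary/cab/htm extension (spaces allowed, stops at a quote).
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s][^"]*?\.(?:exe|dll|cab|htm)', re.IGNORECASE)

# Assumed rule: startup entries launched from a user profile or temp directory deserve a second look.
SUSPECT_DIRS = ("\\documents and settings\\", "\\local settings\\", "\\temp\\", "\\recycler\\")


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str]
    path: Optional[str]
    file_missing: bool


@dataclass
class Finding:
    section: str
    target: str   # path, CLSID or raw body, whichever identifies the entry best
    reason: str


def parse_hjt(text: str) -> List[Entry]:
    """Parse HJT entry lines; non-entry lines (headers, process list, blanks) are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        path = WIN_PATH_RE.search(body)
        entries.append(Entry(
            section=m.group("section"),
            body=body,
            clsid=clsid.group(0) if clsid else None,
            path=path.group(0) if path else None,
            file_missing="(file missing)" in body,
        ))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the first-pass checks a log reviewer makes; returns items to investigate, not verdicts."""
    findings = []
    for e in entries:
        target = e.path or e.clsid or e.body
        if e.file_missing:
            findings.append(Finding(e.section, target, "registered component whose file is absent (orphaned or removed)"))
        if e.section == "O2" and e.body.startswith("BHO: (no name)"):
            findings.append(Finding(e.section, target, "unnamed BHO; identify it by CLSID and DLL path"))
        if e.section == "O16":
            findings.append(Finding(e.section, target, "ActiveX download (DPF); confirm the source URL is expected"))
        if e.section == "O23" and "Unknown owner" in e.body:
            findings.append(Finding(e.section, target, "service with no recognised vendor"))
        if e.path and any(d in e.path.lower() for d in SUSPECT_DIRS):
            findings.append(Finding(e.section, target, "runs from a user profile or temp directory"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.section:4} {f.reason}: {f.target}")
```

Everything flagged is a prompt for a reviewer to look up the path, CLSID or vendor, as the helpers in this thread do by hand; the rules say nothing about removal, and a benign entry (the Spybot SDHelper BHO, for instance) will trip the unnamed-BHO rule and be cleared on inspection.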

#6
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Felix

I think my learning curve is about to be swept upwards.

This is weird stuff territory, not your normal malware problem.

I think at this stage I would like to check for Rootkits.

Please download: AVG Anti-Rootkit Beta and save it to your desktop.

Double click the file to install it. Accept the licence and follow the prompts to install and reboot. After rebooting, you should see the icon for AVG Anti-Rootkit Beta on your desktop. Double click it to open the programme. You will see a window with 4 buttons at the bottom of it. Click Search For Rootkits and the programme will start a scan, you will see the progress bar moving from left to right. When the scan is complete, a small window will open alerting you to the result. If anything was found, click Save Result To File and post that in your reply.

If nothing was found, please click the Perform in-depth Search saving anything found to file as before.

#7
Felix Osborn

Felix Osborn

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Installed
Rebooted
Attempted to run....
Error..
Oh yay.
Silly windows error report thing came up.
This is all the info it gave me.

----------------------------------------------------------------
AppName: antirootkit.exe AppVer: 1.0.0.13 ModName: mfc71.dll
ModVer: 7.10.3077.0 Offset: 000130c1
----------------------------------------------------------------

This is getting confusing.

#8
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Felix

*Crustyoldbloke thinks XP is screwed up!

I think we best look at a system repair.

Please follow this link to instructions on repairing Windows XP. I would advise you to print a copy for easy reference.

Repair Windows XP Topic

#9
Felix Osborn

Felix Osborn

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Well, thanks for all your help, but I think we are just going to back up some essential documents and then format.
It's having real issues.
Oh well. On to try and fix the next computer. That one isn't as bad as this one, but it's still a little messed up...
Fancy trying on that one?

#10
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
I don't think you need to do that unless a repair is of no use. It's a bit like calling for an undertaker when you have a cold.

On the subject of your second PC (wealthy family) sure, post a HJT log with an explanation of the problem/s.

Edited by Crustyoldbloke, 14 January 2007 - 06:30 PM.


#11
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.