Danger Spyware on Desktop - me too :(


#1 glas002
Hi there everyone. Greetings from the alpine resort town of Queenstown, New Zealand. Like Serphis and other members before me, I too have fallen victim to this one on my home PC. I have a desktop spyware danger warning linking to the SmartSecurity website and continue to experience automated requests to connect to other sites on the web. Also, I can't right-click the remaining desktop icons. New icons for downloads since the infection duplicate on the desktop. :tazz: PLEEEEZE

I am so pleased to have discovered your site and, like many before me, will greatly appreciate your assistance in combating this problem. Thanking you in advance.

I have followed all the prerequisite steps outlined by your site to the letter: downloaded and put Ad-Aware, CWShredder, Spybot and AVG through their respective paces as instructed, followed by an online scan with Panda's ActiveScan.
Updated security patches and ran HijackThis, which produced the log below:

Logfile of HijackThis v1.99.1
Scan saved at 5:55:04 PM, on 4/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program Files\Alcatel\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-nz\msnappau.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\windows\System32\aonu.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xtramsn.co.nz/home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xtra.co.nz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 www.iframedollars.biz
O1 - Hosts: 127.0.0.3 iframedollars.biz
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 www.iframedollars.biz
O1 - Hosts: 127.0.0.3 iframedollars.biz
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 www.iframedollars.biz
O1 - Hosts: 127.0.0.3 iframedollars.biz
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 www.iframedollars.biz
O1 - Hosts: 127.0.0.3 iframedollars.biz
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0002.1001\en-xu\stmain.dll
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\windows\drexinit.dll (file missing)
O2 - BHO: (no name) - {B1B308B2-9607-C8A6-2731-C8A9389F5DC6} - C:\windows\System32\uwrkosu.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0002.1001\en-nz\msntb.dll
O2 - BHO: (no name) - {C9C36654-9873-42AD-BAE7-C5DBF6165B16} - C:\windows\System32\phcnaaa.dll (file missing)
O3 - Toolbar: xtramsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0002.1001\en-nz\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-nz\msnappau.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Kqn] C:\windows\Cro.exe
O4 - HKLM\..\Run: [Poe] C:\windows\Krk.exe
O4 - HKLM\..\Run: [Tts] C:\windows\Tgf.exe
O4 - HKLM\..\Run: [Skk] C:\windows\Fre.exe
O4 - HKLM\..\Run: [Sdn] C:\windows\Ake.exe
O4 - HKLM\..\Run: [Jdi] C:\windows\Knr.exe
O4 - HKLM\..\Run: [Sfo] C:\windows\Boq.exe
O4 - HKLM\..\Run: [Usp] C:\windows\Kcq.exe
O4 - HKLM\..\Run: [Nav] C:\windows\Hvu.exe
O4 - HKLM\..\Run: [Dur] C:\windows\Pmd.exe
O4 - HKLM\..\Run: [Kms] C:\windows\Bsv.exe
O4 - HKLM\..\Run: [Fcv] C:\windows\Pvc.exe
O4 - HKLM\..\Run: [Lhb] C:\windows\Con.exe
O4 - HKLM\..\Run: [Jee] C:\windows\Oeq.exe
O4 - HKLM\..\Run: [Npi] C:\windows\Eae.exe
O4 - HKLM\..\Run: [Sir] C:\windows\System32\Hpj.exe
O4 - HKLM\..\Run: [Mtn] C:\windows\Tgs.exe
O4 - HKLM\..\Run: [Uim] C:\windows\Bqg.exe
O4 - HKLM\..\Run: [Ssa] C:\windows\Ghg.exe
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [Ual] C:\windows\Qrc.exe
O4 - HKLM\..\Run: [Ess] C:\windows\Bbo.exe
O4 - HKLM\..\Run: [Qqk] C:\windows\Onv.exe
O4 - HKLM\..\Run: [Nmm] C:\windows\Ovo.exe
O4 - HKLM\..\Run: [Ide] C:\windows\Bai.exe
O4 - HKLM\..\Run: [Chj] C:\windows\Bsa.exe
O4 - HKLM\..\Run: [Ehh] C:\windows\Fmu.exe
O4 - HKLM\..\Run: [Fch] C:\windows\Qgk.exe
O4 - HKLM\..\Run: [Srp] C:\windows\Qsp.exe
O4 - HKLM\..\Run: [Qlp] C:\windows\Imr.exe
O4 - HKLM\..\Run: [Umg] C:\windows\Pdk.exe
O4 - HKLM\..\Run: [Rpv] C:\windows\Gfa.exe
O4 - HKLM\..\Run: [Uub] C:\windows\Hhv.exe
O4 - HKLM\..\Run: [Gpe] C:\windows\Ekb.exe
O4 - HKLM\..\Run: [Nik] C:\windows\Rbk.exe
O4 - HKLM\..\Run: [Mvg] C:\windows\Ugr.exe
O4 - HKLM\..\Run: [Jbn] C:\windows\Lgh.exe
O4 - HKLM\..\Run: [Dgl] C:\windows\Geb.exe
O4 - HKLM\..\Run: [Ita] C:\windows\Okv.exe
O4 - HKLM\..\Run: [ntkrnlpb] C:\windows\System32 .exe
O4 - HKLM\..\Run: [Opd] C:\windows\Fop.exe
O4 - HKLM\..\Run: [Tgr] C:\windows\Rog.exe
O4 - HKLM\..\Run: [Fon] C:\windows\Cnf.exe
O4 - HKLM\..\Run: [Gtm] C:\windows\Ujd.exe
O4 - HKLM\..\Run: [Dlu] C:\windows\Tdn.exe
O4 - HKLM\..\Run: [Mca] C:\windows\Nig.exe
O4 - HKLM\..\Run: [Ldh] C:\windows\Tjk.exe
O4 - HKLM\..\Run: [Fqk] C:\windows\Vmg.exe
O4 - HKLM\..\Run: [Bmb] C:\windows\Gfe.exe
O4 - HKLM\..\Run: [Oqt] C:\windows\Jss.exe
O4 - HKLM\..\Run: [Php] C:\windows\Drm.exe
O4 - HKLM\..\Run: [Vnl] C:\windows\Slc.exe
O4 - HKLM\..\Run: [Dhd] C:\windows\Ssc.exe
O4 - HKLM\..\Run: [Tjn] C:\windows\Ucf.exe
O4 - HKLM\..\Run: [Rdt] C:\windows\Orn.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Vaa] C:\windows\System32\Umk.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\windows\System32\ntddetect.exe
O4 - HKLM\..\RunServices: [ntkrnlpb] C:\windows\System32 .exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Kqn] C:\windows\Cro.exe
O4 - HKCU\..\Run: [Toti] C:\windows\System32\aonu.exe
O4 - HKCU\..\Run: [Auiyjtc] C:\windows\System32\t?skmgr.exe
O4 - HKCU\..\Run: [Poe] C:\windows\Krk.exe
O4 - HKCU\..\Run: [Tts] C:\windows\Tgf.exe
O4 - HKCU\..\Run: [Skk] C:\windows\Fre.exe
O4 - HKCU\..\Run: [Sdn] C:\windows\Ake.exe
O4 - HKCU\..\Run: [Jdi] C:\windows\Knr.exe
O4 - HKCU\..\Run: [Sfo] C:\windows\Boq.exe
O4 - HKCU\..\Run: [Usp] C:\windows\Kcq.exe
O4 - HKCU\..\Run: [Nav] C:\windows\Hvu.exe
O4 - HKCU\..\Run: [Dur] C:\windows\Pmd.exe
O4 - HKCU\..\Run: [Kms] C:\windows\Bsv.exe
O4 - HKCU\..\Run: [Fcv] C:\windows\Pvc.exe
O4 - HKCU\..\Run: [Lhb] C:\windows\Con.exe
O4 - HKCU\..\Run: [Jee] C:\windows\Oeq.exe
O4 - HKCU\..\Run: [Npi] C:\windows\Eae.exe
O4 - HKCU\..\Run: [Sir] C:\windows\System32\Hpj.exe
O4 - HKCU\..\Run: [Mtn] C:\windows\Tgs.exe
O4 - HKCU\..\Run: [Uim] C:\windows\Bqg.exe
O4 - HKCU\..\Run: [Ssa] C:\windows\Ghg.exe
O4 - HKCU\..\Run: [Ual] C:\windows\Qrc.exe
O4 - HKCU\..\Run: [Ess] C:\windows\Bbo.exe
O4 - HKCU\..\Run: [Qqk] C:\windows\Onv.exe
O4 - HKCU\..\Run: [Nmm] C:\windows\Ovo.exe
O4 - HKCU\..\Run: [Ide] C:\windows\Bai.exe
O4 - HKCU\..\Run: [Chj] C:\windows\Bsa.exe
O4 - HKCU\..\Run: [Ehh] C:\windows\Fmu.exe
O4 - HKCU\..\Run: [Fch] C:\windows\Qgk.exe
O4 - HKCU\..\Run: [Srp] C:\windows\Qsp.exe
O4 - HKCU\..\Run: [Qlp] C:\windows\Imr.exe
O4 - HKCU\..\Run: [Umg] C:\windows\Pdk.exe
O4 - HKCU\..\Run: [Uub] C:\windows\Hhv.exe
O4 - HKCU\..\Run: [Gpe] C:\windows\Ekb.exe
O4 - HKCU\..\Run: [Nik] C:\windows\Rbk.exe
O4 - HKCU\..\Run: [Mvg] C:\windows\Ugr.exe
O4 - HKCU\..\Run: [Jbn] C:\windows\Lgh.exe
O4 - HKCU\..\Run: [Dgl] C:\windows\Geb.exe
O4 - HKCU\..\Run: [Ita] C:\windows\Okv.exe
O4 - HKCU\..\Run: [ntkrnlpb] C:\windows\System32 .exe
O4 - HKCU\..\Run: [Opd] C:\windows\Fop.exe
O4 - HKCU\..\Run: [Tgr] C:\windows\Rog.exe
O4 - HKCU\..\Run: [Fon] C:\windows\Cnf.exe
O4 - HKCU\..\Run: [Dlu] C:\windows\Tdn.exe
O4 - HKCU\..\Run: [Mca] C:\windows\Nig.exe
O4 - HKCU\..\Run: [Ldh] C:\windows\Tjk.exe
O4 - HKCU\..\Run: [Bmb] C:\windows\Gfe.exe
O4 - HKCU\..\Run: [Oqt] C:\windows\Jss.exe
O4 - HKCU\..\Run: [Php] C:\windows\Drm.exe
O4 - HKCU\..\Run: [Vnl] C:\windows\Slc.exe
O4 - HKCU\..\Run: [Dhd] C:\windows\Ssc.exe
O4 - HKCU\..\Run: [Tjn] C:\windows\Ucf.exe
O4 - HKCU\..\Run: [Rdt] C:\windows\Orn.exe
O4 - HKCU\..\Run: [Vaa] C:\windows\System32\Umk.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://xtra.co.nz
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 66.197.161.149
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://mpsnet.com/JavaVM3186.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113370532224
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
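Added example (not part of glas002's post, nor a HijackThis feature): a small Python triage script for logs like the one above. It picks out the entry types that carry the infection in this log: O1 hosts mappings, O2 BHOs whose DLL is missing, O4 autoruns with generated-looking three-letter names or malformed paths (the `System32 .exe` value with a space before the extension, and the `t?skmgr.exe` value where `?` marks a character the tool could not print), and O15 Trusted Zone additions. The sample lines are copied from the first log; the heuristics, thresholds and function names (`triage`, `summarize`) are this example's own assumptions, not a published detection rule.

```python
import re
from collections import Counter

# Constructed sample: eleven lines copied from the first log in this thread,
# mixing known-good entries (Adobe, QuickTime, AVG) with the suspicious ones.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.3 iframeprofit.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\windows\drexinit.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kqn] C:\windows\Cro.exe
O4 - HKLM\..\Run: [ntkrnlpb] C:\windows\System32 .exe
O4 - HKCU\..\Run: [Auiyjtc] C:\windows\System32\t?skmgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 66.197.161.149
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

ENTRY = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")
HOSTS = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
AUTORUN = re.compile(r"\[([^\]]*)\]\s*(.*)$")
# Capitalised three-letter names such as [Kqn] or [Poe] look generated rather
# than vendor-chosen (heuristic assumed for this example, expect some noise).
RANDOM_NAME = re.compile(r"^[A-Z][a-z]{2}$")
# '?' cannot appear in a Windows file name, so in a log it stands in for a
# character the tool could not print; whitespace directly before the
# extension means the value is not the path it resembles.
ODD_PATH = re.compile(r"\?|\s\.[A-Za-z]{3}$")


def _command_path(command: str) -> str:
    """Return the executable part of an O4 command string."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted values are kept whole: the space trick is what we look for.
    return command


def triage(log_text: str) -> list:
    """Return [(section, reason, line)] for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header lines, process list, blanks
        section, body = m.groups()
        reason = None
        if section == "O1":
            h = HOSTS.match(body)
            if h and not (h.group(1).startswith("127.") and h.group(2) == "localhost"):
                reason = "hosts file maps %s to %s" % (h.group(2), h.group(1))
        elif section == "O2" and body.endswith("(file missing)"):
            reason = "BHO registered but DLL missing (leftover registration)"
        elif section == "O4":
            a = AUTORUN.search(body)
            if a:
                name, path = a.group(1), _command_path(a.group(2))
                if RANDOM_NAME.match(name):
                    reason = "autorun with generated-looking name [%s]" % name
                elif ODD_PATH.search(path):
                    reason = "autorun path looks malformed: %s" % path
        elif section == "O15":
            reason = "added to IE Trusted Zone, lowers browser security for it"
        if reason:
            findings.append((section, reason, line))
    return findings


def summarize(findings) -> Counter:
    """Count findings per HijackThis section."""
    return Counter(section for section, _, _ in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for section, reason, line in found:
        print(section, "|", reason, "|", line)
    print(dict(summarize(found)))
```

On the sample the script flags seven of the eleven lines and leaves the Adobe, QuickTime, AVG and EPSON-style entries alone. Anything it flags still needs a human look: Spybot's own SDHelper.dll shows up as "(no name)" but with a present file, which is why only the missing-file condition is used for O2.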
#2 glas002
I haven't had any replies (yet) to my original post BUT through this forum I believe I have found the solution to removing the advert etc. from the desktop. I'm so pleased I found this site !!! ;) Thank you for making it available ;)

THANKS HEAPS to member rahul sardesai for posting the Freeclean desktop removal supplied to him from SmartSecurity. :)

For me too, it removed the advert from my desktop and restored my usual icons - all now with full right-click functionality. (phew!)

For the benefit of others searching and awaiting a solution who have already performed the prerequisite scans as instructed, you may copy and paste the URL

http://www.smart-sec...fo/removal.html

Just to check I'm in the clear I will post a new HijackThis log for confirmation in my next post. I would really appreciate someone getting back to me :tazz: as, like rahul, I couldn't help wondering if there was a catch - but I suspect that's just the psyche still recovering from the intrusion. I would really appreciate your feedback.

Thanks again for a fantastic site and community
#3 glas002
The log looks pretty much the same but at least I have the desktop back and for the moment all else is under management while awaiting your feedback. Please advise asap - I'd really appreciate it. ;) ;) :tazz:

log#2 Here 'tis : -

Logfile of HijackThis v1.99.1
Scan saved at 2:47:22 PM, on 4/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\Program Files\Alcatel\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-nz\msnappau.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\windows\System32\aonu.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\windows\System32\wuauclt.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xtramsn.co.nz/home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xtra.co.nz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 www.iframedollars.biz
O1 - Hosts: 127.0.0.3 iframedollars.biz
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 www.iframedollars.biz
O1 - Hosts: 127.0.0.3 iframedollars.biz
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 www.iframedollars.biz
O1 - Hosts: 127.0.0.3 iframedollars.biz
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 www.iframedollars.biz
O1 - Hosts: 127.0.0.3 iframedollars.biz
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0002.1001\en-xu\stmain.dll
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\windows\drexinit.dll (file missing)
O2 - BHO: (no name) - {B1B308B2-9607-C8A6-2731-C8A9389F5DC6} - C:\windows\System32\uwrkosu.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0002.1001\en-nz\msntb.dll
O2 - BHO: (no name) - {C9C36654-9873-42AD-BAE7-C5DBF6165B16} - C:\windows\System32\phcnaaa.dll (file missing)
O3 - Toolbar: xtramsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0002.1001\en-nz\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-nz\msnappau.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [ntkrnlpb] C:\windows\System32 .exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\windows\System32\ntddetect.exe
O4 - HKLM\..\RunServices: [ntkrnlpb] C:\windows\System32 .exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Toti] C:\windows\System32\aonu.exe
O4 - HKCU\..\Run: [Auiyjtc] C:\windows\System32\t?skmgr.exe
O4 - HKCU\..\Run: [ntkrnlpb] C:\windows\System32 .exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://xtra.co.nz
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 66.197.161.149
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://mpsnet.com/JavaVM3186.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113370532224
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
#4 glas002
Update: Desktop still stable (so far) but I still have spyware and adware infections etc. - occasional requests from unknown progs to connect to the net.

I've put Ad-Aware, CWShredder, Spybot and AVG through their paces again and then did an online scan with Panda ActiveScan, which IDs more and this time at least managed to eliminate the trojan Agent.OK.

The subsequent ActiveScan log reveals the rest, so I thought it might help to post it here in addition to the previous HijackThis log.

Keen to get some feedback on these while they're still within the realms of "can-do".

grateful & patient - will anyone answer :tazz: ??

ActiveScan Report 14/04/05

Adware:Adware/PurityScan No disinfected C:\windows\System32\aonu.exe
Adware:Adware/Apropos No disinfected C:\DOCUME~1\noeline\LOCALS~1\Temp\cfout.txt
Adware:Adware/SideFind No disinfected Windows Registry
Spyware:Spyware/MarketScore No disinfected C:\windows\System32\osconfig.dll
Adware:Adware/CWS.Searchmeup No disinfected C:\windows\System32\dsmanager.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\aonu.exe
Spyware:Spyware/MarketScore No disinfected C:\WINDOWS\system32\osconfig.dll
Adware:Adware/FunWeb No disinfected C:\WINDOWS\system32\f3PSSavr.scr
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\Ppd.html
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\Fhr.html
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\Imb.html
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\Hre.html
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\Dks.html
Adware:Adware/SaveNow No disinfected C:\Documents and Settings\noeline\Local Settings\Temp\VVSN_FRZE1001Inst.exe
Virus:Trj/Agent.OK Disinfected C:\Documents and Settings\noeline\Local Settings\Temp\tr21.exe
Virus:Trj/Agent.OK Disinfected C:\Documents and Settings\noeline\Local Settings\Temporary Internet Files\Content.IE5\KOVHX6SI\web[1].exe
Spyware:Spyware/ISTbar No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq47.tmp
Adware:Adware/FunWeb No disinfected C:\Program Files\MSN Messenger\riched20.dll
Adware:Adware/PowerScan No disinfected C:\FOUND.000\FILE0009.CHK
Adware:Adware/PowerScan No disinfected C:\FOUND.000\FILE0032.CHK
Adware:Adware/PurityScan No disinfected C:\FOUND.000\FILE0041.CHK
Spyware:Spyware/BargainBuddy No disinfected C:\package_adp_SIAC.exe
#5 glas002
DAY 3 - (sheesh!):tazz:

I have put the usual scanners through their paces & others such as kill2me/AboutBuster/HSremove etc. etc.

Looked at the logs and decided to delete everything that a search in c:\windows\System32\drivers\etc\hosts produced. No detriment ;)

Rebooted and ran a new HijackThis - log below - would really appreciate some feedback ;)

Logfile of HijackThis v1.99.1
Scan saved at 7:52:37 PM, on 4/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Alcatel\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-nz\msnappau.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\windows\System32\aonu.exe
C:\Program Files\Malware Removal Tools\Spybot S&D\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\windows\System32\svchost.exe
C:\Program Files\Malware Removal Tools\HighjackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtramsn.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Malware Removal Tools\Spybot S&D\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0002.1001\en-xu\stmain.dll
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\windows\drexinit.dll (file missing)
O2 - BHO: (no name) - {B1B308B2-9607-C8A6-2731-C8A9389F5DC6} - C:\windows\System32\uwrkosu.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0002.1001\en-nz\msntb.dll
O2 - BHO: (no name) - {C9C36654-9873-42AD-BAE7-C5DBF6165B16} - C:\windows\System32\phcnaaa.dll (file missing)
O3 - Toolbar: xtramsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0002.1001\en-nz\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-nz\msnappau.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [ntkrnlpb] C:\windows\System32 .exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\windows\System32\ntddetect.exe
O4 - HKLM\..\RunServices: [ntkrnlpb] C:\windows\System32 .exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Toti] C:\windows\System32\aonu.exe
O4 - HKCU\..\Run: [Auiyjtc] C:\windows\System32\t?skmgr.exe
O4 - HKCU\..\Run: [ntkrnlpb] C:\windows\System32 .exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Malware Removal Tools\Spybot S&D\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://xtra.co.nz
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 66.197.161.149
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://mpsnet.com/JavaVM3186.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113370532224
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1404692F-C0EF-4807-9C98-28EDDF6D55AE}: NameServer = 202.27.158.40 202.27.156.72
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
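The log above is the kind of thing a helper reads by eye, line by line. As an added example (not from this thread, the poster, or the HijackThis tool itself), the Python script below runs a first triage pass over a handful of lines copied from that log and reports the entries a reviewer would look at first: O2 BHO registrations whose DLL is gone, O4 autorun values whose path cannot be a real program (a directory followed by " .exe", or a file name with a character HijackThis prints as "?"), non-Microsoft hosts and bare IP ranges in the Trusted sites zone, and the O17 DNS resolvers for confirmation against the ISP. The allow-list of Trusted Zone domains and the "suspicious" versus "review" severities are my assumptions for a first pass, not HijackThis rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: a few lines copied from the HijackThis log posted above,
# embedded here so the checks run offline. No new data is introduced.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\windows\drexinit.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ntkrnlpb] C:\windows\System32 .exe
O4 - HKCU\..\Run: [Auiyjtc] C:\windows\System32\t?skmgr.exe
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 66.197.161.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{1404692F-C0EF-4807-9C98-28EDDF6D55AE}: NameServer = 202.27.158.40 202.27.156.72
"""

# Every HijackThis entry starts with a section code such as "O4 - ".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Assumption: hosts that Windows Update and MSN legitimately place in the Trusted zone.
# Extend this allow-list for your own environment.
TRUSTED_ZONE_ALLOW = ("microsoft.com", "windowsupdate.com", "msn.com")


@dataclass
class Finding:
    section: str
    severity: str  # "suspicious" or "review"
    reason: str
    line: str


def _allowed_host(host: str) -> bool:
    """True when host is an allow-listed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_ZONE_ALLOW)


def check_entry(line: str) -> Optional[Finding]:
    """Apply the triage rules to one log line; return a Finding or None."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    section, body = m.groups()

    if section == "O2" and body.endswith("(file missing)"):
        return Finding(section, "review",
                       "BHO CLSID is registered but its DLL is gone (orphaned hook)", line)

    if section == "O4" and "] " in body:          # Run/RunServices values: "[name] command"
        target = body.split("] ", 1)[1]
        # Keep the path up to and including the first ".exe"; drop any arguments after it.
        exe_path = re.split(r"(?<=\.exe)\s", target, maxsplit=1, flags=re.I)[0]
        basename = exe_path.rsplit("\\", 1)[-1]
        if basename.lower() == ".exe" or re.search(r"\s\.exe$", exe_path, re.I):
            return Finding(section, "suspicious",
                           "autorun value has no executable name, only a directory plus ' .exe'", line)
        if "?" in basename:
            return Finding(section, "suspicious",
                           "file name contains a character HijackThis could not print ('?'); "
                           "the name mimics a system binary", line)
        return None

    if section == "O15":
        if body.startswith("Trusted IP range:"):
            return Finding(section, "suspicious",
                           "a bare IP address was added to the Trusted sites zone", line)
        if body.startswith("Trusted Zone:"):
            host = body.split(":", 1)[1].strip().split(" ")[0]
            host = re.sub(r"^(\*\.|https?://)", "", host)
            if not _allowed_host(host):
                return Finding(section, "suspicious",
                               f"non-Microsoft host {host} in the Trusted sites zone", line)
        return None

    if section == "O17" and "NameServer" in body:
        servers = body.split("=", 1)[1].split()
        return Finding(section, "review",
                       f"DNS resolvers {', '.join(servers)} set on this adapter; "
                       "confirm they belong to the ISP", line)

    return None


def scan(log_text: str) -> List[Finding]:
    """Run check_entry over every line of a HijackThis log and collect the findings."""
    return [f for f in (check_entry(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity:10}] {f.section}: {f.reason}\n    {f.line}")
```

On the sample above the script reports six entries: the orphaned drexinit.dll BHO, the two malformed O4 values, the two O15 Trusted Zone additions, and the O17 resolvers for confirmation, while the AVG and Acrobat lines pass without comment. A pass like this only prioritises what to read; deciding whether an entry is removed is still the reviewer's call.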

#6
glas002

    New Member

  • Topic Starter
  • Member
  • 7 posts
UPDATE: :tazz:

Through another site found a good HijackThis tutorial and after going through that and making some determinations, I also found an online automated analysis tool for HijackThis logs. It arrived at the same determinations I had - so took that as confirmation - and ran a fix etc. ;)

Will follow advice in other threads regarding system tidy and future security.

PS: thought about posting the final log but since I haven't had a response at all, it seems a redundant courtesy.
ALSO: fyi - the developer of the automated analysis tool :) got the dosh this time.
;)

Good luck 2yall.

#7
borafa

    New Member

  • Member
  • 4 posts
hi glas,

Sorry that I will not be able to help you, but maybe you can help me by providing some info about the whereabouts of the HijackThis tutorial and the online automated analysis tool for HijackThis logs you mentioned in your last post. I sort of got the same problem as you do and just posted my HijackThis log in another thread, but considering you haven't had a reply in 3 days it seems smart to explore this subject by myself.