Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan-Spy.HTML.smitfraud.c


  • Please log in to reply

#1
Fboy

Fboy

    Member

  • Member
  • PipPip
  • 12 posts
Hi i do something what i read in other topics.... but i think is better i show my hijack log


Logfile of HijackThis v1.98.2
Scan saved at 12:26:44, on 18/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\ARQUIV~1\DAP\DAP.EXE
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\DOCUME~1\Usuario\CONFIG~1\Temp\Rar$EX00.625\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.12.209.9:80
O1 - Hosts: 69.50.173.4 lycos.com
O1 - Hosts: 69.50.173.4 amazon.com
O1 - Hosts: 69.50.173.4 www.amazon.com
O1 - Hosts: 69.50.173.4 aol.com
O1 - Hosts: 69.50.173.4 www.aol.com
O1 - Hosts: 69.50.173.4 earthlink.net
O1 - Hosts: 69.50.173.4 www.earthlink.net
O1 - Hosts: 69.50.173.4 ebay.com
O1 - Hosts: 69.50.173.4 www.ebay.com
O1 - Hosts: 69.50.173.4 go.com
O1 - Hosts: 69.50.173.4 www.go.com
O1 - Hosts: 69.50.173.4 icq.com
O1 - Hosts: 69.50.173.4 www.icq.com
O1 - Hosts: 69.50.173.4 lycos.com
O1 - Hosts: 69.50.173.4 yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\ARQUIV~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Smapp] C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DownloadAccelerator] C:\ARQUIV~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ESFTP] C:\Arquivos de programas\ESFTP.COM\ESFTP\esftp.exe /STARTUP
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\ARQUIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\ARQUIV~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Arquivos de programas\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Arquivos de programas\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARQUIV~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARQUIV~1\FlashGet\flashget.exe
O9 - Extra button: Microsoft AntiSpyware helper - {F3B58DD2-C5B9-4EDD-887C-27DB85DA8EE2} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F3B58DD2-C5B9-4EDD-887C-27DB85DA8EE2} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {F3B58DD2-C5B9-4EDD-887C-27DB85DA8EE2} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F3B58DD2-C5B9-4EDD-887C-27DB85DA8EE2} - (no file) (HKCU)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\wx.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co....cab?10,0,910,0
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106317637792
O16 - DPF: {6E2D6932-3885-4FA2-8DD4-DB63FFE33797} (PhotoPickConvert Class) - http://appdirectory....ap/PhtPkCnv.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1971915E-712F-4A2C-B16B-5098A10A2F44}: NameServer = 201.10.120.2 201.10.128.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{C996BD73-2098-4ED7-B11A-2ED646234A56}: Domain = @
O17 - HKLM\System\CS1\Services\Tcpip\..\{1971915E-712F-4A2C-B16B-5098A10A2F44}: NameServer = 201.10.120.2 201.10.128.3
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
  • 0

Advertisements


#2
Fboy

Fboy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
can someone help me???
  • 0

#3
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi Fboy and welcome
Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

*IMPORTANT* Be sure you know how to VIEW HIDDEN FILES

Press CTRL ALT DELETE to open Windows Task Manger. Click on the Processes tab and end the following processes:

List any files going to be deleted that are running

Exit Task Manager.

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field) MAKE SURE TO ENTER ALL FILE PATHS!:

C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered press the YES button at both prompts so that your computer restarts. If you recieve an error message "PendingRenameOperation...." and your computer doesn't restart, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files <-WILL be there!
C:\Program Files\Security IGuard

Reboot into normal mode.

*Download and install Registrar Lite version 2.00
*Double click the purple Registrar Lite icon on your desktop.
*Copy the line below and paste it into the "Address" field (located at the top) of the program:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

*Click the "Go" button.
*It will take you into the "Policies" folder.
*Locate the "System" folder (in the right panel)
*If found, right-click on the System folder and go to Delete
*Be very careful that you only delete the System folder that is inside the Policies folder.

Reboot your computer again.

1.) Download the Hoster from HERE Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Download: http://www.mvps.org/.../DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!


Post a new HiJackThis log.
  • 0

#4
Fboy

Fboy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Logfile of HijackThis v1.98.2
Scan saved at 16:32:45, on 19/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\ARQUIV~1\DAP\DAP.EXE
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\DOCUME~1\Usuario\CONFIG~1\Temp\Rar$EX00.828\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.12.209.9:80
O1 - Hosts: 69.50.173.4 lycos.com
O1 - Hosts: 69.50.173.4 amazon.com
O1 - Hosts: 69.50.173.4 www.amazon.com
O1 - Hosts: 69.50.173.4 aol.com
O1 - Hosts: 69.50.173.4 www.aol.com
O1 - Hosts: 69.50.173.4 earthlink.net
O1 - Hosts: 69.50.173.4 www.earthlink.net
O1 - Hosts: 69.50.173.4 ebay.com
O1 - Hosts: 69.50.173.4 www.ebay.com
O1 - Hosts: 69.50.173.4 go.com
O1 - Hosts: 69.50.173.4 www.go.com
O1 - Hosts: 69.50.173.4 icq.com
O1 - Hosts: 69.50.173.4 www.icq.com
O1 - Hosts: 69.50.173.4 lycos.com
O1 - Hosts: 69.50.173.4 yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\ARQUIV~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Smapp] C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DownloadAccelerator] C:\ARQUIV~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ESFTP] C:\Arquivos de programas\ESFTP.COM\ESFTP\esftp.exe /STARTUP
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [CleanUp!] C:\ARQUIV~1\CleanUp!\CleanUp.exe /WindowsRestart
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\ARQUIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\ARQUIV~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Arquivos de programas\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Arquivos de programas\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARQUIV~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARQUIV~1\FlashGet\flashget.exe
O9 - Extra button: Microsoft AntiSpyware helper - {F3B58DD2-C5B9-4EDD-887C-27DB85DA8EE2} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F3B58DD2-C5B9-4EDD-887C-27DB85DA8EE2} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {F3B58DD2-C5B9-4EDD-887C-27DB85DA8EE2} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F3B58DD2-C5B9-4EDD-887C-27DB85DA8EE2} - (no file) (HKCU)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\wx.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co....cab?10,0,910,0
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106317637792
O16 - DPF: {6E2D6932-3885-4FA2-8DD4-DB63FFE33797} (PhotoPickConvert Class) - http://appdirectory....ap/PhtPkCnv.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1971915E-712F-4A2C-B16B-5098A10A2F44}: NameServer = 201.10.120.2 201.10.128.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{C996BD73-2098-4ED7-B11A-2ED646234A56}: Domain = @
O17 - HKLM\System\CS1\Services\Tcpip\..\{1971915E-712F-4A2C-B16B-5098A10A2F44}: NameServer = 201.10.120.2 201.10.128.3
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
  • 0

#5
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Sorry about that Fboy I missed one step in the prior instructions, I will post the instructions again , Please disreagrd my previous reply, And carefully go through the following, Be sure not to skip any of the steps please,

Also,
Please Download
Silent Runners
Please create a folder for it please, Then double click on the program, It will save a notebook file in the same folder, Open that, copy, paste the log back to this thread please

Of course after you have run through the following,

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

*IMPORTANT* Be sure you know how to VIEW HIDDEN FILES

Press CTRL ALT DELETE to open Windows Task Manger. Click on the Processes tab and end the following processes:

wp.exe

Exit Task Manager.

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field) MAKE SURE TO ENTER ALL FILE PATHS!:

C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered press the YES button at both prompts so that your computer restarts. If you recieve an error message "PendingRenameOperation...." and your computer doesn't restart, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files <-WILL be there!
C:\Program Files\Security IGuard

Reboot into normal mode.

*Download and install Registrar Lite version 2.00
*Double click the purple Registrar Lite icon on your desktop.
*Copy the line below and paste it into the "Address" field (located at the top) of the program:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

*Click the "Go" button.
*It will take you into the "Policies" folder.
*Locate the "System" folder (in the right panel)
*If found, right-click on the System folder and go to Delete
*Be very careful that you only delete the System folder that is inside the Policies folder.

Reboot your computer again.

1.) Download the Hoster from HERE Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Download: http://www.mvps.org/.../DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log.
  • 0

#6
Fboy

Fboy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
what exactly i must post? the text of the silent runners?
i cant enter in the folder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

he enter like a http:// folder
  • 0

#7
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
within the folder you will see a text file click on it , It should open in notebook copy and paste the contents of it here please
  • 0

#8
Fboy

Fboy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
"Silent Runners.vbs", revision 35, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Arquivos de programas\Messenger\msmsgs.exe" /background" [MS]
"ESFTP" = "C:\Arquivos de programas\ESFTP.COM\ESFTP\esftp.exe /STARTUP" [file not found]
"WindowsFY" = "c:\wp.exe" [file not found]
"MessengerPlus3" = ""C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" /WinStart" ["Patchou"]
"msnmsgr" = ""C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AVG7_CC" = "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"avast!" = "C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"Smapp" = "C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe" ["Analog Devices, Inc."]
"QuickTime Task" = ""C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"DownloadAccelerator" = "C:\ARQUIV~1\DAP\DAP.EXE /STARTUP" ["Speedbit Ltd."]
"NeroCheck" = "C:\WINDOWS\System32\\NeroCheck.exe" ["Ahead Software Gmbh"]
"TkBellExe" = ""C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"MessengerPlus3" = ""C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe"" ["Patchou"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\ARQUIV~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensão do 'Painel de controle' para panorâmica de vídeo"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensão de ícone do HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Microsoft Office\Office10\msohev.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\SmartFTP\smarthook.dll" ["SmartFTP"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Illustrate\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Illustrate\dBpowerAMP\dMCShell.dll" [empty string]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"SystemCheck2" = "{54645654-2225-4455-44A1-9F4543D34545}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\vbsys2.dll" [file not found]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\wp.bmp"


Startup items in "Usuario" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar
"Adobe Gamma Loader" -> shortcut to: "C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader Speed Launch" -> shortcut to: "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"hp psc 1000 series" -> shortcut to: "C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe" ["Hewlett-Packard Co."]
"hpoddt01.exe" -> shortcut to: "C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"]
"Microsoft Office" -> shortcut to: "C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"FRU Task #Hewlett-Packard#hp psc 1200 series#1106952726" -> launches: "C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -I "#Hewlett-Packard#hp psc 1200 series#1106952726"" [empty string]
"WebReg 20050129205306" -> launches: "C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe /TaskName 20050129205306 /N "HP psc 1200 Series" /M Q1662A /S BR43E4G0SW5H /AP 303 /F /T " ["Hewlett-Packard Co."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{E0E899AB-F487-11D5-8D29-0050BA6940E3}"
-> {CLSID}\(Default) = "FlashGet Bar"
-> {CLSID}\InProcServer32\(Default) = "C:\ARQUIV~1\FlashGet\fgiebar.dll" ["Amaze Soft"]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{F3B58DD2-C5B9-4EDD-887C-27DB85DA8EE2}\
"ButtonText" = "Microsoft AntiSpyware helper"
"MenuText" = "Microsoft AntiSpyware helper"

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "&FlashGet"
"Exec" = "C:\ARQUIV~1\FlashGet\flashget.exe" ["Amaze Soft"]

{F3B58DD2-C5B9-4EDD-887C-27DB85DA8EE2}\
"ButtonText" = "Microsoft AntiSpyware helper"
"MenuText" = "Microsoft AntiSpyware helper"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Arquivos de programas\Messenger\MSMSGS.EXE" [MS]


HOSTS file
----------

C:\WINDOWS\system32\Drivers\Etc\HOSTS

maps: 16 domain names to IP addresses,
15 of the IP addresses are *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
AVG7 Alert Manager Server, Avg7Alrt, "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
Machine Debug Manager, MDM, ""C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
  • 0

#9
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Couple items to go but I need to see a fresh HJT log please
  • 0

#10
Fboy

Fboy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Logfile of HijackThis v1.98.2
Scan saved at 12:16:24, on 20/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\ARQUIV~1\DAP\DAP.EXE
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\DOCUME~1\Usuario\CONFIG~1\Temp\Rar$EX00.718\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.12.209.9:80
O1 - Hosts: 69.50.173.4 lycos.com
O1 - Hosts: 69.50.173.4 amazon.com
O1 - Hosts: 69.50.173.4 www.amazon.com
O1 - Hosts: 69.50.173.4 aol.com
O1 - Hosts: 69.50.173.4 www.aol.com
O1 - Hosts: 69.50.173.4 earthlink.net
O1 - Hosts: 69.50.173.4 www.earthlink.net
O1 - Hosts: 69.50.173.4 ebay.com
O1 - Hosts: 69.50.173.4 www.ebay.com
O1 - Hosts: 69.50.173.4 go.com
O1 - Hosts: 69.50.173.4 www.go.com
O1 - Hosts: 69.50.173.4 icq.com
O1 - Hosts: 69.50.173.4 www.icq.com
O1 - Hosts: 69.50.173.4 lycos.com
O1 - Hosts: 69.50.173.4 yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\ARQUIV~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Smapp] C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DownloadAccelerator] C:\ARQUIV~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ESFTP] C:\Arquivos de programas\ESFTP.COM\ESFTP\esftp.exe /STARTUP
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\ARQUIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\ARQUIV~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Arquivos de programas\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Arquivos de programas\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARQUIV~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARQUIV~1\FlashGet\flashget.exe
O9 - Extra button: Microsoft AntiSpyware helper - {F3B58DD2-C5B9-4EDD-887C-27DB85DA8EE2} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F3B58DD2-C5B9-4EDD-887C-27DB85DA8EE2} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {F3B58DD2-C5B9-4EDD-887C-27DB85DA8EE2} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F3B58DD2-C5B9-4EDD-887C-27DB85DA8EE2} - (no file) (HKCU)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\wx.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co....cab?10,0,910,0
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106317637792
O16 - DPF: {6E2D6932-3885-4FA2-8DD4-DB63FFE33797} (PhotoPickConvert Class) - http://appdirectory....ap/PhtPkCnv.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1971915E-712F-4A2C-B16B-5098A10A2F44}: NameServer = 201.10.120.2 201.10.128.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{C996BD73-2098-4ED7-B11A-2ED646234A56}: Domain = @
O17 - HKLM\System\CS1\Services\Tcpip\..\{1971915E-712F-4A2C-B16B-5098A10A2F44}: NameServer = 201.10.120.2 201.10.128.3
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
  • 0

Advertisements


#11
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi again
  • You are running an out-of-date version of HijackThis; can you please download a new copy (there is a link in my signature), unzip it, and replace your existing copy with the new version.

    Create a folder on the C: drive called C:\HJT.
    You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it hjt. Unzip HijackThis into this folder.











  • Please set your system to show
    all files; please see here if you're unsure how to do this.









  • Close all programs leaving only HijackThis running. Place a check mark next to the following, making sure you get them all and not any others by mistake:

    O1 - Hosts: 69.50.173.4 lycos.com
    O1 - Hosts: 69.50.173.4 amazon.com
    O1 - Hosts: 69.50.173.4 www.amazon.com
    O1 - Hosts: 69.50.173.4 aol.com
    O1 - Hosts: 69.50.173.4 www.aol.com
    O1 - Hosts: 69.50.173.4 earthlink.net
    O1 - Hosts: 69.50.173.4 www.earthlink.net
    O1 - Hosts: 69.50.173.4 ebay.com
    O1 - Hosts: 69.50.173.4 www.ebay.com
    O1 - Hosts: 69.50.173.4 go.com
    O1 - Hosts: 69.50.173.4 www.go.com
    O1 - Hosts: 69.50.173.4 icq.com
    O1 - Hosts: 69.50.173.4 www.icq.com
    O1 - Hosts: 69.50.173.4 lycos.com
    O1 - Hosts: 69.50.173.4 yahoo.com
    O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
    O9 - Extra button: Microsoft AntiSpyware helper - {F3B58DD2-C5B9-4EDD-887C-27DB85DA8EE2} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F3B58DD2-C5B9-4EDD-887C-27DB85DA8EE2} - (no file) (HKCU)
    O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
    O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\wx.cab
    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)


    Click on Fix Checked when finished and exit HijackThis.
  • Reboot into Safe Mode: please see here if you are not sure how to do this.


    Using Windows Explorer, locate the following files/folders, and delete them:


    C:\WINDOWS\System32\vbsys2.dll

    Exit Explorer, and reboot as normal afterwards.




    Download Pocket Killbox and unzip it; save it to your Desktop.

    Run it, and click the radio button that says Delete a file on reboot. Please enter the following

    c:\wp.exe
    C:\wp.bmp



    ,paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

    The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

    Let the system reboot.
Post back a fresh HijackThis log and we will take another look.
  • 0

#12
Fboy

Fboy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
there is... i coundt found vbsys2.dll



Logfile of HijackThis v1.99.1
Scan saved at 11:10:48, on 21/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\ARQUIV~1\DAP\DAP.EXE
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.12.209.9:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\ARQUIV~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Smapp] C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DownloadAccelerator] C:\ARQUIV~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Security iGuard] C:\Arquivos de programas\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ESFTP] C:\Arquivos de programas\ESFTP.COM\ESFTP\esftp.exe /STARTUP
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\ARQUIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\ARQUIV~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Arquivos de programas\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Arquivos de programas\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARQUIV~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARQUIV~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co....cab?10,0,910,0
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106317637792
O16 - DPF: {6E2D6932-3885-4FA2-8DD4-DB63FFE33797} (PhotoPickConvert Class) - http://appdirectory....ap/PhtPkCnv.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1971915E-712F-4A2C-B16B-5098A10A2F44}: NameServer = 201.10.120.2 201.10.128.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{C996BD73-2098-4ED7-B11A-2ED646234A56}: Domain = @
O17 - HKLM\System\CS1\Services\Tcpip\..\{1971915E-712F-4A2C-B16B-5098A10A2F44}: NameServer = 201.10.120.2 201.10.128.3
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
  • 0

#13
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi again
  • Please go to Add/Remove programs search for and remove if found please


    Security iGuard












  • Please set your system to show
    all files; please see here if you're unsure how to do this.










  • Close all programs leaving only HijackThis running. Place a check mark next to the following, making sure you get them all and not any others by mistake:

    O4 - HKLM\..\Run: [Security iGuard] C:\Arquivos de programas\Security iGuard\Security iGuard.exe

    Click on Fix Checked when finished and exit HijackThis.

  • Reboot into Safe Mode: please see here if you are not sure how to do this.


    Using Windows Explorer, locate the following files/folders, and delete them:

    C:\Arquivos de programas\Security iGuard\Security iGuard.exe

    Exit Explorer, and reboot as normal afterwards.
Post back a fresh HijackThis log and we will take another look.
  • 0

#14
Fboy

Fboy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Logfile of HijackThis v1.99.1
Scan saved at 09:04:30, on 22/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\ARQUIV~1\DAP\DAP.EXE
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.12.209.9:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\ARQUIV~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Smapp] C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DownloadAccelerator] C:\ARQUIV~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ESFTP] C:\Arquivos de programas\ESFTP.COM\ESFTP\esftp.exe /STARTUP
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\ARQUIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\ARQUIV~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Arquivos de programas\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Arquivos de programas\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARQUIV~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARQUIV~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co....cab?10,0,910,0
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106317637792
O16 - DPF: {6E2D6932-3885-4FA2-8DD4-DB63FFE33797} (PhotoPickConvert Class) - http://appdirectory....ap/PhtPkCnv.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1971915E-712F-4A2C-B16B-5098A10A2F44}: NameServer = 201.10.120.2 201.10.128.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{C996BD73-2098-4ED7-B11A-2ED646234A56}: Domain = @
O17 - HKLM\System\CS1\Services\Tcpip\..\{1971915E-712F-4A2C-B16B-5098A10A2F44}: NameServer = 201.10.120.2 201.10.128.3
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
  • 0

#15
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Nice job your log is clean !
How is it running ?
Please use the following suggestion to help prevent reinfection

Download the following program, For keeping crap off your system to begin with
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restrict the actions of potentially dangerous sites in Internet Explorer.
Download Spyware Blaster

Keep Ad-aware and Spybot handy, Check them for updates prior to running and run them weekly
Same with your Anti Virus,

For an added check run an online virus scan, you can use one of the 2 below,
TrendMicro's HouseCall
ActiveScan

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program
Download and install Cleanup
Run "Cleanup" and when it has finished, Reboot

Remeber to Check Windows for updates

Probably a good time to create a new restore point See Here Name it clean or something like that,
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP