[AndersB]

I have followed the pre-posting guide and here are the results (logs)

AVG Anti-Spyware
No reports available

SUPERAntispyware
Panda activescan
HiJackThis

- Se attached files


I have scanned with Norton Internet Security 2008 also

What shall I do now?

Attached Files

•  SUPERAntiSpyware_Scan_Log.txt   130.36KB   162 downloads
•  Activescan.txt   6.47KB   112 downloads
•  hijackthis.log.txt   11.68KB   130 downloads

Edited by AndersB, 22 February 2008 - 10:21 AM.

[Advertisements]

Welcome to GTG.

Was Super AntiSpyware able to remove all the threats it found?

Print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should NOT have any open browsers when you are following the procedures below.

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Download AVG Anti-Spyware at http://www.ewido.net/en/download/ and install it.
- Locate the icon on the desktop and double-click it to launch the set up program.
- Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
- On the main screen select the Update icon, then select the Update now link.
- Next select the Start Update button. The update will start and a progress bar will show the updates being installed.
- Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
- Once in the Settings screen click on Recommended actions and then select Quarantine.
- Under Reports, select Automatically generate report after every scan.
- Unselect Only if threats were found.

Close AVG Anti-Spyware. Do not run a scan just yet.

Download ATF Cleaner at http://www.atribune..../click.php?id=1. Don't run it yet.

Download SmitfraudFix at http://siri.urz.free...mitfraudFix.zip and extract the content (a folder named SmitfraudFix) to your desktop. Do not run it yet.

Restart your computer and boot into Safe Mode. If you don't know how, go to http://www.bleepingc...tutorial61.html

Once in Safe Mode, open the SmitfraudFix folder. Double-click on smitfraudfix.cmd and select option #2 - Clean by typing 2 and press Enter to delete infected files. You will be prompted Registry cleaning - Do you want to clean the registry? Answer Yes by typing Y and press Enter in order to remove the desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found). Answer Yes by typing Y and press Enter.

The tool may need to restart your computer to finish the cleaning process. If it doesn't, please restart it manually to get back to Normal Mode. A text file will appear onscreen, with results from the cleaning process. Copy and paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt

WARNING: Running option #2 on a non infected computer will remove your desktop background.

Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser click Opera at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Run a scan in HijackThis. Check each of the following if they still exist and hit Fix checked when ready:

O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program\NetProject\sbmntr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

Uninstall NetProject via the Add/Remove Programs panel.

Delete this if found:

C:\Program\NetProject\

Run AVG Anti-Spyware.
- Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
- AVG Anti-Spyware will now begin the scanning process. Be patient as this may take a little time.

Once the scan is complete do the following:
- If you have any infections you will prompted on what action to take. Select Apply all actions.
- Next select the Reports icon at the top.
- Select the Save report as button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).

Post the rapport.txt, AVG Anti-Spyware report and a new HijackThis log here.

[greyknight17]

Welcome to GTG.

Was Super AntiSpyware able to remove all the threats it found?

Print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should NOT have any open browsers when you are following the procedures below.

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Download AVG Anti-Spyware at http://www.ewido.net/en/download/ and install it.
- Locate the icon on the desktop and double-click it to launch the set up program.
- Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
- On the main screen select the Update icon, then select the Update now link.
- Next select the Start Update button. The update will start and a progress bar will show the updates being installed.
- Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
- Once in the Settings screen click on Recommended actions and then select Quarantine.
- Under Reports, select Automatically generate report after every scan.
- Unselect Only if threats were found.

Close AVG Anti-Spyware. Do not run a scan just yet.

Download ATF Cleaner at http://www.atribune..../click.php?id=1. Don't run it yet.

Download SmitfraudFix at http://siri.urz.free...mitfraudFix.zip and extract the content (a folder named SmitfraudFix) to your desktop. Do not run it yet.

Restart your computer and boot into Safe Mode. If you don't know how, go to http://www.bleepingc...tutorial61.html

Once in Safe Mode, open the SmitfraudFix folder. Double-click on smitfraudfix.cmd and select option #2 - Clean by typing 2 and press Enter to delete infected files. You will be prompted Registry cleaning - Do you want to clean the registry? Answer Yes by typing Y and press Enter in order to remove the desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found). Answer Yes by typing Y and press Enter.

The tool may need to restart your computer to finish the cleaning process. If it doesn't, please restart it manually to get back to Normal Mode. A text file will appear onscreen, with results from the cleaning process. Copy and paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt

WARNING: Running option #2 on a non infected computer will remove your desktop background.

Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser click Opera at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Run a scan in HijackThis. Check each of the following if they still exist and hit Fix checked when ready:

O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program\NetProject\sbmntr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

Uninstall NetProject via the Add/Remove Programs panel.

Delete this if found:

C:\Program\NetProject\

Run AVG Anti-Spyware.
- Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
- AVG Anti-Spyware will now begin the scanning process. Be patient as this may take a little time.

Once the scan is complete do the following:
- If you have any infections you will prompted on what action to take. Select Apply all actions.
- Next select the Reports icon at the top.
- Select the Save report as button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).

Post the rapport.txt, AVG Anti-Spyware report and a new HijackThis log here.

[AndersB]

Thanks for taking your time to help us.

SuperAntispyware Quarentined all objects found in the log.

Some questions.

Shall I proceed with the steps in your post even if these objects were quarantined?

In the SmithFraudfix there is a warning that the desktopbackground will be removed on a noninfected computer - does this mean that the "picture" (file) will be deleted or is the properties just changed to "nothing". If I want to keep the background if the computer isn't infected - can I change the background to nothing before I run this fix?

(Through LeifG)

[AndersB]

Correction.
There is no need to keep the background

I've downloaded the needed tools

So I will proceed with the fixes

(Through LeifG)

[AndersB]

I'm back
Here are the results

rapport.txt

SmitFraudFix v2.296Scan done at 22:38:54,71, 2008-02-26Run from C:\Documents and Settings\Anders Br„nnstr”m\Skrivbord\SmitfraudFix\SmitfraudFixOS: Microsoft Windows XP [Version 5.1.2600] - Windows_NTThe filesystem type is FAT32Fix run in safe mode»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix!!!Attention, following keys are not inevitably infected!!!SrchSTS.exe by S!RiSearch SharedTaskScheduler's .dll»»»»»»»»»»»»»»»»»»»»»»»» Killing process»»»»»»»»»»»»»»»»»»»»»»»» hosts127.0.0.1       localhost»»»»»»»»»»»»»»»»»»»»»»»» VACFixVACFixCredits: Malware Analysis & DiagnosticCode: S!Ri»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 FixS!Ri's WS2Fix: LSP not Found.»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos FixGenericRenosFix by S!Ri»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected filesC:\Program\Helper\ DeletedC:\Program\NetProject\ Deleted»»»»»»»»»»»»»»»»»»»»»»»» IEDFixIEDFixCredits: Malware Analysis & DiagnosticCode: S!Ri»»»»»»»»»»»»»»»»»»»»»»»» DNSHKLM\SYSTEM\CCS\Services\Tcpip\..\{C78643A7-7E0E-4637-B783-24371188D2B0}: DhcpNameServer=192.168.0.1HKLM\SYSTEM\CS1\Services\Tcpip\..\{C78643A7-7E0E-4637-B783-24371188D2B0}: DhcpNameServer=192.168.0.1HKLM\SYSTEM\CS2\Services\Tcpip\..\{C78643A7-7E0E-4637-B783-24371188D2B0}: DhcpNameServer=192.168.0.1HKLM\SYSTEM\CS3\Services\Tcpip\..\{C78643A7-7E0E-4637-B783-24371188D2B0}: DhcpNameServer=192.168.0.1HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System!!!Attention, following keys are not inevitably infected!!![HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]"System"=""»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done.  »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix!!!Attention, following keys are not inevitably infected!!!SrchSTS.exe by S!RiSearch SharedTaskScheduler's .dll»»»»»»»»»»»»»»»»»»»»»»»» End

Only the O6 entry was present to be fixed with HiJackThis

There were no log generated with AVG - I doublechecked the setttings and they are correct.

AVG found:
- Downloader.Zlob.hku
- Adware.BHO

These were quarantined

Adware.BHO was found in
-restorepoint2

Downloader.Zlob.hku were found in
- restorepoint2
- restorepoint3
- c:\Program\Netproject\sbsm.exe


Here comes the new HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2Scan saved at 19:41:48, on 2008-02-27Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16608)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program\Delade filer\Symantec Shared\ccSvcHst.exeD:\aawservice.exeC:\WINDOWS\system32\spoolsv.exeC:\Program\acer\Acer eConsole\MediaServerService.exeC:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exeC:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\Program\Bonjour\mDNSResponder.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\alg.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\Program\Delade filer\Symantec Shared\ccSvcHst.exeC:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exeC:\WINDOWS\system32\ctfmon.exeC:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\Program\MSN Messenger\msnmsgr.exeC:\WINDOWS\System32\svchost.exeC:\Program\DELADE~1\SYMANT~1\CCPD-LC\symlcsvc.exeC:\Program\Internet Explorer\iexplore.exeC:\Program\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wbem\wmiprvse.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = LänkarR3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\Program\MACROG~1\SWEETI~1\toolbar.dll (file missing)O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dllO2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program\Delade filer\Symantec Shared\coShared\Browser\2.0\coIEPlg.dllO2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program\DELADE~1\SYMANT~1\IDS\IPSBHO.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_11\bin\ssv.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar3.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dllO2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dllO3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program\Canon\Easy-WebPrint\Toolband.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dllO3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar3.dllO3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dllO3 - Toolbar: Visa Norton-verktygsfältet - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program\Delade filer\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dllO4 - HKLM\..\Run: [ccApp] C:\Program\Delade filer\Symantec Shared\ccApp.exeO4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exeO4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /backgroundO4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')O8 - Extra context menu item: &Windows Live Search - res://C:\Program\Windows Live Toolbar\msntb.dll/search.htmO8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~3\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.htmlO8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.htmlO8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_Preview.htmlO8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_Print.htmlO8 - Extra context menu item: Öppna på ny flik i bakgrunden - res://C:\Program\Windows Live Toolbar\Components\sv-se\msntabres.dll.mui/229?2271b9185a354fb09a9af681f21f0674O8 - Extra context menu item: Öppna på ny flik i förgrunden - res://C:\Program\Windows Live Toolbar\Components\sv-se\msntabres.dll.mui/230?2271b9185a354fb09a9af681f21f0674O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_11\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_11\bin\ssv.dllO9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dllO9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~3\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exeO16 - DPF: {00C1329F-D6C9-46A2-8C3F-23F50977F0A5} - [url="http://www.liquidlab.se/smupdate/stallet/SetupInf.cab"]http://www.liquidlab.se/smupdate/stallet/SetupInf.cab[/url]O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [url="http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab"]http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab[/url]O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - [url="https://webdl.symantec.com/activex/symdlmgr.cab"]https://webdl.symantec.com/activex/symdlmgr.cab[/url]O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - [url="http://acs.pandasoftware.com/activescan/as5free/asinst.cab"]http://acs.pandasoftware.com/activescan/as5free/asinst.cab[/url]O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - [url="http://game09.zylom.com/activex/zylomgamesplayer.cab"]http://game09.zylom.com/activex/zylomgamesplayer.cab[/url]O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [url="http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab"]http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab[/url]O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - [url="http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab"]http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab[/url]O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dllO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLLO20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.dllO23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\aawservice.exeO23 - Service: Acer Media Server - Acer Inc. - C:\Program\acer\Acer eConsole\MediaServerService.exeO23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exeO23 - Service: Automatisk LiveUpdate-schemaläggare - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program\Bonjour\mDNSResponder.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exeO23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\VAScanner\comHost.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LiveUpdate\LuComServer_3_4.EXEO23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exeO23 - Service: Security_Service - Unknown owner - C:\WINDOWS\system32\TmrService.exeO23 - Service: Symantec Core LC - Unknown owner - C:\Program\DELADE~1\SYMANT~1\CCPD-LC\symlcsvc.exe--End of file - 10726 bytes

Do you have any clue to why AVG doesn't make any reports?

What shall we do now?

AndersB (through LeifG)

[greyknight17]

Not really sure....but as long as you remove the things it finds, you are ok. Will try to look into why this happens.

Uninstall the Java version you have there. Restart the computer and install the latest one here.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

[AndersB]

Java updated

There seems to be no symtoms off malware.

But there are some entries in the HiJackThis log that looks strange. I've highligthed them in the following new logfile

Logfile of Trend Micro HijackThis v2.0.2Scan saved at 18:58:36, on 2008-02-28Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16608)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program\Delade filer\Symantec Shared\ccSvcHst.exeD:\aawservice.exeC:\WINDOWS\system32\spoolsv.exeC:\Program\acer\Acer eConsole\MediaServerService.exeC:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exeC:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\Program\Bonjour\mDNSResponder.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\Program\Delade filer\Symantec Shared\ccSvcHst.exeC:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exeC:\Program\Java\jre1.6.0_03\bin\jusched.exeC:\WINDOWS\system32\ctfmon.exeC:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\Program\MSN Messenger\msnmsgr.exeC:\Program\Internet Explorer\iexplore.exeC:\WINDOWS\system32\wbem\wmiprvse.exeC:\WINDOWS\System32\alg.exeC:\Program\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wbem\wmiprvse.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar<strong class='bbc'>R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)</strong>O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll<strong class='bbc'>O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\Program\MACROG~1\SWEETI~1\toolbar.dll (file missing)</strong>O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dllO2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program\Delade filer\Symantec Shared\coShared\Browser\2.0\coIEPlg.dllO2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program\DELADE~1\SYMANT~1\IDS\IPSBHO.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll<strong class='bbc'>O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)</strong>O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar3.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dllO2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dllO3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program\Canon\Easy-WebPrint\Toolband.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll<strong class='bbc'>O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)</strong>O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar3.dllO3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dllO3 - Toolbar: Visa Norton-verktygsfältet - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program\Delade filer\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dllO4 - HKLM\..\Run: [ccApp] C:\Program\Delade filer\Symantec Shared\ccApp.exeO4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_03\bin\jusched.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exeO4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /backgroundO4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')O8 - Extra context menu item: &Windows Live Search - res://C:\Program\Windows Live Toolbar\msntb.dll/search.htmO8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~3\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.htmlO8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.htmlO8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_Preview.htmlO8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_Print.htmlO8 - Extra context menu item: Öppna på ny flik i bakgrunden - res://C:\Program\Windows Live Toolbar\Components\sv-se\msntabres.dll.mui/229?2271b9185a354fb09a9af681f21f0674O8 - Extra context menu item: Öppna på ny flik i förgrunden - res://C:\Program\Windows Live Toolbar\Components\sv-se\msntabres.dll.mui/230?2271b9185a354fb09a9af681f21f0674O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dllO9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dllO9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~3\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exeO16 - DPF: {00C1329F-D6C9-46A2-8C3F-23F50977F0A5} - [url="http://www.liquidlab.se/smupdate/stallet/SetupInf.cab"]http://www.liquidlab.se/smupdate/stallet/SetupInf.cab[/url]O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [url="http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab"]http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab[/url]O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - [url="https://webdl.symantec.com/activex/symdlmgr.cab"]https://webdl.symantec.com/activex/symdlmgr.cab[/url]O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - [url="http://acs.pandasoftware.com/activescan/as5free/asinst.cab"]http://acs.pandasoftware.com/activescan/as5free/asinst.cab[/url]O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - [url="http://game09.zylom.com/activex/zylomgamesplayer.cab"]http://game09.zylom.com/activex/zylomgamesplayer.cab[/url]O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [url="http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab"]http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab[/url]O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - [url="http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab"]http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab[/url]O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dllO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLLO20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.dllO23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\aawservice.exeO23 - Service: Acer Media Server - Acer Inc. - C:\Program\acer\Acer eConsole\MediaServerService.exeO23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exeO23 - Service: Automatisk LiveUpdate-schemaläggare - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program\Bonjour\mDNSResponder.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exeO23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\VAScanner\comHost.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LiveUpdate\LuComServer_3_4.EXEO23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exeO23 - Service: Security_Service - Unknown owner - C:\WINDOWS\system32\TmrService.exeO23 - Service: Symantec Core LC - Unknown owner - C:\Program\DELADE~1\SYMANT~1\CCPD-LC\symlcsvc.exe--End of file - 10812 bytes

What about these enries?

AndersB (through LeifG)

Edited by AndersB, 28 February 2008 - 01:30 PM.

[greyknight17]

Do you use that SweetIM program? If not, uninstall it via the Add/Remove Programs panel if found Then fix them in HijackThis. For the other entry with (no file) only, it's related to Windows Live Messenger. You may fix it if you want, no harm either way.

[greyknight17]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.