Malware Removal [CLOSED]


  • This topic is locked This topic is locked

#1
Victor15

    New Member

  • Member
  • 4 posts
I have a computer that somehow got Trojans, and pop-ups keep coming out and a little yellow triangle keeps appearing at the bottom right corner. Also it says "System Alert: Trojan Spy". I tried cleaning it with Webroot antivirus with antispyware; it pops out on the log but it doesn't seem to clean it, it still stays on my computer. Also pop-ups keep telling me to download some software and it keeps opening the internet by itself. Can you please help me get this out of my computer? :)

Edited by Victor15, 18 June 2008 - 07:48 AM.


#2
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi Victor15,

Welcome to GeeksToGo :)

Let's get some logs for me to analyse and clean this all up.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply (there may only be one log).

The logs produced may be too long for one post; if so, post the logs over more than one reply.

andrewuk

#3
Victor15

    New Member

  • Topic Starter
  • Member
  • 4 posts
I got this from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:03 PM, on 6/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Web Technologies\wcs.exe
C:\Program Files\Web Technologies\iebtm.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Web Technologies\wcm.exe
C:\Program Files\Web Technologies\iebtmm.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: (no name) - {A49E097A-D6EF-4B2F-8B0F-1230E998587F} - C:\Program Files\Web Technologies\iebt.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [Synchronization Manager] "C:\WINDOWS\system32\mobsync.exe" /logon
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AUTORUN_VAL] C:\Program Files\AntiSpyCheck 2.1\AntiSpyCheck 2.1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Web Technologies\wcs.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Web Technologies\iebtm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: eulogical - {99f8405b-63d1-421a-83bb-7b4b0642ac28} - (no file)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 4015 bytes

Edited by Victor15, 18 June 2008 - 11:17 AM.

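As an added example (not part of this thread, and not code from HijackThis or DSS): a small Python script that parses a handful of the O2/O4/O22/O23 lines from the log above and flags the entries a helper would look at first. The flagging rules (Policies\Explorer\Run keys, targets under a Temp directory, unnamed or orphaned entries, and anything sharing a directory with a flagged entry) are assumed triage heuristics, not rules stated in the thread; the DSS "HijackThis Clone" section further down uses the same line format.

```python
"""Triage a HijackThis-style log: parse entries and flag the suspicious ones."""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of O2/O4/O22/O23 lines copied from the
# HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: (no name) - {A49E097A-D6EF-4B2F-8B0F-1230E998587F} - C:\Program Files\Web Technologies\iebt.dll
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [Synchronization Manager] "C:\WINDOWS\system32\mobsync.exe" /logon
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Web Technologies\wcs.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Web Technologies\iebtm.exe
O22 - SharedTaskScheduler: eulogical - {99f8405b-63d1-421a-83bb-7b4b0642ac28} - (no file)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
"""


@dataclass
class Entry:
    section: str          # HijackThis section code, e.g. "O4"
    name: str             # display name, or the [Run value name] for O4
    path: str             # executable/DLL the entry points at
    key: str = ""         # registry key, O4 entries only
    reasons: list = field(default_factory=list)


_O4 = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_EXE = re.compile(r"(.+?\.(?:exe|dll|scr|cpl))(?:\s|$)", re.IGNORECASE)


def _exe_from_command(cmd):
    """Return the program path from a Run value (quoted, or unquoted with arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = _EXE.match(cmd)
    return m.group(1) if m else cmd


def parse_line(line):
    """Parse one 'Oxx - ...' line; returns None for lines that are not entries."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section == "O4":
        m4 = _O4.match(rest)
        if m4:
            return Entry(section, m4["name"], _exe_from_command(m4["cmd"]), m4["key"])
        return Entry(section, rest, "")
    # O2/O3/O22/O23 look like "Kind: name - {clsid or vendor} - path"
    parts = [p.strip() for p in rest.split(" - ")]
    name = parts[0].split(": ", 1)[-1]
    return Entry(section, name, parts[-1] if len(parts) > 1 else "")


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(entries):
    """Attach a reason to each entry that trips a heuristic; return the flagged ones."""
    flagged_dirs = set()
    for e in entries:
        low_path, low_key = e.path.lower(), e.key.lower()
        if e.section == "O4" and "policies\\explorer\\run" in low_key:
            e.reasons.append("autostart from Policies\\Explorer\\Run, a key legitimate installers rarely use")
        if e.section == "O4" and "\\temp\\" in low_path:
            e.reasons.append("autostart target lives in a Temp directory")
        if e.name.lower() == "(no name)":
            e.reasons.append("unnamed " + e.section + " entry")
        if low_path == "(no file)":
            e.reasons.append("orphaned entry, target file is missing")
        if e.reasons and low_path != "(no file)":
            flagged_dirs.add(ntpath.dirname(low_path))
    # second pass: anything else installed in a flagged directory is probably related
    for e in entries:
        d = ntpath.dirname(e.path.lower())
        if not e.reasons and d and d in flagged_dirs:
            e.reasons.append("shares its directory with a flagged entry")
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for e in triage(parse_log(SAMPLE_LOG)):
        print(f"{e.section:4} {e.name:20} {e.path}")
        for r in e.reasons:
            print("     -", r)
```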

#4
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
I am going to need the DSS scan for a full analysis, and I will also need you to do an online scan before we install a proper antivirus program on your machine. The HijackThis log only provides so much information; I will need more:

====STEP 1====

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

====STEP 2====

Please go HERE to run Panda's TotalScan
  • Select the bubble for Full scan
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Then the scan will begin
  • When the scan completes, click the Save button on the right of Scan details
  • Save it to a convenient location. Post the contents of the TotalScan report
In your next reply could I see:
1. the 2 DSS logs (though there may only be one)
2. the Pandascan log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

#5
Victor15

    New Member

  • Topic Starter
  • Member
  • 4 posts
The first one is the main.txt:

Deckard's System Scanner v20071014.68
Run by christian on 2008-06-18 14:08:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
39: 2008-06-18 18:08:26 UTC - RP50 - Deckard's System Scanner Restore Point
38: 2008-06-17 23:16:33 UTC - RP49 - Software Distribution Service 3.0
37: 2008-06-17 23:10:19 UTC - RP48 - Software Distribution Service 3.0
36: 2008-06-17 23:02:15 UTC - RP47 - Software Distribution Service 3.0
35: 2008-06-16 17:18:15 UTC - RP46 - System Checkpoint


-- First Restore Point --
1: 2008-03-29 23:10:59 UTC - RP12 - Installed BabyLuv


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 78% (more than 75%).
Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-18 14:10:22
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Web Technologies\wcs.exe
C:\Program Files\Web Technologies\iebtm.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Web Technologies\wcm.exe
C:\Program Files\Web Technologies\iebtmm.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\christian\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: (no name) - {A49E097A-D6EF-4B2F-8B0F-1230E998587F} - C:\Program Files\Web Technologies\iebt.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [Synchronization Manager] "C:\WINDOWS\system32\mobsync.exe" /logon
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AUTORUN_VAL] C:\Program Files\AntiSpyCheck 2.1\AntiSpyCheck 2.1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Web Technologies\wcs.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Web Technologies\iebtm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O22 - SharedTaskScheduler: eulogical - {99f8405b-63d1-421a-83bb-7b4b0642ac28} - (no file)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


--
End of file - 4218 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 BRGSp50 (BRGSp50 NDIS Protocol Driver) - c:\windows\system32\drivers\brgsp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 ZD1211U(ZyDAS) (ZyDAS ZD1211 IEEE 802.11b+g Wireless LAN Driver (USB)(ZyDAS)) - c:\windows\system32\drivers\zd1211u.sys <Not Verified; ZyDAS Technology Corporation; ZD1211 802.11b+g USB LAN Adapter>
S3 ZDPSp50 (ZDPSp50 NDIS Protocol Driver) - c:\windows\system32\drivers\zdpsp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_134D&DEV_7897&SUBSYS_0001134D&REV_02\4&24AB0D93&0&50F0
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_134D&DEV_7897&SUBSYS_0001134D&REV_02\4&24AB0D93&0&50F0
Service:

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\4&264480D3&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\4&264480D3&0
Service: i8042prt

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: SW\{6C1B9F60-C0A9-11D0-96D8-00AA0051E51D}\{9B365890-165F-11D0-A195-0020AFD156E4}
Manufacturer:
Name:
PNP Device ID: SW\{6C1B9F60-C0A9-11D0-96D8-00AA0051E51D}\{9B365890-165F-11D0-A195-0020AFD156E4}
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-06-13 22:11:05 1632 --a------ C:\WINDOWS\Tasks\wrSpySweeper_LC87EF9C0FF464426885615679D5F82B8.job


-- Files created between 2008-05-18 and 2008-06-18 -----------------------------

2008-06-18 11:10:45 0 d-------- C:\Program Files\Trend Micro
2008-06-18 08:56:24 0 d-------- C:\WINDOWS\LastGood
2008-06-17 21:54:58 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-17 21:54:11 0 d-------- C:\Documents and Settings\christian\Application Data\Mozilla
2008-06-17 19:03:14 0 --a------ C:\Documents and Settings\christian\NULL
2008-06-17 18:40:28 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-17 18:40:21 125 --a------ C:\tmp.reg
2008-06-17 18:40:09 0 d-------- C:\WINDOWS\system32\214075
2008-06-17 18:39:19 0 d-------- C:\Program Files\Web Technologies
2008-06-14 19:06:04 0 d-------- C:\WINDOWS\ShellNew
2008-06-14 19:04:38 0 d-------- C:\Documents and Settings\christian\Application Data\Microsoft Web Folders
2008-06-13 21:59:08 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-06-13 21:58:44 0 d-------- C:\Program Files\Webroot
2008-06-13 21:58:44 0 d-------- C:\Documents and Settings\christian\Application Data\Webroot
2008-06-13 21:58:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-06-13 21:58:42 0 d-------- C:\Program Files\AskSBar
2008-06-12 10:04:08 0 d-------- C:\Documents and Settings\christian\Application Data\Viewpoint
2008-06-11 22:16:08 0 d-------- C:\Documents and Settings\christian\Application Data\acccore
2008-06-11 22:14:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-11 22:14:32 0 d-------- C:\Program Files\Viewpoint
2008-06-11 22:14:30 0 d-------- C:\Documents and Settings\All Users\Application Data\acccore
2008-06-11 22:13:19 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-06-11 22:13:19 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-06-11 22:11:57 0 d-------- C:\Program Files\Common Files\AOL
2008-06-11 22:11:36 0 d-------- C:\Program Files\AIM6
2008-06-11 18:34:01 0 d-------- C:\Documents and Settings\christian\Application Data\Flood Light Games
2008-06-11 18:34:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Flood Light Games
2008-06-11 18:28:26 0 d-------- C:\Program Files\ReflexiveArcade
2008-06-09 13:05:36 0 d-------- C:\Documents and Settings\christian\Application Data\Lavasoft
2008-06-09 12:49:59 0 d---s---- C:\Documents and Settings\christian\UserData
2008-06-08 10:06:35 0 d-------- C:\WINDOWS\system32\PreInstall
2008-06-08 07:55:36 0 d-------- C:\WINDOWS\network diagnostic
2008-06-08 07:55:13 0 d--h----- C:\WINDOWS\$hf_mig$
2008-06-07 21:45:34 0 d-------- C:\Documents and Settings\christian\Application Data\Adobe
2008-06-07 21:43:54 0 d-------- C:\WINDOWS\system32\Adobe
2008-06-07 20:29:28 0 d-------- C:\Documents and Settings\christian\Application Data\U3
2008-06-07 17:43:37 0 d-------- C:\WINDOWS\system32\NtmsData
2008-06-03 15:26:14 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-03 15:26:14 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-03 15:26:14 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-03 15:26:14 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-03 15:26:14 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-03 15:26:14 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-03 15:26:14 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-03 15:26:14 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-06-03 15:26:14 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-03 15:26:14 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-03 15:26:13 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-03 15:26:13 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-03 15:26:13 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-03 15:26:13 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT


-- Find3M Report ---------------------------------------------------------------

2008-06-17 16:43:22 13312 --a-s---- C:\WINDOWS\system32\funfsnv.dll
2008-06-14 19:06:22 0 d-------- C:\Program Files\Common Files
2008-06-14 19:04:15 0 d-------- C:\Program Files\microsoft frontpage
2008-06-13 21:55:28 0 d-------- C:\Program Files\Arovax AntiSpyware
2008-06-08 13:02:30 0 d-------- C:\Program Files\Messenger
2008-06-08 07:54:42 0 d-------- C:\Program Files\Common Files\Real
2008-06-07 21:45:33 0 d-------- C:\Documents and Settings\christian\Application Data\Macromedia
2008-06-07 20:03:46 0 d-------- C:\Program Files\PlayFirst
2008-05-11 14:26:09 19 --a------ C:\WINDOWS\popcinfo.dat
2008-05-10 15:00:08 49152 --a------ C:\WINDOWS\system32\HCPSST.dll <Not Verified; HexaLock Ltd.; HCPS>
2008-05-10 15:00:08 73728 --a------ C:\WINDOWS\system32\HCPS98Tool.dll <Not Verified; HexaLock Ltd.; HCPS>
2008-05-10 15:00:07 249856 --a------ C:\WINDOWS\system32\HCPSTool.dll <Not Verified; HexaLock Ltd.; HCPS>
2008-05-10 14:57:43 802816 --a------ C:\WINDOWS\feedingfrenzy.scr <Not Verified; Sprout Games, LLC; Feeding Frenzy>
2008-05-10 14:56:58 0 d-------- C:\Program Files\Real
2008-05-10 14:54:07 0 d-------- C:\Documents and Settings\christian\Application Data\PlayFirst
2008-05-10 14:37:37 0 d-------- C:\Program Files\PopCap Games
2008-05-10 14:07:22 0 d-------- C:\Documents and Settings\christian\Application Data\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
06/13/2008 09:58 PM 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A49E097A-D6EF-4B2F-8B0F-1230E998587F}]
06/18/2008 08:45 AM 8192 --a------ C:\Program Files\Web Technologies\iebt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
06/13/2008 09:58 PM 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecoverFromReboot"="C:\WINDOWS\Temp\RecoverFromReboot.exe" []
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [08/04/2004 08:00 AM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [10/01/2007 04:40 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [06/06/2008 12:04 PM]
"AUTORUN_VAL"="C:\Program Files\AntiSpyCheck 2.1\AntiSpyCheck 2.1.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 4:05:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"some"=C:\Program Files\Web Technologies\wcs.exe
"start"=C:\Program Files\Web Technologies\iebtm.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-06-18 14:13:01 ------------

This one is the extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 85%
Physical Memory (total/avail): 254.55 MiB / 37.22 MiB
Pagefile Memory (total/avail): 1009.36 MiB / 678.56 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1912.06 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 9.52 GiB total, 4.29 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 31024H1 B - 9.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 9.52 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Spy Sweeper with AntiVirus v5.5.7.103 (Webroot Software Inc)
AV: avast! antivirus 4.8.1201 [VPS 080614-0] v4.8.1201 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\\System\\Apps\\7AE36A1C-D0D7-44e9-8C5F-8D745BC5425D\\Exec\\sliders.exe"="F:\\System\\Apps\\7AE36A1C-D0D7-44e9-8C5F-8D745BC5425D\\Exec\\sliders.exe:*:Disabled:sliders"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\christian\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DON-9C107DA7D4E
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\christian
LOGONSERVER=\\DON-9C107DA7D4E
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0803
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp
USERDOMAIN=DON-9C107DA7D4E
USERNAME=christian
USERPROFILE=C:\Documents and Settings\christian
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

christian (admin)
Administrator (new local, admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Shockwave Player --> C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Ask Toolbar --> rundll32 C:\PROGRA~1\AskSBar\bar\1.bin\AskSBar.dll,O
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
IEBrowse Tool --> "C:\Program Files\Web Technologies\iebtu.exe"
IExplorer Bar --> "C:\Program Files\Web Technologies\iebu.exe"
Macromedia Flash Player 8 --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe
Microsoft Word 2000 --> MsiExec.exe /I{00170409-78E1-11D2-B60F-006097C998E7}
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
PowerDVD --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\CyberLink\PowerDVD\Uninst.isu"
Puppy Luv --> MsiExec.exe /I{125A502F-2DF9-4948-A6A3-A7491D938CF0}
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Warning Center --> "C:\Program Files\Web Technologies\wcu.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type454 / Error
Event Submitted/Written: 06/18/2008 11:49:38 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application Ad-Aware.exe, version 6.2.0.206, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type453 / Error
Event Submitted/Written: 06/18/2008 11:49:29 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application Ad-Aware.exe, version 6.2.0.206, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type433 / Warning
Event Submitted/Written: 06/17/2008 10:06:36 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type420 / Warning
Event Submitted/Written: 06/17/2008 07:04:54 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type415 / Error
Event Submitted/Written: 06/17/2008 01:09:37 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module mshtml.dll, version 6.0.2900.3354, fault address 0x0021d3df.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5558 / Error
Event Submitted/Written: 06/18/2008 01:48:47 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.

Event Record #/Type5541 / Error
Event Submitted/Written: 06/18/2008 08:44:57 AM / 06/18/2008 08:45:27 AM
Event ID/Source: 4 / ACPI
Event Description:
AMLI: ACPI BIOS is attempting to read from an illegal IO port address (0x71), which lies in the 0x70 - 0x71 protected
address range. This could lead to system instability. Please contact your system vendor for technical assistance.

Event Record #/Type5540 / Error
Event Submitted/Written: 06/18/2008 08:44:57 AM / 06/18/2008 08:45:27 AM
Event ID/Source: 5 / ACPI
Event Description:
AMLI: ACPI BIOS is attempting to write to an illegal IO port address (0x70), which lies in the 0x70 - 0x71 protected
address range. This could lead to system instability. Please contact your system vendor for technical assistance.

Event Record #/Type5528 / Error
Event Submitted/Written: 06/18/2008 08:42:58 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
i8042prt

Event Record #/Type5527 / Error
Event Submitted/Written: 06/18/2008 08:42:23 AM / 06/18/2008 08:42:53 AM
Event ID/Source: 4 / ACPI
Event Description:
AMLI: ACPI BIOS is attempting to read from an illegal IO port address (0x71), which lies in the 0x70 - 0x71 protected
address range. This could lead to system instability. Please contact your system vendor for technical assistance.



-- End of Deckard's System Scanner: finished at 2008-06-18 14:13:01 ------------

#6
Victor15

    New Member

  • Topic Starter
  • Member
  • 4 posts
Those are the two Notepads that came out? Is that all I need to do? :)

#7
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
I need to see the Pandascan log (see my post #4, step 2)... If that determines that none of your system files are infected, then we can get a proper antivirus on your machine and then we can start to remove the infections I can see in your logs :)

andrewuk

#8
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.