Computer infected: please help!



#1 shepDoggieDog

Hi there!

My computer became infected with Trojan-Spy.HTML.Smitfraud.c. I have been combing the existing posts on this website and have followed many instructions to eliminate the problem, including Adaware, Spybot S&D, Cleanup!, Panda, AVG Antivirus, Ewido Security Suite and more. Each tool found and eliminated something.

I originally had Trend Micro Security Suite installed. Somehow this got disabled and would not run. As well, Adaware and Spybot S&D (already installed) would not run. I am now able to run them.

There still seems to be some issues with the machine, as it is slow and not acting 100%.

Below is my HijackThis log. Note that my boot drive is f: (not c:).

PLEASE HELP!

Cheers,
ShepDoggieDog



Logfile of HijackThis v1.99.1
Scan saved at 9:17:24 PM, on 5/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\Program Files\ewido\security suite\ewidoguard.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
F:\Program Files\QuickTime\qttask.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\WINDOWS\system32\ntvdm.exe
F:\WINDOWS\system32\ntvdm.exe
F:\WINDOWS\System32\taskmgr.exe
F:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite\kpp.exe" "C:\Program Files\Kazaa Lite\Kazaa.kpp" /SYSTRAY
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] F:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [mlifaap] f:\windows\cxyvfxf.exe
O4 - HKCU\..\Run: [sfmacma] f:\windows\cxyvfxf.exe
O4 - HKCU\..\Run: [kfnrwcw] f:\windows\cxyvfxf.exe
O4 - HKCU\..\Run: [jucrgtm] f:\windows\cxyvfxf.exe
O4 - HKCU\..\Run: [ufgoegp] f:\windows\cxyvfxf.exe
O4 - HKCU\..\Run: [ahbfnum] f:\windows\cxyvfxf.exe
O4 - HKCU\..\Run: [iflmkju] f:\windows\cxyvfxf.exe
O4 - HKCU\..\Run: [ifddjdg] f:\windows\cxyvfxf.exe
O4 - HKCU\..\Run: [crxcjrt] f:\windows\cxyvfxf.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {62C9AA00-6F2E-44D5-8887-074DFF625D10} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {62C9AA00-6F2E-44D5-8887-074DFF625D10} - (no file) (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {5A447319-0EA2-447B-A063-A5F849B097D0} (ScanZillaLE Class) - https://www.stopzill...es/SZScanLE.cab
O16 - DPF: {7C3F7875-20CB-5265-1C9D-32EE72E6FC94} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C8233FE-4BF3-4947-BD5A-B9884A53ECAC}: NameServer = 206.47.244.8,198.235.216.115
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - F:\Program Files\ewido\security suite\ewidoguard.exe
#2 dispn0ygonekrazy

Hi Shepdoggiedog, I'm dispn0ygonekrazy and I'll be helping you today. I'm sorry your post has not been answered for this long; it was probably overlooked.
#3 dispn0ygonekrazy

Hi Shepdoggiedog,

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please RIGHT-CLICK: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

*IMPORTANT* CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

F:\wp.exe
F:\wp.bmp
F:\bsw.exe
F:\Windows\sites.ini
F:\Windows\popuper.exe
F:\Windows\system32\hhk.dll
F:\Windows\System32\wldr.dll
F:\Windows\system32\perfcii.ini
F:\Windows\System32\helper.exe
F:\Windows\System32\shnlog.exe
F:\Windows\System32\intmon.exe
F:\Windows\System32\intmonp.exe
F:\Windows\System32\msmsgs.exe
F:\Windows\system32\msole32.exe
F:\Windows\System32\ole32vbs.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following, if found (please do NOT try to find them by "search" because they will not show up that way):

FOLDERS to delete (in bold) if found:

F:\Program Files\Search Maid
F:\Program Files\Virtual Maid
F:\Windows\System32\LogFiles
F:\Program Files\Security IGuard

While still in Safe Mode, do the following:

Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found, then click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm

O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)

O4 - HKCU\..\Run: [mlifaap] f:\windows\cxyvfxf.exe
O4 - HKCU\..\Run: [sfmacma] f:\windows\cxyvfxf.exe
O4 - HKCU\..\Run: [kfnrwcw] f:\windows\cxyvfxf.exe
O4 - HKCU\..\Run: [jucrgtm] f:\windows\cxyvfxf.exe
O4 - HKCU\..\Run: [ufgoegp] f:\windows\cxyvfxf.exe
O4 - HKCU\..\Run: [ahbfnum] f:\windows\cxyvfxf.exe
O4 - HKCU\..\Run: [iflmkju] f:\windows\cxyvfxf.exe
O4 - HKCU\..\Run: [ifddjdg] f:\windows\cxyvfxf.exe
O4 - HKCU\..\Run: [crxcjrt] f:\windows\cxyvfxf.exe

O9 - Extra button: Microsoft AntiSpyware helper - {62C9AA00-6F2E-44D5-8887-074DFF625D10} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {62C9AA00-6F2E-44D5-8887-074DFF625D10} - (no file) (HKCU)


Close HiJackThis.

Reboot into normal mode.

1.) Download The Hoster. Press "Restore Original Hosts" and press "OK". Exit the program.

2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan.

Edited by Jfcap, 31 May 2005 - 07:50 PM.

#4 dispn0ygonekrazy

Another stale one, rock.
#5 shepDoggieDog (Topic Starter)

No, not stale! I'm just REALLY busy with work, renovations to a house and a kid!

ShepDoggieDog
#6 dispn0ygonekrazy

All right, I'll ask therock to reopen so I can still help you. After 4 days with no reply it's known as stale.
#7 shepDoggieDog (Topic Starter)

Hi there! This is the Panda ActiveScan report. Compared to a log that was taken some time ago, there are more items on it now. I re-ran Adaware 1.0.5 with the latest definition file but it did not find anything new. I will post the HijackThis! log in a separate post.

Cheers,
ShepDoggieDog




Incident | Status | Location
Adware:Adware/SaveNow | No disinfected | Windows Registry
Adware:Adware/Findspy | No disinfected | F:\Documents and Settings\Administrator\Favorites\ Free Hidden Cams World - Realtime.url
Adware:Adware/BlueScreenWarning | No disinfected | Windows Registry
Adware:Adware/Gator | No disinfected | C:\WIN98\Downloaded Program Files\CONFLICT.3\HDPlugin1019.inf
Spyware:Spyware/LocalNRD | No disinfected | C:\WIN98\inf\localNrd.inf
Adware:Adware/IPInsight | No disinfected | C:\WIN98\inf\conscorr.inf
Adware:Adware/Gator | No disinfected | C:\Documents and Settings\Robert Bierman\Local Settings\Temp\Temporary Internet Files\Content.IE5\GL4V8R07\hdplugin_1019_bundle43v2d33[1].cab[HDPlugin1019.dll]
Adware:Adware/Gator | No disinfected | C:\Documents and Settings\Robert Bierman\Local Settings\Temp\Temporary Internet Files\Content.IE5\GL4V8R07\hdplugin_1019_bundle33v1d33[1].cab
Adware:Adware/Gator | No disinfected | C:\Documents and Settings\Robert Bierman\Local Settings\Temp\Temporary Internet Files\Content.IE5\GL4V8R07\hdplugin_1019_bundle33v1d33[1].cab[HDPlugin1019.dll]
Spyware:Spyware/LocalNRD | No disinfected | C:\Documents and Settings\Robert Bierman\Local Settings\Temp\THI6415.tmp\localNrd.inf
Adware:Adware/IPInsight | No disinfected | C:\Documents and Settings\Robert Bierman\Local Settings\Temp\conscorr.inf
Adware:Adware/IPInsight | No disinfected | C:\Documents and Settings\Robert Bierman\Local Settings\Temp\conscorr.ini
Adware:Adware/FunWeb | No disinfected | C:\Documents and Settings\Robert Bierman\Local Settings\Temp\ICD2.tmp\f3initialsetup1.0.0.8-2.inf
Adware:Adware/AdDestroyer | No disinfected | C:\System Volume Information\_restore{7CDD5A49-1307-4D85-BD67-EF598CB177F0}\RP1020\A0120471.EXE
Adware:Adware/Kudd | No disinfected | C:\System Volume Information\_restore{7CDD5A49-1307-4D85-BD67-EF598CB177F0}\RP1022\A0120537.exe
Spyware:Spyware/Overpro | No disinfected | C:\System Volume Information\_restore{7CDD5A49-1307-4D85-BD67-EF598CB177F0}\RP1022\A0120542.exe
Adware:Adware/VirtualBouncer | No disinfected | C:\System Volume Information\_restore{7CDD5A49-1307-4D85-BD67-EF598CB177F0}\RP1022\A0120543.exe
Adware:Adware/Kudd | No disinfected | C:\System Volume Information\_restore{7CDD5A49-1307-4D85-BD67-EF598CB177F0}\RP1023\A0120662.exe
Adware:Adware/Findspy | No disinfected | F:\Documents and Settings\Administrator\Favorites\ Free Hidden Cams World - Realtime.url
Adware:Adware/Findspy | No disinfected | F:\Documents and Settings\Administrator\Favorites\ Free Spy Cam - Realtime.url
Possible Virus. | No disinfected | F:\WINDOWS\system32\grapiles.exe
Virus:Trj/Downloader.CVJ | Disinfected | F:\WINDOWS\system32\hybuaaaa.exe
#8 shepDoggieDog (Topic Starter)

Hi There! Below is the HijackThis! log, taken moments ago. I shut down all applications and windows before running. Log looks a lot cleaner.

Cheers,
Shep


Logfile of HijackThis v1.99.1
Scan saved at 10:41:05 AM, on 6/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
F:\Program Files\QuickTime\qttask.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Java\j2re1.4.2_06\bin\jucheck.exe
F:\Program Files\HiJackThis!\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite\kpp.exe" "C:\Program Files\Kazaa Lite\Kazaa.kpp" /SYSTRAY
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] F:\Program Files\Messenger\msmsgs.exe /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {5A447319-0EA2-447B-A063-A5F849B097D0} (ScanZillaLE Class) - https://www.stopzill...es/SZScanLE.cab
O16 - DPF: {7C3F7875-20CB-5265-1C9D-32EE72E6FC94} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C8233FE-4BF3-4947-BD5A-B9884A53ECAC}: NameServer = 206.47.244.8,198.235.216.115
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
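
Added example (editor's code, not HijackThis output and not the helper's procedure): the script below parses HijackThis entry lines, applies a few triage heuristics that reproduce the reasoning behind the items the helper asked to have fixed in post #3 (IE search hijack to a non-Microsoft host, a hosts-file entry pointing at a remote IP, references to files that no longer exist, many Run values with unrelated names all launching one binary, an ActiveX download from a raw IP that fetches an .exe), and diffs the 19 May log in post #1 against the 5 June log in post #8 to show what disappeared and what a reviewer would still want to look at. The embedded log lines are excerpts copied from those two posts, with most benign entries left out; the list of hosts treated as acceptable IE search targets (TRUSTED_SEARCH_HOSTS) and the thresholds are assumptions, and every hit is a review hint rather than a verdict.

```python
"""HijackThis (HJT) log triage and before/after diff. Added example: the heuristics
are the editor's, not HijackThis's or the forum helper's; the embedded lines are
excerpts copied from the two HJT logs posted in this thread (19 May and 5 June 2005)."""
import re
from collections import defaultdict
from urllib.parse import urlparse

HJT_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU\..\Run: [mlifaap] f:\windows\cxyvfxf.exe
O4 - HKCU\..\Run: [sfmacma] f:\windows\cxyvfxf.exe
O4 - HKCU\..\Run: [kfnrwcw] f:\windows\cxyvfxf.exe
O9 - Extra button: Microsoft AntiSpyware helper - {62C9AA00-6F2E-44D5-8887-074DFF625D10} - (no file) (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {7C3F7875-20CB-5265-1C9D-32EE72E6FC94} - http://69.50.182.94/1/rdgCA1882.exe
"""

HJT_AFTER = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {7C3F7875-20CB-5265-1C9D-32EE72E6FC94} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
URL_RE = re.compile(r"https?://\S+")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
TRUSTED_SEARCH_HOSTS = ("microsoft.com", "msn.com")  # assumption: acceptable IE defaults
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hjt(text):
    """Return [(section, body), ...] for entry lines; header and process list are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("sec"), m.group("body").strip()))
    return out


def run_target(cmd):
    """Lower-cased binary an O4 Run command launches: the quoted path, else up to '.exe'."""
    low = cmd.strip().lower()
    if low.startswith('"'):
        return low[1:low.index('"', 1)]
    i = low.find(".exe")
    return low[: i + 4] if i >= 0 else low.split()[0]


def triage(entries):
    """Map entry body -> reasons a reviewer should look twice (review hints, not verdicts)."""
    reasons = defaultdict(list)
    by_exe = defaultdict(list)  # O4 binary -> [(Run value name, body), ...]
    for sec, body in entries:
        url = URL_RE.search(body)
        host = urlparse(url.group(0)).hostname if url else None
        if "(file missing)" in body or "(no file)" in body:
            reasons[body].append("orphaned reference, file no longer exists")
        if sec in ("R0", "R1", "R3") and host and not host.endswith(TRUSTED_SEARCH_HOSTS):
            reasons[body].append(f"IE search/start page redirected to {host}")
        elif sec == "O1" and body.split()[1] not in LOOPBACK:
            reasons[body].append(f"hosts file maps a name to {body.split()[1]}")
        elif sec == "O4" and (m := O4_RE.match(body)):
            by_exe[run_target(m.group("cmd"))].append((m.group("name"), body))
        elif sec == "O16" and host:
            if IPV4_RE.fullmatch(host):
                reasons[body].append("ActiveX download from a raw IP address")
            if urlparse(url.group(0)).path.lower().endswith(".exe"):
                reasons[body].append("ActiveX entry downloads an .exe, not a .cab")
    # Several Run values with unrelated names launching one binary is a persistence pattern.
    for exe, hits in by_exe.items():
        names = {name for name, _ in hits}
        if len(names) > 1:
            for _, body in hits:
                reasons[body].append(f"{len(names)} Run values launch the same binary {exe}")
    return dict(reasons)


def diff_logs(before_text, after_text):
    """(removed, added) entry lines between two logs from the same machine."""
    before = {f"{s} - {b}" for s, b in parse_hjt(before_text)}
    after = {f"{s} - {b}" for s, b in parse_hjt(after_text)}
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    for body, why in triage(parse_hjt(HJT_BEFORE)).items():
        print(body, "->", "; ".join(why))
    removed, added = diff_logs(HJT_BEFORE, HJT_AFTER)
    print(len(removed), "entries gone,", len(added), "new; still flagged:",
          list(triage(parse_hjt(HJT_AFTER))))
```

Run as a script it prints every flagged entry from the first log, then the count of entries that disappeared between the two logs and whatever the heuristics still flag in the second one. On these excerpts the only entry flagged in both logs is the O16 DPF item fetching rdgCA1882.exe from 69.50.182.94; the script does not decide what that control is, it only points out that it survived the cleanup steps and merits a look.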

#9 dispn0ygonekrazy

Hi ShepDoggieDog,

You are running an out-of-date Ad-Aware. Please download the new 1.0.6, install it, update the definitions and run a full system scan.
Save the log from the scan and post a new log along with HJT and Ad-Aware.
#10 shepDoggieDog (Topic Starter)

Your wish...

Ad-Aware was updated. The scan config was set as recommended on the geekstogo.com website. Logfile is below.

HJT log to follow in next post.

Cheers,
Shep



Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, June 05, 2005 9:54:00 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R49 31.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):28 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


6-5-2005 9:54:00 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 480
ThreadCreationTime : 6-5-2005 2:54:19 AM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\F:\WINDOWS\system32\csrss.exe
Command Line : F:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 540
ThreadCreationTime : 6-5-2005 2:54:22 AM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\F:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 564
ThreadCreationTime : 6-5-2005 2:54:24 AM
BasePriority : High


#:4 [services.exe]
ModuleName : F:\WINDOWS\system32\services.exe
Command Line : F:\WINDOWS\system32\services.exe
ProcessID : 608
ThreadCreationTime : 6-5-2005 2:54:25 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : F:\WINDOWS\system32\lsass.exe
Command Line : F:\WINDOWS\system32\lsass.exe
ProcessID : 620
ThreadCreationTime : 6-5-2005 2:54:25 AM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : F:\WINDOWS\system32\svchost.exe
Command Line : F:\WINDOWS\system32\svchost -k rpcss
ProcessID : 912
ThreadCreationTime : 6-5-2005 2:54:27 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : F:\WINDOWS\System32\svchost.exe
Command Line : F:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 964
ThreadCreationTime : 6-5-2005 2:54:27 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : F:\WINDOWS\System32\svchost.exe
Command Line : F:\WINDOWS\System32\svchost.exe -k NetworkService
ProcessID : 1048
ThreadCreationTime : 6-5-2005 2:54:29 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : F:\WINDOWS\System32\svchost.exe
Command Line : F:\WINDOWS\System32\svchost.exe -k LocalService
ProcessID : 1064
ThreadCreationTime : 6-5-2005 2:54:29 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [spoolsv.exe]
ModuleName : F:\WINDOWS\system32\spoolsv.exe
Command Line : F:\WINDOWS\system32\spoolsv.exe
ProcessID : 1288
ThreadCreationTime : 6-5-2005 2:54:32 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:11 [explorer.exe]
ModuleName : F:\WINDOWS\Explorer.EXE
Command Line : F:\WINDOWS\Explorer.EXE
ProcessID : 1608
ThreadCreationTime : 6-5-2005 2:54:39 AM
BasePriority : Normal
FileVersion : 6.00.2800.1221 (xpsp2.030511-1403)
ProductVersion : 6.00.2800.1221
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:12 [avgamsvr.exe]
ModuleName : F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
Command Line : F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
ProcessID : 1644
ThreadCreationTime : 6-5-2005 2:54:40 AM
BasePriority : Normal
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:13 [avgupsvc.exe]
ModuleName : F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
Command Line : F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
ProcessID : 1704
ThreadCreationTime : 6-5-2005 2:54:40 AM
BasePriority : Normal
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
ProductName : AVG 7.0 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE

#:14 [ewidoctrl.exe]
ModuleName : F:\Program Files\ewido\security suite\ewidoctrl.exe
Command Line : "F:\Program Files\ewido\security suite\ewidoctrl.exe"
ProcessID : 1752
ThreadCreationTime : 6-5-2005 2:54:41 AM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe

#:15 [svchost.exe]
ModuleName : F:\WINDOWS\System32\svchost.exe
Command Line : F:\WINDOWS\System32\svchost.exe -k imgsvc
ProcessID : 1904
ThreadCreationTime : 6-5-2005 2:54:44 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:16 [jusched.exe]
ModuleName : F:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
Command Line : "F:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe"
ProcessID : 216
ThreadCreationTime : 6-5-2005 2:54:50 AM
BasePriority : Normal


#:17 [qttask.exe]
ModuleName : F:\Program Files\QuickTime\qttask.exe
Command Line : "F:\Program Files\QuickTime\qttask.exe" -atboottime
ProcessID : 260
ThreadCreationTime : 6-5-2005 2:54:53 AM
BasePriority : Normal
FileVersion : 6.4
ProductVersion : QuickTime 6.4
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2003
OriginalFilename : QTTask.exe

#:18 [avgcc.exe]
ModuleName : F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
Command Line : "F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
ProcessID : 312
ThreadCreationTime : 6-5-2005 2:54:54 AM
BasePriority : Normal
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:19 [avgemc.exe]
ModuleName : F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
Command Line : "F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe"
ProcessID : 324
ThreadCreationTime : 6-5-2005 2:54:54 AM
BasePriority : Normal
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgemc.exe

#:20 [msmsgs.exe]
ModuleName : F:\Program Files\Messenger\msmsgs.exe
Command Line : "F:\Program Files\Messenger\msmsgs.exe" /background
ProcessID : 332
ThreadCreationTime : 6-5-2005 2:54:54 AM
BasePriority : Normal
FileVersion : 4.7.2010
ProductVersion : Version 4.7
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msmsgs
LegalCopyright : Copyright © Microsoft Corporation 1997-2003
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:21 [jucheck.exe]
ModuleName : F:\Program Files\Java\j2re1.4.2_06\bin\jucheck.exe
Command Line : -auto
ProcessID : 384
ThreadCreationTime : 6-5-2005 2:54:55 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : UpdateChecker Module
FileDescription : UpdateChecker Module
InternalName : UpdateChecker
LegalCopyright : Copyright 2002
OriginalFilename : UpdateChecker.EXE

#:22 [ad-aware.exe]
ModuleName : F:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
Command Line : "F:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" +483832
ProcessID : 3112
ThreadCreationTime : 6-6-2005 1:49:39 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:23 [iexplore.exe]
ModuleName : F:\Program Files\Internet Explorer\iexplore.exe
Command Line : "F:\Program Files\Internet Explorer\iexplore.exe"
ProcessID : 3540
ThreadCreationTime : 6-6-2005 1:50:43 AM
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

MRU List Object Recognized!
Location: : F:\Documents and Settings\Administrator\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : S-1-5-21-1220945662-813497703-842925246-500\software\adobe\acrobat reader\6.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : S-1-5-21-1220945662-813497703-842925246-500\software\ahead\nero - burning rom\recent file list
Description : list of recently used files in nero burning rom


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1220945662-813497703-842925246-500\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1220945662-813497703-842925246-500\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1220945662-813497703-842925246-500\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1220945662-813497703-842925246-500\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-19\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-20\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1220945662-813497703-842925246-500\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1220945662-813497703-842925246-500\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-1220945662-813497703-842925246-500\software\microsoft\office\8.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-1220945662-813497703-842925246-500\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-1220945662-813497703-842925246-500\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : S-1-5-21-1220945662-813497703-842925246-500\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1220945662-813497703-842925246-500\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1220945662-813497703-842925246-500\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-1220945662-813497703-842925246-500\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-1220945662-813497703-842925246-500\software\realnetworks\realplayer\6.0\preferences
Description : list of recent clips in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-1220945662-813497703-842925246-500\software\realnetworks\realplayer\6.0\preferences
Description : last login time in realplayer


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-1220945662-813497703-842925246-500\software\microsoft\windows media\wmsdk\general
Description : windows media sdk



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 28



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 28


Deep scanning and examining files (F:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for F:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 28


Deep scanning and examining files (G:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for G:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 28


Scanning Hosts file......
Hosts file location:"F:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 28




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 28

10:17:40 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:23:40.412
Objects scanned:187659
Objects identified:0
Objects ignored:0
New critical objects:0
  • 0

#11
shepDoggieDog

shepDoggieDog

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here is the HJT! log, taken after the Ad-aware 1.0.6 scan. Please also note that I will be away on business starting Tuesday and returning Saturday. If we don't resolve this before then, there will be a few days delay.

Cheers & Many Thanks,
Shep



Logfile of HijackThis v1.99.1
Scan saved at 11:29:36 PM, on 6/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
F:\Program Files\QuickTime\qttask.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Java\j2re1.4.2_06\bin\jucheck.exe
F:\Program Files\HiJackThis!\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite\kpp.exe" "C:\Program Files\Kazaa Lite\Kazaa.kpp" /SYSTRAY
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] F:\Program Files\Messenger\msmsgs.exe /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {5A447319-0EA2-447B-A063-A5F849B097D0} (ScanZillaLE Class) - https://www.stopzill...es/SZScanLE.cab
O16 - DPF: {7C3F7875-20CB-5265-1C9D-32EE72E6FC94} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C8233FE-4BF3-4947-BD5A-B9884A53ECAC}: NameServer = 206.47.244.8,198.235.216.115
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
  • 0

#12
dispn0ygonekrazy

dispn0ygonekrazy

    Member

  • Member
  • PipPipPip
  • 138 posts
Congratulations ShepDoggieDog your log is clean :tazz:

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox; however, Opera and SlimBrowser are good as well.
And also see TonyKlein's good advice
So how did I get infected in the first place? and Spyware Aid's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.
  • 0
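The MVPS Hosts file tip above works because Windows consults the hosts file before DNS, so an ad domain pinned to 127.0.0.1 never leaves the machine. The same file is also where hijack entries land, which is why the Ad-Aware log earlier in this thread reports "Scanning Hosts file" and "1 entries scanned" for F:\WINDOWS\system32\drivers\etc\hosts. As an added example, not code from this thread, from MVPS or from Ad-Aware, here is a small Python auditor that separates deliberate sinkhole entries (127.0.0.1 or 0.0.0.0) from entries that pin a domain a user relies on to a routable address. The sample hosts text, the watched-domain list and the TEST-NET addresses in it are constructed for the example.

```python
"""Audit a Windows-style hosts file: deliberate sinkholes vs. suspicious redirects.

Added example. SAMPLE_HOSTS, WATCHED_SUFFIXES and the addresses in them are
constructed; replace SAMPLE_HOSTS with the real file contents to audit a system.
"""
import ipaddress

# Constructed sample; it is not the hosts file from this thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net        # MVPS-style blocking entry
0.0.0.0         banners.adserver.example  # same idea, unroutable sink
203.0.113.45    www.google.com            # routable address for a real domain
198.51.100.7    update.microsoft.com      # would silently divert updates
"""

# Addresses that an ad-blocking hosts file uses on purpose.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Domains whose normal resolution the user relies on; constructed list, extend as needed.
WATCHED_SUFFIXES = ("google.com", "microsoft.com", "windowsupdate.com")


def parse_hosts(text):
    """Return (line_number, address, hostname) tuples; comments and blanks are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue   # first field is not an IP address, so not a hosts entry
        for name in parts[1:]:                # one line may list several names
            entries.append((lineno, addr, name.lower()))
    return entries


def is_watched(name):
    """True when the hostname is, or is under, one of the watched domains."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def classify(entry):
    """Label one entry: 'standard', 'sinkhole', 'hijack_suspect' or 'other'."""
    _, addr, name = entry
    if name == "localhost":
        return "standard"
    if addr in SINKHOLE_ADDRESSES:
        return "sinkhole"          # MVPS-style block entry: harmless by design
    if is_watched(name):
        return "hijack_suspect"    # a relied-upon domain pinned to a routable address
    return "other"


def audit_hosts(text):
    """Group entries by label so a reviewer sees sinkholes apart from redirects."""
    report = {"standard": [], "sinkhole": [], "hijack_suspect": [], "other": []}
    for entry in parse_hosts(text):
        report[classify(entry)].append(entry)
    return report


if __name__ == "__main__":
    for label, items in audit_hosts(SAMPLE_HOSTS).items():
        for lineno, addr, name in items:
            print(f"line {lineno:>3}: {label:<14} {addr:<16} {name}")
```

On the constructed sample the two 203.0.113.x / 198.51.100.x lines are reported as hijack suspects while the doubleclick and adserver lines are reported as sinkholes, which is the distinction a reviewer needs when a hosts file has hundreds of MVPS entries and one or two foreign ones hidden among them. To audit a real machine, read the file at the path Ad-Aware printed and pass its contents to audit_hosts.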

#13
shepDoggieDog

shepDoggieDog

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Woohoo!

ThankyouThankyouThankyouThankyouThankyouThankyouThankyouThankyouThankyouThankyou.

Q. The Panda ActiveScan log listed a whole bunch of items that haven't been explicitly addressed. Can I ignore them then? Is ActiveScan too "aggressive"?

Thanks also for all the recommendations for antiSpy/virus/firewall. I was actually running PC-cillin but this was obviously not adequate.

Cheers,
Shep
  • 0

#14
dispn0ygonekrazy

dispn0ygonekrazy

    Member

  • Member
  • PipPipPip
  • 138 posts
We are glad to be of help. Thanks for your patience.
  • 0
