Ewido + Hijackthis scan results [RESOLVED]


This topic is locked.

#1
cheesus (New Member, 5 posts)
I was directed here by somebody from another part of the forum. My original post said:

"My system started off with 256MB of RAM and so I installed another 768MB in 3 x 256MB sticks. Now this hasn't really helped things run better, as a lot of things are still recognising only the first 256MB stick. The system information option shows:

Total Physical Memory 1,024.00 MB
Available Physical Memory 32.38 MB

So I know the memory is being recognised, but the available memory hasn't gone up since the extra RAM was installed. Somebody told me it could mean I need a new BIOS, but I've looked and haven't found anything more recent than the one I already have."

I don't know what any of the below says, but that's hopefully where you can help.
Thanks



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 23:06:15, 31/05/2005
+ Report-Checksum: 7E64214C

+ Date of database: 31/05/2005
+ Version of scan engine: v3.0

+ Duration: 48 min
+ Scanned Files: 85855
+ Speed: 29.41 Files/Second
+ Infected files: 46
+ Removed files: 46
+ Files put in quarantine: 46
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Mark Bullock\Cookies\mark bullock@www.new[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\AdTools Service\AdToolsKeep.exe -> Spyware.WinAD.k -> Cleaned with backup
C:\Program Files\Common Files\lctrbafl\aafnctnn\dldnltrt.exe -> Spyware.Gator -> Cleaned with backup
C:\Program Files\Common Files\lctrbafl\lbanelbjcc\ljdllhpcj.exe -> Spyware.Gator -> Cleaned with backup
C:\Program Files\iMesh\Client\DatingCity\DCInstaller.exe -> Spyware.DatingCity -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP149\A0063095.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP150\A0064041.dll -> Spyware.NewDotNet -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP168\A0071352.exe -> TrojanDownloader.Apropo.r -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP168\A0071354.dll -> Spyware.Apropos.f -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP168\A0071361.dll -> TrojanDownloader.Apropo.w -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP168\A0071474.exe -> Spyware.Apropos -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP169\A0071482.exe -> Spyware.Apropos -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP169\A0071483.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP169\A0071485.exe -> Spyware.Apropos.i -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP171\A0071568.exe -> Spyware.Apropos -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP171\A0071569.dll -> TrojanDownloader.Apropo.w -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP171\A0071570.exe -> TrojanDownloader.Apropo.r -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP171\A0071574.dll -> Spyware.Apropos.f -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP171\A0071581.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP172\A0071596.exe -> Spyware.Apropos.i -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP174\A0071664.exe -> Spyware.Apropos -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP174\A0071667.dll -> Spyware.Apropos.f -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP175\A0071732.dll -> TrojanDownloader.Apropo.w -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP175\A0071733.exe -> TrojanDownloader.Apropo.r -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP175\A0071735.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP175\snapshot\MFEX-27.DAT -> TrojanDownloader.Apropo.w -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP175\snapshot\MFEX-28.DAT -> TrojanDownloader.Apropo.r -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP175\snapshot\MFEX-34.DAT -> TrojanDownloader.IstBar -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP200\A0079460.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP201\A0080488.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP206\A0085575.exe -> TrojanDownloader.Dyfuca.dx -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP206\A0085579.exe -> Spyware.WinAD.am -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP206\A0085580.exe -> Spyware.WinAD -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP206\A0085589.dll -> Spyware.WinAD.ag -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP217\A0086930.exe -> TrojanDownloader.IstBar.ij -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP218\A0086933.DLL -> TrojanDownloader.FunWeb.a -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP218\A0086935.exe -> TrojanDownloader.IstBar.ij -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP218\A0086936.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP218\snapshot\MFEX-10.DAT -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll -> Spyware.WinAD.ah -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ysbactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\NDNuninstall4_85.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINDOWS\system32\nvu2evxx.exe -> Spyware.Apropos.i -> Cleaned with backup
C:\WINDOWS\webhdll.dll_tobedeleted -> Spyware.WebHancer -> Cleaned with backup
C:\WINDOWS\__delete_on_reboot__lbbho.dll -> Spyware.Neon.a -> Cleaned with backup


::Report End





Logfile of HijackThis v1.99.1
Scan saved at 23:22:42, on 31/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mark Bullock\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.savastore.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Watford Electronics
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_72.dll
O2 - BHO: - {B5594824-6974-454B-823E-5777D378E0CA} - C:\WINDOWS\lbbho.dll (file missing)
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SavaStore - {8AE10CB9-3372-40E6-85AF-659BECD99AE7} - "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.savastore.com (file missing) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://www.savastore.com
O16 - DPF: ChatSpace Full Java Client 3.1.0.235N - http://205.177.13.50...a/cfsn31235.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c24.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://www.mir3euro...Crypt/npkcx.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe

Thanks for any help

Edited by cheesus, 31 May 2005 - 04:33 PM.

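An added example, not part of the original post and not ewido's own code, that reads the ewido scan report above and splits the detections by family and by location. The point a practitioner wants from that report is that most of the 46 hits sit under System Volume Information\_restore, i.e. System Restore snapshots of the same few families (Apropos, IstBar, NewDotNet, WinAD), not 46 separate live infections; the live files are the handful under Program Files, Downloaded Program Files and system32. The result lines embedded below are excerpted from the post; the family() split on ewido's Category.Family.variant naming and the restore-point test are this example's own simplifications (ewido itself names one family both "Apropo" and "Apropos").

```python
"""Summarise an ewido security suite scan report by malware family and location.

Added example: not code from the thread or from ewido.  The result lines
below are excerpted from the report posted above; the family split and the
restore-point test are this example's own simplifications.
"""
from __future__ import annotations

import re
from collections import Counter

# Excerpt of the ewido report posted above (11 of the 46 result lines).
SAMPLE_REPORT = r"""
+ Scan result:
C:\Documents and Settings\Mark Bullock\Cookies\mark bullock@www.new[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\AdTools Service\AdToolsKeep.exe -> Spyware.WinAD.k -> Cleaned with backup
C:\Program Files\Common Files\lctrbafl\aafnctnn\dldnltrt.exe -> Spyware.Gator -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP149\A0063095.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP168\A0071352.exe -> TrojanDownloader.Apropo.r -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP168\A0071354.dll -> Spyware.Apropos.f -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP169\A0071483.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\System Volume Information\_restore{225B7122-4D67-4C8B-BBF5-F1F58DE01716}\RP175\snapshot\MFEX-27.DAT -> TrojanDownloader.Apropo.w -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ysbactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\system32\nvu2evxx.exe -> Spyware.Apropos.i -> Cleaned with backup
C:\WINDOWS\__delete_on_reboot__lbbho.dll -> Spyware.Neon.a -> Cleaned with backup

::Report End
"""

# One result line: <path> -> <Category.Family[.variant]> -> <action taken>
RESULT_RE = re.compile(r"^(?P<path>.+?) -> (?P<name>\S+) -> (?P<action>.+)$")
# System Restore keeps copies of replaced files under this directory.
RESTORE_MARKER = r"\system volume information\_restore"


def parse_report(text: str):
    """Yield (path, detection_name, action) for every result line in the report."""
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            yield m.group("path"), m.group("name"), m.group("action")


def family(detection: str) -> str:
    """Drop the category prefix and the variant suffix of an ewido name.

    'Spyware.Apropos.f' -> 'Apropos', 'TrojanDownloader.IstBar' -> 'IstBar'.
    ewido's own naming is not consistent (Apropo vs Apropos), so this is only
    a grouping aid, not an identity.
    """
    parts = detection.split(".")
    return parts[1] if len(parts) > 1 else parts[0]


def summarise(text: str) -> tuple[Counter, Counter]:
    """Count detections per family, split into live files vs restore-point copies."""
    live: Counter = Counter()
    restore: Counter = Counter()
    for path, name, _action in parse_report(text):
        bucket = restore if RESTORE_MARKER in path.lower() else live
        bucket[family(name)] += 1
    return live, restore


def live_paths(text: str) -> list[str]:
    """Paths of detections that were on the live system, not in a restore point."""
    return [p for p, _n, _a in parse_report(text) if RESTORE_MARKER not in p.lower()]


if __name__ == "__main__":
    live, restore = summarise(SAMPLE_REPORT)
    print("live:", dict(live))
    print("restore points:", dict(restore))
    for p in live_paths(SAMPLE_REPORT):
        print("  live file:", p)
```

Restore-point copies are inert until a System Restore rollback reinstates them, which is why helpers of this period had people flush old restore points once the live system was declared clean; the live_paths() list is what actually needed attention on the day of the scan.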


#2
loophole (Malware Expert, Retired Staff, 9,798 posts)
Hello cheesus


First, we need to get rid of NewDotNet. Go to Control Panel: Add/Remove Programs and remove it. If it is not there, go here and follow Procedure 4: http://www.newdotnet.com/removal.html


Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and, when it finishes, put an X in the boxes only next to the following items, then click Fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_72.dll
O2 - BHO: - {B5594824-6974-454B-823E-5777D378E0CA} - C:\WINDOWS\lbbho.dll (file missing)
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c24.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab


Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Using Windows Explorer (right-click Start, left-click Explore), search for and delete these files and folders (if found):
C:\Program Files\NewDotNet

Reboot your PC and post a new HijackThis log.

Thanks
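The fix list above is built by reading each HijackThis hook entry and deciding whether it belongs on the machine. As an added example (not from the thread and not HijackThis code), here is a first-pass triage in Python that encodes a few of the rules a log reader applies: entries that point at a file which no longer exists, unnamed BHOs and unnamed DPF ActiveX downloads, autostarts through rundll32, Winsock LSP (O10) entries, and names on a watch list. The sample lines are excerpted from the first log in the thread; the rules and the watch list (only New.Net, the product named here) are this example's own and are deliberately conservative, so they reproduce the helper's picks except the MSN search-bar R1 line, which takes a human to judge. O10 entries are flagged but, as the helper did, the remedy is to uninstall the product that installed the LSP rather than "fix" the O10 line itself, because a broken LSP chain takes networking down with it.

```python
"""First-pass triage of HijackThis hook entries.

Added example: not code from the thread or from HijackThis.  The sample
lines are excerpted from the first log posted above; the rules and the
watch list are this example's own and are deliberately conservative.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Excerpt of the first HijackThis log in the thread (hook entries only).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_72.dll
O2 - BHO: - {B5594824-6974-454B-823E-5777D378E0CA} - C:\WINDOWS\lbbho.dll (file missing)
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O10 - Hijacked Internet access by New.Net
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c24.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

# Hook entries look like "O4 - ..."; running-process lines and headers do not.
ENTRY_RE = re.compile(r"^([FNOR]\d+) - (.*)$")
MISSING_RE = re.compile(r"\((?:no file|file missing)\)", re.IGNORECASE)
# A DPF entry whose CLSID is followed directly by the URL has no registered name.
UNNAMED_DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} - ")
# Watch list constructed for this example: only the product named in the thread.
WATCH_LIST = ("new.net", "newdotnet", "newdot~1")


@dataclass
class Finding:
    code: str
    line: str
    reasons: list[str] = field(default_factory=list)


def triage_entry(code: str, detail: str) -> list[str]:
    """Return the reasons (possibly none) an entry deserves a second look."""
    reasons: list[str] = []
    low = detail.lower()
    if MISSING_RE.search(detail):
        reasons.append("hook points at a file that no longer exists (orphaned entry)")
    if code == "O10":
        # Winsock LSP chain: uninstall the product that added it; removing the
        # line blindly can leave the chain broken and networking dead.
        reasons.append("Winsock LSP (O10) entry; remove via uninstaller, not by fixing the line")
    if code == "O2" and detail.startswith("BHO: -"):
        reasons.append("Browser Helper Object with no registered name")
    if code == "O4" and "rundll32" in low:
        reasons.append("autostart through rundll32; verify the DLL it loads")
    if code == "O16" and UNNAMED_DPF_RE.match(detail):
        reasons.append("ActiveX download (DPF) with no descriptive name")
    if any(name in low for name in WATCH_LIST):
        reasons.append("matches a watch-list name")
    return reasons


def triage_log(text: str) -> list[Finding]:
    """Run triage_entry over every hook entry; keep only entries with reasons."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, detail = m.groups()
        reasons = triage_entry(code, detail)
        if reasons:
            findings.append(Finding(code, raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

The rules are intentionally cheap string checks so that a clean entry such as the Acrobat BHO, the Panda autostart or the named Windows Genuine Advantage control is never flagged; anything that matches still needs a person to decide, which is the role the helper plays in this thread.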

#3
cheesus (Topic Starter, New Member, 5 posts)
Ahh, I'm not sure if I should reply with my log here or start another thread, as your rules say don't do either, lol. Well, I'll put it here and hope somebody replies.


Logfile of HijackThis v1.99.1
Scan saved at 12:09:36, on 05/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Mark Bullock\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.savastore.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Watford Electronics
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SavaStore - {8AE10CB9-3372-40E6-85AF-659BECD99AE7} - "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.savastore.com (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.savastore.com
O16 - DPF: ChatSpace Full Java Client 3.1.0.235N - http://205.177.13.50...a/cfsn31235.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://www.mir3euro...Crypt/npkcx.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe


Thanks for your help.
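An added example (not from the thread and not HijackThis code) for checking a follow-up log the way the helper does by eye: diff the hook entries of the two logs, confirm every line on the fix list is gone, and surface anything that appeared in between so it can be judged on its own. Only the R*/O* entries are compared, since the "Running processes" list changes with every boot and is a poor comparison key. The before/after excerpts and the fix list are copied verbatim from the posts above; the five identical O10 lines collapse into one because entries are compared as a set.

```python
"""Diff two HijackThis logs to confirm a cleanup and spot new entries.

Added example: not code from the thread or from HijackThis.  The before/after
excerpts and the fix list are copied from the posts above.
"""
from __future__ import annotations

import re

ENTRY_RE = re.compile(r"^[FNOR]\d+ - ")

# Hook entries from the first log (31/05/2005), excerpted.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_72.dll
O2 - BHO: - {B5594824-6974-454B-823E-5777D378E0CA} - C:\WINDOWS\lbbho.dll (file missing)
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c24.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab
"""

# Hook entries from the second log (05/06/2005), excerpted.
AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""

# The seven lines the helper asked to have fixed, verbatim.
FIX_LIST = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01",
    r"R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)",
    r"O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_72.dll",
    r"O2 - BHO: - {B5594824-6974-454B-823E-5777D378E0CA} - C:\WINDOWS\lbbho.dll (file missing)",
    r"O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s",
    r"O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c24.cab",
    r"O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab",
]


def entries(text: str) -> set[str]:
    """Hook entries of a log as a set; duplicates (e.g. repeated O10 lines) collapse."""
    return {line.strip() for line in text.splitlines() if ENTRY_RE.match(line.strip())}


def diff_logs(before: str, after: str) -> dict[str, list[str]]:
    """Entries removed, added and unchanged between two logs."""
    b, a = entries(before), entries(after)
    return {"removed": sorted(b - a), "added": sorted(a - b), "unchanged": sorted(a & b)}


def still_present(log: str, fix_list: list[str]) -> list[str]:
    """Fix-list lines that are still in the log (an empty list means the fix took)."""
    present = entries(log)
    return [line for line in fix_list if line.strip() in present]


if __name__ == "__main__":
    d = diff_logs(BEFORE, AFTER)
    for key in ("removed", "added", "unchanged"):
        print(f"{key} ({len(d[key])}):")
        for line in d[key]:
            print("   ", line)
    print("fix list still present:", still_present(AFTER, FIX_LIST) or "none")
```

Run against the two logs in this thread, "added" holds exactly one line, the msnmsgr autostart, which is why the reader's next step is to look at that entry rather than re-read the whole log.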

#4
loophole (Malware Expert, Retired Staff, 9,798 posts)
Hello cheesus

Uninstall via Add/Remove Programs: "Messenger Plus 3".
If you insist on using "Messenger Plus 3", reinstall it without the "Sponsor Software".
Note: Sponsor Software = C2Media\LOP (parasite).
This is not a Microsoft or MSN product! Be aware that any update to "Messenger Plus" will cause the program to prompt you to install the "Sponsor Software".


Reboot and post another HijackThis log in this thread, just as you did before.

#5
cheesus (Topic Starter, New Member, 5 posts)
OK, I've removed it and installed it without the sponsor. Here's the new log:

Logfile of HijackThis v1.99.1
Scan saved at 21:31:27, on 06/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Mark Bullock\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.savastore.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Watford Electronics
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SavaStore - {8AE10CB9-3372-40E6-85AF-659BECD99AE7} - "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.savastore.com (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.savastore.com
O16 - DPF: ChatSpace Full Java Client 3.1.0.235N - http://205.177.13.50...a/cfsn31235.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://www.mir3euro...Crypt/npkcx.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe



thanks

#6
loophole (Malware Expert, Retired Staff, 9,798 posts)
Hello cheesus

Congratulations! Your system is CLEAN.



Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.
And also see TonyKlein's good advice, So how did I get infected in the first place?, and AntiSpyware Net's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.
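An added example (not from the thread and not the MVPS project's code) of how the HOSTS-file block list in the tips above works, and of how to tell it apart from a HOSTS hijack. The MVPS file maps ad and tracking names to 127.0.0.1 (newer lists use 0.0.0.0) so the connection never leaves the machine; malware does the same trick in reverse, mapping a vendor's update site to an address it controls, which HijackThis reports as an O1 entry. The parser below handles comments, several names on one line and both sink-hole addresses, then separates blocked names from names redirected anywhere else. The HOSTS content is constructed for the example; the .example names and the 203.0.113.9 address are documentation placeholders, not real hosts.

```python
"""Inspect a Windows HOSTS file: which names are sink-holed, which are redirected.

Added example: not code from the thread or from the MVPS HOSTS project.  The
HOSTS content is constructed for the example; .example names and the
203.0.113.9 address are documentation placeholders.
"""
from __future__ import annotations

import ipaddress

# Constructed sample in the layout of a Windows HOSTS file with a block list appended.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost

# --- block list, in the style of the MVPS HOSTS file ---
127.0.0.1  ad.doubleclick.net
127.0.0.1  ads.example   banner.ads.example   # several names on one line are allowed
0.0.0.0    tracker.example                    # newer lists use 0.0.0.0 as the sink-hole

# --- constructed hijack entry: a vendor update site sent to someone else's address ---
203.0.113.9   update.antivirus.example
"""


def parse_hosts(text: str):
    """Yield (address, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            yield address, name.lower()


def is_sinkhole(address: str) -> bool:
    """True when traffic to the address never leaves the machine (loopback or 0.0.0.0)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def classify(text: str) -> tuple[dict[str, str], dict[str, str]]:
    """Split mappings into blocked names (sink-holed) and redirected names (anything else).

    A redirect of a name you did not add yourself is the HOSTS hijack that
    HijackThis reports as an O1 entry.
    """
    blocked: dict[str, str] = {}
    redirected: dict[str, str] = {}
    for address, name in parse_hosts(text):
        if name == "localhost":
            continue
        if is_sinkhole(address):
            blocked[name] = address
        else:
            redirected[name] = address
    return blocked, redirected


def is_blocked(text: str, hostname: str) -> bool:
    """Would a lookup of hostname be answered from HOSTS with a sink-hole address?"""
    blocked, _ = classify(text)
    return hostname.lower() in blocked


if __name__ == "__main__":
    blocked, redirected = classify(SAMPLE_HOSTS)
    print(f"{len(blocked)} names blocked")
    for name, address in redirected.items():
        print(f"REDIRECTED (possible hijack): {name} -> {address}")
```

The same split is the check to run after installing any block list: every non-comment line should be in the "blocked" bucket, and anything that lands in "redirected" was either put there on purpose (say, an internal name) or is exactly the entry a hijacker would add.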

#7
loophole (Malware Expert, Retired Staff, 9,798 posts)
Since this issue appears to be resolved, this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.