Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

trojan-spy.html.smitfraud.c [RESOLVED]

Started by psycho b , Jun 17 2005 01:07 AM

  • This topic is locked This topic is locked

#16
TomNJ
Posted 23 June 2005 - 09:07 AM

TomNJ

    Visiting Staff

  • Member
  • PipPipPip
  • 436 posts
[*]Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lbgum.dll/sp.html#28129
O2 - BHO: Class - {C72A4586-4D25-38C9-9B49-C0A7147CE676} - C:\WINDOWS\javazm32.dll
O4 - HKLM\..\Run: [PSGuard] C:\Archivos de programa\PSGuard\PSGuard.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\appmr.exe

Click on Fix Checked when finished and exit HijackThis.

[*]Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\system32\lbgum.dll
C:\Archivos de programa\PSGuard\PSGuard.exe
C:\WINDOWS\system32\appmr.exe

Exit Explorer, and follow the next step.

I will also need you go here http://osc.geekstogo...rviceremove.reg. When you are asked if you want to merg reg file say yes.

Post back a fresh HijackThis log and we will take another look.
  • 0

Advertisements

#17
psycho b
Posted 23 June 2005 - 12:54 PM

psycho b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
hi tom, just a question, after deleting the files in explorer to do this:

I will also need you go here http://osc.geekstogo...rviceremove.reg. When you are asked if you want to merg reg file say yes.

should i reboot into normal mode 2 do that, or should i download it first and then after deleting the files merg the reg file in safe mode?

Edited by psycho b, 23 June 2005 - 01:02 PM.

  • 0

#18
TomNJ
Posted 23 June 2005 - 01:04 PM

TomNJ

    Visiting Staff

  • Member
  • PipPipPip
  • 436 posts
You can reboot and then run that.
  • 0

#19
psycho b
Posted 23 June 2005 - 01:18 PM

psycho b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
hey tom, another question, im doing the hijackthis fix checked thing (im on another comp) but the scan doesnt show this file:

O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\appmr.ex

it shows a very similar one but changes in the end:

O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\appay.exe

should i check that one instead or do the fix checked with only the other three????
  • 0

#20
TomNJ
Posted 23 June 2005 - 01:21 PM

TomNJ

    Visiting Staff

  • Member
  • PipPipPip
  • 436 posts
Do the fixed check on the other 3
  • 0

#21
psycho b
Posted 23 June 2005 - 01:45 PM

psycho b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
ok, so i just did the deleting on safe mode, and when i go here:

http://osc.geekstogo...rviceremove.reg.

it just opens a page with a bunch of letters (heh) i need 2 download it right? not just open it.....
  • 0

#22
psycho b
Posted 23 June 2005 - 01:53 PM

psycho b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
hello again :tazz:

so i followed ur directions, i scanned with hijackthis, checked the first three entries u told me to, fixed, then i went into safe mode and deleted but i could only find:

C:\WINDOWS\system32\lbgum.dll

these other two i couldnt find:

C:\Archivos de programa\PSGuard\PSGuard.exe
C:\WINDOWS\system32\appmr.exe

then i rebooted into normal and merged the file with the registry, heres the new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 02:48:30 p.m., on 23/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\appay.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Archivos de programa\Apoint\Apoint.exe
C:\WINDOWS\system32\qttask.exe
C:\Archivos de programa\Sony\HotKey Utility\HKserv.exe
C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es-mx\msnappau.exe
C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Apoint\Apntex.exe
C:\Archivos de programa\PowerPanel\Program\PcfMgr.exe
C:\Archivos de programa\Sony\VAIO Action Setup\VAServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://svcs.microsof...nger&Country=00
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {5A16C904-0033-2429-0FD0-F51215430942} - C:\WINDOWS\system32\msgv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: T1msn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.4000.1001\es-mx\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Archivos de programa\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Archivos de programa\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [msnappau] "C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es-mx\msnappau.exe"
O4 - HKLM\..\Run: [sunasDTServ] C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\appay.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe

thanks for your time tom ;)

natalia
  • 0

#23
TomNJ
Posted 23 June 2005 - 05:32 PM

TomNJ

    Visiting Staff

  • Member
  • PipPipPip
  • 436 posts
[*]Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: Class - {5A16C904-0033-2429-0FD0-F51215430942} - C:\WINDOWS\system32\msgv.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\appay.exe


Click on Fix Checked when finished and exit HijackThis.

[*]Reboot into Safe Mode: please see here if you are not sure how to do this.


Using Windows Explorer, locate the following files/folders, and if found delete them:

C:\WINDOWS\system32\msgv.dll
C:\WINDOWS\system32\appay.exe
Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log and we will take another look.
  • 0

#24
psycho b
Posted 23 June 2005 - 09:48 PM

psycho b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
hey tom,

followed ur directions and everything went fine, except i couldnt find this 2 delete through explorer:

C:\WINDOWS\system32\msgv.dll

i found two very similar ones tho:

C:\WINDOWS\system32\msgv.exe
C:\WINDOWS\system32\msgsvc.dll

but i didnt go near them coz i don wanna screw anything up hehe, just thought id let u know

heres the new log:

Logfile of HijackThis v1.99.1
Scan saved at 10:43:45 p.m., on 23/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Archivos de programa\Apoint\Apoint.exe
C:\WINDOWS\system32\qttask.exe
C:\Archivos de programa\Sony\HotKey Utility\HKserv.exe
C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es-mx\msnappau.exe
C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\PowerPanel\Program\PcfMgr.exe
C:\Archivos de programa\Sony\VAIO Action Setup\VAServ.exe
C:\Archivos de programa\Apoint\Apntex.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://svcs.microsof...nger&Country=00
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {6A3C5AEB-2856-9DC8-A5D7-C63EDEC0AF15} - C:\WINDOWS\winow.dll
O2 - BHO: Class - {E5BCD11D-CF53-13E8-21A0-55210FBE13D2} - C:\WINDOWS\cruq.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: T1msn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.4000.1001\es-mx\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Archivos de programa\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Archivos de programa\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [msnappau] "C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es-mx\msnappau.exe"
O4 - HKLM\..\Run: [sunasDTServ] C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\appay.exe (file missing)
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe

:tazz:
  • 0

#25
TomNJ
Posted 24 June 2005 - 08:10 AM

TomNJ

    Visiting Staff

  • Member
  • PipPipPip
  • 436 posts
I will need you to boot into safe mode for the fix

[*]Reboot into Safe Mode: please see here if you are not sure how to do this.

[*]Please set your system to show
all files; please see here if you're unsure how to do this.

[*]Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {6A3C5AEB-2856-9DC8-A5D7-C63EDEC0AF15} - C:\WINDOWS\winow.dll
O2 - BHO: Class - {E5BCD11D-CF53-13E8-21A0-55210FBE13D2} - C:\WINDOWS\cruq.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\appay.exe (file missing)

Click on Fix Checked when finished and exit HijackThis.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\winow.dll
C:\WINDOWS\cruq.dll
Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log and we will take another look. Also Let me know how your system is running.
  • 0

Advertisements

#26
psycho b
Posted 24 June 2005 - 02:40 PM

psycho b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
hello tom,

did what u asked me to, but i couldnt find these files on windows explorer:

C:\WINDOWS\winow.dll
C:\WINDOWS\cruq.dll

my system is running soooooooooooooo much better than it was 2 days ago, its still a bit slow but nothing too annoying, at least counter spy has stopped saying urls in internet explorer were being changed, which is GREAT coz that message was annoying haha kept coming up like every two minutes. Also my anti virus has stopped finding trojans every time i opened internet explorer, windows explorer and Hijackthis in normal mode (it kept finding trojans with different names, i kept trying to delete them, but it couldnt, and whenever it could delete them, it kept finding new ones... it was so annoying, but that has stopped now so YAY) so yeah, HUGE improvement, but anyways heres the new log, unfortunatly this one has come up again:

O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\appay.exe (file missing)

but oh well, ure the one who understands this thing so haha here it is:

Logfile of HijackThis v1.99.1
Scan saved at 03:31:05 p.m., on 24/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Archivos de programa\Apoint\Apoint.exe
C:\WINDOWS\system32\qttask.exe
C:\Archivos de programa\Sony\HotKey Utility\HKserv.exe
C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es-mx\msnappau.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Apoint\Apntex.exe
C:\Archivos de programa\PowerPanel\Program\PcfMgr.exe
C:\Archivos de programa\Sony\VAIO Action Setup\VAServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://svcs.microsof...nger&Country=00
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: T1msn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.4000.1001\es-mx\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Archivos de programa\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Archivos de programa\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [msnappau] "C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es-mx\msnappau.exe"
O4 - HKLM\..\Run: [sunasDTServ] C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\appay.exe (file missing)
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe

thanks a lot tom :tazz:
  • 0

#27
TomNJ
Posted 25 June 2005 - 11:54 AM

TomNJ

    Visiting Staff

  • Member
  • PipPipPip
  • 436 posts
OK Lets try this for that stuborn 023 line

Go to start, run type "services.msc" with out the quotes find the service.

Workstation NetLogon Service

Right click and stop it, make the start up type to disabled.

After doing the above please reboot normaly and post a new HJT log here.
  • 0

#28
psycho b
Posted 26 June 2005 - 09:45 PM

psycho b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
done, heres the new log :tazz::

Logfile of HijackThis v1.99.1
Scan saved at 10:44:05 p.m., on 26/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Archivos de programa\Apoint\Apoint.exe
C:\WINDOWS\system32\qttask.exe
C:\Archivos de programa\Sony\HotKey Utility\HKserv.exe
C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es-mx\msnappau.exe
C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\PowerPanel\Program\PcfMgr.exe
C:\Archivos de programa\Sony\VAIO Action Setup\VAServ.exe
C:\Archivos de programa\Apoint\Apntex.exe
C:\Archivos de programa\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://svcs.microsof...nger&Country=00
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: T1msn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.4000.1001\es-mx\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Archivos de programa\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Archivos de programa\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [msnappau] "C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es-mx\msnappau.exe"
O4 - HKLM\..\Run: [sunasDTServ] C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
  • 0

#29
TomNJ
Posted 27 June 2005 - 08:28 AM

TomNJ

    Visiting Staff

  • Member
  • PipPipPip
  • 436 posts
Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox Posted Image.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. ;)
  • 0

#30
psycho b
Posted 27 June 2005 - 10:47 PM

psycho b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
yayyyyy thankyou so much for all your help tom :tazz::D:D:D:D
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP