I need help ... [RESOLVED]

This topic is locked.

#16 John_L (Visiting Staff)
Ok thanks for that info :tazz:

Something else seems to have reared its ugly head as well; let's see if we can kill two birds with one stone, shall we?

Although I do see this in your log, I want to make sure it's the most up-to-date version.

Please download the Ewido Security Suite (trial version) from here :

http://www.ewido.net/en/download/ ...and install it. Update to the newest definitions. Do not run this yet

Please make sure to do this first.

See hidden folders and files

Then we have to go into safe mode; here's a link if you're not sure how to do that.

Reboot your computer in safe mode

Now that we are in safe mode, please find this file and delete if found.

C:\Program Files\ATS2\ats.exe<---This file

Please now run the ewido application.

Reboot back to normal mode and send me a new log and the ewido report.

#17 dacy (Topic Starter)
I'm confused :tazz: ... You want me to delete Anti Trojan Shield?

#18 John_L (Visiting Staff)
Thanks for questioning that :tazz: It threw me for a loop; I have talked to others and that apparently is a legit file and service.

So with that being said, please do not remove that file. Please do still go ahead with the ewido scan in safe mode and post your findings afterwards with a new hijack log ;)

And I do apologize for that recommendation.

#19 dacy (Topic Starter)
I scanned with ewido in safe mode and here's the report ...

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 13:17:17, 9.8.2005
+ Report-Checksum: F7B34DDD

+ Scan result:

C:\Documents and Settings\Dragica\Cookies\dragica@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Dragica\Cookies\dragica@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup


::Report End


_________________

... then I scanned with Hijack This in normal mode ...

Logfile of HijackThis v1.99.1
Scan saved at 13:21:07, on 9.8.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\mHotkey.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Free Ram Optimizer] C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Raziskovanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{95DB8BEA-5DA9-45DD-8A11-480C816E255B}: NameServer = 213.161.0.10,213.161.0.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{95DB8BEA-5DA9-45DD-8A11-480C816E255B}: NameServer = 213.161.0.10,213.161.0.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{95DB8BEA-5DA9-45DD-8A11-480C816E255B}: NameServer = 213.161.0.10,213.161.0.20
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

______________

... and again I couldn't help myself ... the ATShield log is still the same as it was

:tazz:

#20 John_L (Visiting Staff)
Good job Dacy :tazz:

One more thing I want to try please.

Step 1:
Download the eScan Antivirus Toolkit Here. Save it to the Desktop, it is 9.55MB in size.
Before running the program we need to update the signature files first in Step 2.

Step 2:
Updating the eScan Antivirus Toolkit with the latest files:

1.) Double-click on the mwav.exe file saved to the Desktop; it will extract the program files to a new folder called Kaspersky at the root of the C:\ drive. (C:\Kaspersky.)

2.) Double-click on My Computer, double-click on the Hard Drive (usually the C:\drive), find and double-click on the Kaspersky folder; inside the Kaspersky folder, find and double-click on the kavupd.exe file. Double-clicking on the kavupd.exe file opens the Windows command prompt (DOS screen) and updates the program with all the latest signature files. By default, the update process creates a folder on the root of the C:\drive called Downloads. This is where the updated files are placed.

3.) After the update is complete, the bottom of the command prompt will read "Press any key to continue", click any key to close the screen. Now, copy and paste the new updated signature files from the C:\Downloads folder to the C:\Kaspersky folder where eScan originally extracted the antivirus program files.

Please do not run a scan with the eScan Antivirus Toolkit utility yet.

Step 3:
Please reboot into Safe Mode.

Reboot your computer in safe mode

Step 4:
From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:

1.) To run the eScan Antivirus Toolkit program, look for a file called mwavscan.com inside the C:\Kaspersky folder.

2.) Double-click on the mwavscan.com file; this will open the eScan program.

3.) With the eScan interface on your Desktop, make sure that the boxes under Scan Option, Memory, Registry, Startup Folders, System Folders, Services, are checked.

4.) Check the Drive box; this will create another Drive box below it. Check this second Drive box as well; now a large window across from the second Drive box appears. In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.

5.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.

6.) Click the Scan Clean (or Scan) button and let the utility run until it completes a thorough scan of your hard drive. When the scan has finished it will read Scan Completed.

And thanks to SirJon for this great writeup.

After that please post a fresh hijack log. ;)

#21 dacy (Topic Starter)
Hi John :(

This eScan is the first program that found something on my computer :( I did everything like you said, and first here is the eScan result ...

:[msvLclnt.dll]VirusCount = 142847 Latest Date = 2005/08/09
:[msvLclnt.dll][00000001] File C:\Documents and Settings\Dragica\Application Data\FOR BYTE SIXTH\Typekindbin.exe infected by Trojan-Downloader.Win32.Swizzor.dg
:[msvLclnt.dll][00000001] File C:\Documents and Settings\Dragica\Application Data\FOR BYTE SIXTH\Typekindbin.exe infected by Trojan-Downloader.Win32.Swizzor.dg
:[msvLclnt.dll][00000001] File C:\Documents and Settings\Dragica\Local Settings\Temp\rnokempp.exe infected by Trojan-Downloader.Win32.Swizzor.dg
:[msvLclnt.dll][00000001] File C:\Documents and Settings\Dragica\Local Settings\Temp\rnokempp.exe infected by Trojan-Downloader.Win32.Swizzor.dg
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP17\A0001162.exe infected by not-a-virus:AdWare.Lop.x
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP17\A0001163.exe infected by Trojan-Downloader.Win32.Swizzor.de
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP17\A0001163.exe infected by Trojan-Downloader.Win32.Swizzor.de
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP17\A0001164.exe infected by Trojan-Downloader.Win32.Swizzor.bo
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP17\A0001164.exe infected by Trojan-Downloader.Win32.Swizzor.bo
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP17\A0001165.exe infected by Trojan-Downloader.Win32.Swizzor.di
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP17\A0001165.exe infected by Trojan-Downloader.Win32.Swizzor.di
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP17\A0001166.exe infected by Trojan-Downloader.Win32.Swizzor.cb
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP17\A0001166.exe infected by Trojan-Downloader.Win32.Swizzor.cb
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP26\A0001570.exe infected by not-a-virus:Server-FTP.Win32.Serv-U.gen
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP26\A0001571.exe infected by not-a-virus:Server-FTP.Win32.Serv-U.5201
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP26\A0001575.exe infected by not-a-virus:Server-FTP.Win32.Serv-U.5201
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP29\A0002976.exe infected by Trojan-Downloader.Win32.Swizzor.dj
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP29\A0002976.exe infected by Trojan-Downloader.Win32.Swizzor.dj
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP29\A0003047.exe infected by Trojan-Downloader.Win32.Swizzor.de
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP29\A0003047.exe infected by Trojan-Downloader.Win32.Swizzor.de
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP29\A0003048.exe infected by Trojan-Downloader.Win32.Swizzor.de
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP29\A0003048.exe infected by Trojan-Downloader.Win32.Swizzor.de
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP29\A0003049.exe infected by Trojan-Downloader.Win32.Swizzor.de
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP29\A0003049.exe infected by Trojan-Downloader.Win32.Swizzor.de
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP29\A0003050.exe infected by Trojan-Downloader.Win32.Swizzor.dj
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP29\A0003050.exe infected by Trojan-Downloader.Win32.Swizzor.dj
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP29\A0003051.exe infected by Trojan-Downloader.Win32.Swizzor.cb
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP29\A0003051.exe infected by Trojan-Downloader.Win32.Swizzor.cb
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP29\A0003062.exe infected by Trojan-Downloader.Win32.Swizzor.bo
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP29\A0003062.exe infected by Trojan-Downloader.Win32.Swizzor.bo
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP30\A0003093.exe infected by Trojan-Downloader.Win32.Swizzor.dg
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP30\A0003093.exe infected by Trojan-Downloader.Win32.Swizzor.dg
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP30\A0003145.exe infected by Trojan-Downloader.Win32.Swizzor.do
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP30\A0003145.exe infected by Trojan-Downloader.Win32.Swizzor.do
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP30\A0003221.exe infected by Trojan-Downloader.Win32.Swizzor.de
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP30\A0003221.exe infected by Trojan-Downloader.Win32.Swizzor.de
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP30\A0003222.exe infected by Trojan-Downloader.Win32.Swizzor.de
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP30\A0003222.exe infected by Trojan-Downloader.Win32.Swizzor.de
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP30\A0003223.exe infected by Trojan-Downloader.Win32.Swizzor.de
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP30\A0003223.exe infected by Trojan-Downloader.Win32.Swizzor.de
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP30\A0003399.exe infected by Trojan-Downloader.Win32.Swizzor.dg
:[msvLclnt.dll][00000001] File C:\System Volume Information\_restore{D64504DB-062A-423D-8743-8D6CCBA2F364}\RP30\A0003399.exe infected by Trojan-Downloader.Win32.Swizzor.dg
Tue Aug 09 18:07:10 2005 => Total Number of Files Scanned: 31835
Tue Aug 09 18:07:10 2005 => Total Number of Virus(es) Found: 23
Tue Aug 09 18:07:10 2005 => Total Number of Disinfected Files: 0
Tue Aug 09 18:07:10 2005 => Total Number of Files Renamed: 0
Tue Aug 09 18:07:10 2005 => Total Number of Deleted Files: 19
Tue Aug 09 18:07:10 2005 => Total Number of Errors: 0
Tue Aug 09 18:07:10 2005 => Time Elapsed: 00:38:07
Tue Aug 09 18:07:10 2005 => Virus Database Date: 2005/08/09
Tue Aug 09 18:07:10 2005 => Virus Database Count: 142847

Tue Aug 09 18:07:11 2005 => Scan Completed.

________________

... and here is the new Hijack This log ...

Logfile of HijackThis v1.99.1
Scan saved at 19:30:46, on 9.8.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\mHotkey.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Free Ram Optimizer] C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Raziskovanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{95DB8BEA-5DA9-45DD-8A11-480C816E255B}: NameServer = 213.161.0.10,213.161.0.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{95DB8BEA-5DA9-45DD-8A11-480C816E255B}: NameServer = 213.161.0.10,213.161.0.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{95DB8BEA-5DA9-45DD-8A11-480C816E255B}: NameServer = 213.161.0.10,213.161.0.20
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

_________

... But the ATShield log is still the same :tazz:

I hope it's ok to post you all logs ;) ... and tnx for helping me :)
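Added example, not code from the thread or from HijackThis: a small Python parser for HijackThis v1.99.1 logs like the two posted above. It diffs two scans (processes and O-entries that appeared or vanished) and lists O4 autostart entries whose executable was not among the running processes at scan time, which is the case for THGuard in the first log above but not in the second. The embedded sample logs are short excerpts of the thread's own logs.

```python
"""Parse HijackThis v1.99.1 logs, diff two scans, and flag O4 autostart
entries whose program was not running when the log was taken.
Added example; sample logs are excerpts of the two logs posted in the thread."""
import re
from dataclasses import dataclass, field

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# Executable in an O4 command line: a quoted path, else the first token ending in .exe
EXE_RE = re.compile(r'"([^"]+?\.exe)"|(\S+?\.exe)', re.IGNORECASE)

@dataclass
class HjtLog:
    processes: set = field(default_factory=set)   # lower-cased full paths
    entries: dict = field(default_factory=dict)   # section ("O4") -> set of entry text

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def parse_hjt(text: str) -> HjtLog:
    log, in_procs = HjtLog(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False                      # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            log.processes.add(line.lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            log.entries.setdefault(m.group(1), set()).add(m.group(2))
    return log

def diff_hjt(old: HjtLog, new: HjtLog) -> dict:
    """Processes and O-entries that appeared or vanished between two scans."""
    out = {"procs_added": sorted(new.processes - old.processes),
           "procs_removed": sorted(old.processes - new.processes),
           "entries_added": [], "entries_removed": []}
    for sec in sorted(set(old.entries) | set(new.entries)):
        o, n = old.entries.get(sec, set()), new.entries.get(sec, set())
        out["entries_added"] += [f"{sec} - {e}" for e in sorted(n - o)]
        out["entries_removed"] += [f"{sec} - {e}" for e in sorted(o - n)]
    return out

def autostart_not_running(log: HjtLog) -> list:
    """O4 entries whose executable is absent from the running-process list."""
    running = {basename(p) for p in log.processes}
    missing = []
    for entry in sorted(log.entries.get("O4", ())):
        m = EXE_RE.search(entry.split("] ", 1)[-1])   # text after "[Name] "
        if m and basename(m.group(1) or m.group(2)) not in running:
            missing.append(entry)
    return missing

# Excerpts of the two logs posted in the thread (constructed subsets, same lines).
LOG_FIRST = r"""Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
"""

LOG_SECOND = r"""Running processes:
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
"""

if __name__ == "__main__":
    first, second = parse_hjt(LOG_FIRST), parse_hjt(LOG_SECOND)
    for key, items in diff_hjt(first, second).items():
        print(key, items)
    print("O4 but not running (first log):", autostart_not_running(first))
```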

#22 John_L (Visiting Staff)
Hi Dacy :tazz:

Can you locate c:\WINDOWS\system32\pxcpya64.exe in your computer? Let me know if you can.

That may be the final file we have to get rid of.

#23 dacy (Topic Starter)
hei hei ;)

Yes, I can locate it :) There are 2 of them ... one is pxcpya64.exe and the other is pxcpyi64.exe :tazz:

#24 John_L (Visiting Staff)
Ok dacy good find :tazz:

Please delete these 2 files.

C:\WINDOWS\system32\pxcpya64.exe
C:\WINDOWS\system32\pxcpyi64.exe

Reboot your machine and let me know if that scan picks them up again. ;)

#25 dacy (Topic Starter)
ok John ;)

I hope my windows won't crash :tazz:

#26 dacy (Topic Starter)
Hi John :huh:

I'm back :wub:

That .exe file was from the Sonic Solutions company ... I deleted everything with that company name :tazz: and for now everything works fine. But I was talking to a friend and he said that he has these files too ... :)
I just hope it wasn't something important :hug: ...

All scans are clean now... :( :tazz: ... just the Trend Micro still warns me about the vulnerability ;)

THANK YOU :woot: :(

Edited by dacy, 11 August 2005 - 06:27 AM.


#27 John_L (Visiting Staff)
Hi Dacy :tazz:

Everything I checked out said that was a pair of bad files; I wouldn't be too worried about it. In case something had gone wrong, we were making backups within HijackThis and everything was completely reversible.

As far as your friend having those same files, tell your friend that they should have their log analyzed as well. ;)

Since your issues have been addressed and you are ready to travel the net again, I will just give you a few ideas on how to stay safe out there. Best of all these programs are all readily available on the net for free :)

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

More info and download is available at:

Spyware Blaster Spyware Guard

Might I suggest the following Free Spyware programs for added security, you can download them at the following links. These programs work great for detection:

Ad-aware SE--Adaware Tutorial

Spybot S&D--Spybot Tutorial

Antiviruses play an important role in keeping your computer safe and worry free while using the net. *NOTE* Only one antivirus must be allowed to run on your computer, as having two or more running can and will cause conflicts.

AVG Avast

Firewalls are also a must in any good prevention :

Zone Alarm Sygate Kerio

There are different browsers available on the net, other than Internet Explorer, we believe!! these are better for security purposes :

Firefox Opera

You must stay on top of your updates at all times, for the above mentioned applications.

It is vitally important to stay on top of your critical updates provided by microsoft.

This can be accessed by going to Windows Updates and following the prompts.

To add to the performance of your computer, I suggest a weekly maintenance program. Run this tool: Ccleaner

Lastly a second opinion on the Antivirus that you have chosen. I suggest running these online virus scans periodically, just to make sure that the av is doing a proper job, of keeping you safe :

Rav Online Scan Housecall Online Scan Panda Activescan

Housecall Java Online Scan<---For those who use Firefox

And finally, a little reading: How did I get infected in the first place? (by Mr. Tony Klein and dvk01)

Good luck and safe surfing :(

#28 dacy (Topic Starter)
Tnx for helping me again :tazz:

I hope I won't have problems like this anymore ;)

I almost forgot ... those files had something to do with WinAmp, because when I open it, it says:

Winamp 5.094: winamp.exe - Unable To Locate Component
This application has failed to start because PX.dll was not found.Reinstalling the application may fix this problem.

... if I push the OK button the amp is opening and playing for a few minutes and then it's closing by itself.

#29 John_L (Visiting Staff)
Yep, all I can say is the same thing: reinstall the app and see if it helps.

You're very welcome, take care :tazz:

#30 John_L (Visiting Staff)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.