Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Another victim of Winfixer 2005 ! [RESOLVED]


  • This topic is locked This topic is locked

#1
gregga1

gregga1

    Member

  • Member
  • PipPip
  • 15 posts
Hi..... !!

I've read and followed the instructions in the "You Must Read This Before Posting Hijack logs" section. Problem still persists.

My log files posted as instructed in the above section.

Any assistance will be very much appreciated.

Gregga


Logfile of HijackThis v1.99.1
Scan saved at 11:37:15 PM, on 14/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\Gomez\GomezPEER\bin\GomezPEER.exe
C:\Program Files\IDETOOL\IDETOOL.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\YacsMon.exe
C:\PROGRA~1\Gomez\GOMEZP~1\jre\bin\java.exe
C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\My Documents\MARS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/My%20Documents/Bookmark.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.5.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Gomez PEER.lnk = C:\Program Files\Gomez\GomezPEER\bin\GomezPEER.exe
O4 - Global Startup: IDETool.lnk = C:\Program Files\IDETOOL\IDETOOL.EXE
O4 - Global Startup: YacsMon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} (VacPro.internazionale_ver15) - http://advnt01.com/d...onale_ver15.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{F12B98EE-84FB-443A-8904-CC3738464B9A}: NameServer = 203.194.27.57 203.194.56.150
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:38:17 PM, 14/08/2005
+ Report-Checksum: A41EBCC7

+ Scan result:

:mozilla.6:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.15:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.16:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.17:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.18:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.21:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.91:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.92:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.93:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.94:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.95:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.100:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.101:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.102:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.103:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.104:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.105:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.106:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.107:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.108:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.109:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.110:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.111:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.112:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.113:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.117:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.118:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.119:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.120:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.121:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.122:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.123:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.124:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.127:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
:mozilla.128:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
:mozilla.129:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
:mozilla.135:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.159:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.160:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.161:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.162:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.163:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.169:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.195:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.197:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Realtracker : Cleaned with backup
:mozilla.198:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Realtracker : Cleaned with backup
:mozilla.224:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.225:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.226:C:\Documents and Settings\mars\Application Data\Mozilla\Firefox\Profiles\71m4po67.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\mars\Cookies\mars@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\mars\Cookies\mars@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\mars\Cookies\mars@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\mars\Cookies\mars@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\My Documents\MARS\Website\a-files\asc-progs\plug&earn\KEYKEY.exe/\Vprotkkd._vx -> TrojanSpy.KeyKey2000.125.b : Cleaned with backup


::Report End
  • 0

Advertisements


#2
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi gregga1 and welcome to GeeksToGo! My name is Excal and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

:tazz:

Excal
  • 0

#3
gregga1

gregga1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hi Excal..... thanks! It's ok on the delay. The problem still persists so here's a fresh log as requested...... and once again, THANKS!!!!


Logfile of HijackThis v1.99.1
Scan saved at 6:51:49 PM, on 18/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5LP_0001_0803NetInstaller.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\Gomez\GomezPEER\bin\GomezPEER.exe
C:\Program Files\IDETOOL\IDETOOL.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\YacsMon.exe
C:\PROGRA~1\Gomez\GOMEZP~1\jre\bin\java.exe
C:\WINDOWS\system32\wuauclt.exe
C:\My Documents\MARS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/My%20Documents/Bookmark.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.5.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5LP_0001_0803NetInstaller.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Gomez PEER.lnk = C:\Program Files\Gomez\GomezPEER\bin\GomezPEER.exe
O4 - Global Startup: IDETool.lnk = C:\Program Files\IDETOOL\IDETOOL.EXE
O4 - Global Startup: YacsMon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} (VacPro.internazionale_ver15) - http://advnt01.com/d...onale_ver15.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{F12B98EE-84FB-443A-8904-CC3738464B9A}: NameServer = 203.194.27.57 203.194.56.150
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
  • 0

#4
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi Greg,


DOWNLOAD PROGRAMS


Download and install CleanUp! Here
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

We will use this program later.


THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Open up and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan when it ask if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

5. Close all browsers, windows and unneeded programs.

6. Open HiJack and do a scan.

7. Put a Check next to the following items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5LP_0001_0803NetInstaller.exe"
O4 - Global Startup: YacsMon.exe
O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} (VacPro.internazionale_ver15) - http://advnt01.com/d...onale_ver15.CAB

You are using DAP which is not technically malware, but it may include malware and allow it into your system. You can find safer alternatives here: http://www.spywarein...cat=dlman#dlman
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm


8. click the Fix Checked box

9. Please remove these entries from Add/Remove Programs in the Control Panel(if present):

DAP <===Optional see above

10. Please remove the following folders using Windows Explorer (if present):

C:\Program Files\DAP<===Optional see above [/B]

11. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5LP_0001_0803NetInstaller.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\YacsMon.exe


12. Run the program CleanUp!

13. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

14. Please post the Active scan log and a fresh HiJackThis log. Let me know how your computer is running.
  • 0

#5
gregga1

gregga1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hi Excal..... that seemed to have gotten rid of the Winfix problem. Thanks so much! Here's the two logs as requested.....



Incident Status Location

Adware:adware/cws No disinfected C:\DOCUMENTS AND SETTINGS\MARS\FAVORITES\Health
Dialer:dialer.asl No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/INTERNAZIONALE_VER15.OCX
Adware:adware/powerstrip No disinfected Windows Registry
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\mars\Desktop\Utilitites\l2mfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\mars\Desktop\Utilitites\l2mfix.exe[Process.exe]
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\mars\Desktop\Utilitites\nailfix\Process.exe
Dialer:Dialer.BKJ No disinfected C:\My Documents\MARS\backups\backup-20050819-171452-997.inf
Hacktool:Hacktool/Processor No disinfected C:\My Documents\MARS\l2mfix.exe[Process.exe]
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
Possible Virus. No disinfected C:\WINDOWS\TEMP\ASHeuristic\ProcessViewer.exe.vir

Logfile of HijackThis v1.99.1
Scan saved at 6:57:34 PM, on 19/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\Gomez\GomezPEER\bin\GomezPEER.exe
C:\Program Files\IDETOOL\IDETOOL.EXE
C:\PROGRA~1\Gomez\GOMEZP~1\jre\bin\java.exe
C:\WINDOWS\system32\wuauclt.exe
C:\My Documents\MARS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/My%20Documents/Bookmark.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.5.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Gomez PEER.lnk = C:\Program Files\Gomez\GomezPEER\bin\GomezPEER.exe
O4 - Global Startup: IDETool.lnk = C:\Program Files\IDETOOL\IDETOOL.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F12B98EE-84FB-443A-8904-CC3738464B9A}: NameServer = 203.194.27.57 203.194.56.150
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
  • 0

#6
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg (make sure that Save as Type is set at "All Files") on your Desktop. Ensure there is no space at above REGEDIT 4.


REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/INTERNAZIONALE_VER15.OCX ]



Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Please remove the following folders using Windows Explorer (if present):

C:\DOCUMENTS AND SETTINGS\MARS\FAVORITES\Health


please reboot

Please download the file I supplies in this post. Unzip it to its own folder on your desktop.

Open the RegSearch folder and double click RegSearch.vbs. Allow it to run.
Note: if your Antivirus or another program prompts about running a script file, allow the script to run.

copy and paste this in: dialer.asl then hit "ok"

RegSearch will "disappear" but it is actually searching the registry for that entry.

Copy and paste what it finds into a Notepad file.

Do the same for powerstrip

THanks,

:tazz:

Excal
  • 0

#7
gregga1

gregga1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hi Excal..... Did all as instructed, RegSearch came up with 'not found' for both dialer.asl and powerstrip.

Thanks for your help.
  • 0

#8
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
I think it would serve you well to clean your registry!
  • Please dowload: RegSeeker.
  • Click on "Clean The Registry" in the left panel.
  • Check all boxes (make sure the backup box in the lower left corner is selected!).
  • After it runs, click "Select All" on the bottom, then right-click on any selected item in the window and select "Delete Selected Items".
  • Click "Quit RegSeeker".
Now, open any of your installed programs, and make sure that everything opens ok. If so, reboot, then go back and run the RegSeeker again, do the same thing again if anything is found. When RegSeeker finds nothing else, then it's clean!


After you get the number of registstry entries as low as you can go, then please run active scan agian and post its log.

thanks,

:tazz:

Excal
  • 0

#9
gregga1

gregga1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
o.k..... all done :tazz:

Thanks again



Incident Status Location

Dialer:dialer.asl No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/INTERNAZIONALE_VER15.OCX
Adware:adware/powerstrip No disinfected Windows Registry
Security Risk:Application/ProcessorNo disinfected C:\Documents and Settings\mars\Desktop\Utilitites\l2mfix\Process.exe
Security Risk:Application/ProcessorNo disinfected C:\Documents and Settings\mars\Desktop\Utilitites\l2mfix.exe[Process.exe]
Security Risk:Application/ProcessorNo disinfected C:\Documents and Settings\mars\Desktop\Utilitites\nailfix\Process.exe
Dialer:Dialer.BKJ No disinfected C:\My Documents\MARS\backups\backup-20050819-171452-997.inf
Security Risk:Application/ProcessorNo disinfected C:\My Documents\MARS\l2mfix.exe[Process.exe]
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
Possible Virus. No disinfected C:\WINDOWS\TEMP\ASHeuristic\ProcessViewer.exe.vir
  • 0

#10
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Do you have other accounts on this computer?

:tazz:

Excal
  • 0

Advertisements


#11
gregga1

gregga1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
no....... :tazz:
  • 0

#12
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the "Free Trial" link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Install it.
  • When you open the program, it will prompt you to update to the latest definitions.
  • Please do so, then click "Sweep Now".
  • Click the "Start" button.
  • When it's done scanning, click the "Next" button.
  • Make sure everything has a check next to it, then click the "Next" button.
  • It will remove all of the items found.
  • Click "Session Log" in the upper right corner, copy everything in that window.
  • Click the Summary tab and click "Finish".
  • Paste the contents of the session log you copied into your next reply.

  • 0

#13
gregga1

gregga1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
o.k.... done :tazz:

********
10:19 PM: |··· Start of Session, Tuesday, 23 August 2005 ···|
10:19 PM: Spy Sweeper started
10:19 PM: Sweep initiated using definitions version 519
10:19 PM: Starting Memory Sweep
10:22 PM: Memory Sweep Complete, Elapsed Time: 00:02:56
10:22 PM: Starting Registry Sweep
10:22 PM: Registry Sweep Complete, Elapsed Time:00:00:10
10:22 PM: Starting Cookie Sweep
10:22 PM: Found Spy Cookie: com.com cookie
10:22 PM: mars@ebay.com[2].txt (ID = 2446)
10:22 PM: Found Spy Cookie: excite cookie
10:22 PM: mars@excite[2].txt (ID = 2631)
10:22 PM: mars@www.emailcash.com[1].txt (ID = 2446)
10:22 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:22 PM: Starting File Sweep
10:25 PM: Found Adware: 7adpower
10:25 PM: backup-20050819-171452-997.inf (ID = 114205)
10:27 PM: File Sweep Complete, Elapsed Time: 00:04:18
10:27 PM: Full Sweep has completed. Elapsed time 00:07:32
10:27 PM: Traces Found: 4
10:27 PM: Removal process initiated
10:27 PM: Quarantining All Traces: com.com cookie
10:27 PM: Quarantining All Traces: excite cookie
10:27 PM: Quarantining All Traces: 7adpower
10:27 PM: Removal process completed. Elapsed time 00:00:01
********
10:18 PM: |··· Start of Session, Tuesday, 23 August 2005 ···|
10:18 PM: Spy Sweeper started
10:18 PM: Messenger service has been disabled.
10:19 PM: |··· End of Session, Tuesday, 23 August 2005 ···|
  • 0

#14
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Can you check to see if this file is in your computer:

C:/WINDOWS/DOWNLOADED PROGRAM FILES/INTERNAZIONALE_VER15.OCX


Thanks,

:tazz:

Excal
  • 0

#15
gregga1

gregga1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
no........ file not on computer.. :tazz:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP