Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Block Checker infection [RESOLVED]


  • This topic is locked This topic is locked

#1
mia_wallace

mia_wallace

    Member

  • Member
  • PipPip
  • 12 posts
Hi,

I am infected with Block Checker. My computer turns down by itself I am scared it will destroy my files. Please help!

I have a Freedom protection with Windows XP.

Thanks in advance,

Mia Wallace :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 21:58:04, on 2005-09-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\s3apphk.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Fichiers communs\Command Software\dvpapi.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\zstatus.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\LGORTD0L\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://frca4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr-ca\msntb.dll
O2 - BHO: System Process - {C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB} - C:\WINDOWS\system32\navshext1.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr-ca\msntb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [s3apphk] s3apphk.exe
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program Files\hp LaserJet 1000\fwdl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100374723461
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab31267.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Fichiers communs\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

Advertisements


#2
didom

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
Download Blockrem from HERE
  • Unzip it to its own folder on your desktop.
  • Boot your computer to safe mode by rebooting and tapping the F8 button repeatedly until it brings up a boot menu.
    From that menu, select Safe Mode by using the arrow keys to highlight it then pressing enter.
  • Once in safe mode open the Blockrem folder on your desktop and double-click blockrem.bat (this is the file with the gear icon) to run it.
  • Once it is running please follow the onscreen instructions.
  • Then reboot your computer.
  • Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

    Save the scan log and post it along with a new HijackThis Log in your next reply.

  • 0

#3
mia_wallace

mia_wallace

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hi,

I couldn't run Blockrem. I turned into safe mode, but Blockrem said it could not access files like "system 32 something"... So I ran Panda Active scan and HikjackThis Log. Did I do something wrong?

This is the Panda log:
Incident Status Location

Adware:adware/block-checker No disinfected C:\Documents and Settings\Propritaire\Application Data\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\Block Checker.lnk
Spyware:spyware/betterinet No disinfected C:\WINDOWS\INF\banner.inf
Adware:adware/transponder No disinfected Windows Registry
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\banner.inf



This is the new HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 22:25:41, on 2005-10-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\s3apphk.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Fichiers communs\Command Software\dvpapi.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\zstatus.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://frca4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr-ca\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr-ca\msntb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [s3apphk] s3apphk.exe
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program Files\hp LaserJet 1000\fwdl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100374723461
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab31267.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Fichiers communs\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

#4
didom

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
Scan again with HijackThis and check the following items:

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Make sure all hidden files and folders are visible (Instructions )
Reboot your computer into safe mode (Instructions)

Find and delete these files (if they are still there):
C:\WINDOWS\INF\banner.inf
C:\Documents and Settings\Propritaire\Application Data\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\Block Checker.lnk

Reboot your computer back into normal mode.

Go to next site: Trend Micro Anti-Spyware-scan
Click the Scan and Clean your PC and save it to your desktop.

* Doubleclick tmas-web-scan.exe-icon on your desktop
* Click agree to accept the terms of the license.
* After loading the definitions, click Start Scan
* When the scan is done, click Scan Results
* Check every item that was found (normally they are checked by default, so make sure they are all checked) and click Clean Threats Now
* A confirmation prompt will appear. Click OK
* Click Exit.

Reboot your computer.
After reboot, you'll see that the tmas-web-scan.exe-icon on your desktop will be gone, but there will be an Antispywarelog instead. It's a textfile.
Copy and paste the entire content of it in your next reply.
  • 0

#5
mia_wallace

mia_wallace

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hi,

I followed the instructions, deleted banner.inf, but I couldn't find Block Checker.Ink.

Block Checker is still in my Quick Launch section and new stuff has appeared on my desktop, the icons are kind of faded, I have never seen that before:

C:\Documents and Settings\Propriétaire\Bureau\AlbumArtSmall.jpg

C:\Documents and Settings\Propriétaire\Bureau\AlbumArt_{9DD62230-DBD3-4CE9-B0A7-6BF6A2009732}_Small.jpg

C:\Documents and Settings\Propriétaire\Bureau\AlbumArt_{9DD62230-DBD3-4CE9-B0A7-6BF6A2009732}_Large.jpg


C:\Documents and Settings\Propriétaire\Bureau\desktop.ini

C:\Documents and Settings\Propriétaire\Bureau\Folder.jpg

This is the Antispyware log:

Started Scanning
Internet Cookies
Found 'tribalfusion.com' in 'Internet Explorer Cache'
Found 'dist.belnk.com' in 'Internet Explorer Cache'
Found '2o7.net' in 'Internet Explorer Cache'
Found 'server.iad.liveperson.net' in 'Internet Explorer Cache'
Found 'adopt.precisead.com' in 'Internet Explorer Cache'
Found 'www.burstbeacon.com' in 'Internet Explorer Cache'
Found 'about.com' in 'Internet Explorer Cache'
Found 'questionmarket.com' in 'Internet Explorer Cache'
Found 'casalemedia.com' in 'Internet Explorer Cache'
Found 'server.iad.liveperson.net' in 'Internet Explorer Cache'
Found 'ads.pointroll.com' in 'Internet Explorer Cache'
Found 'media.adrevolver.com' in 'Internet Explorer Cache'
Found 'rightmedia.net' in 'Internet Explorer Cache'
Found 'atwola.com' in 'Internet Explorer Cache'
Found 'hitbox.com' in 'Internet Explorer Cache'
Found 'insightexpressai.com' in 'Internet Explorer Cache'
Found 'go.com' in 'Internet Explorer Cache'
Found 'belnk.com' in 'Internet Explorer Cache'
Found 'serving-sys.com' in 'Internet Explorer Cache'
Found 'exitexchange.com' in 'Internet Explorer Cache'
Found 'maxserving.com' in 'Internet Explorer Cache'
Found 'as1.falkag.de' in 'Internet Explorer Cache'
Found 'ad.yieldmanager.com' in 'Internet Explorer Cache'
Found 'spylog.com' in 'Internet Explorer Cache'
Found 'valueclick.com' in 'Internet Explorer Cache'
Found 'abetterinternet.com' in 'Internet Explorer Cache'
Found 'errorguard.com' in 'Internet Explorer Cache'
Found 'offeroptimizer.com' in 'Internet Explorer Cache'
Found 'adknowledge.com' in 'Internet Explorer Cache'
Found 'cliks.org' in 'Internet Explorer Cache'
Found 'pro-market.net' in 'Internet Explorer Cache'
Found 'centrport.net' in 'Internet Explorer Cache'
Found 'com.com' in 'Internet Explorer Cache'
Found 'server.iad.liveperson.net' in 'Internet Explorer Cache'
Found 'btg.btgrab.com' in 'Internet Explorer Cache'
Found 'imrworldwide.com' in 'Internet Explorer Cache'
Found 'perf.overture.com' in 'Internet Explorer Cache'
Found 'btg.btgrab.com' in 'Internet Explorer Cache'
Found 'statcounter.com' in 'Internet Explorer Cache'
Found 'doubleclick.net' in 'Internet Explorer Cache'
Found 'www.short-media.com' in 'Internet Explorer Cache'
Found 'fastclick.net' in 'Internet Explorer Cache'
Found 'server.iad.liveperson.net' in 'Internet Explorer Cache'
Found 'counter.hitslink.com' in 'Internet Explorer Cache'
Found 'trafficmp.com' in 'Internet Explorer Cache'
Found 'realmedia.com' in 'Internet Explorer Cache'
Found 'revenue.net' in 'Internet Explorer Cache'
Found 'targetnet.com' in 'Internet Explorer Cache'
Found 'linksynergy.com' in 'Internet Explorer Cache'
Found 'atdmt.com' in 'Internet Explorer Cache'
Found 'mediaplex.com' in 'Internet Explorer Cache'
Found 'keywordmax.com' in 'Internet Explorer Cache'
Found 'www.web-stat.com' in 'Internet Explorer Cache'
Found 'unicast.com' in 'Internet Explorer Cache'
Found 'ads.addynamix.com' in 'Internet Explorer Cache'
Found 'ads.addynamix.com' in 'Internet Explorer Cache'
Found 'media.adrevolver.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'SOFTWARE\Classes\TypeLib\{BA2462E1-33A1-481F-B8F6-2F0E2680B01A}\1.0\HELPDIR'
Found '' in 'SOFTWARE\Classes\TypeLib\{BA2462E1-33A1-481F-B8F6-2F0E2680B01A}\1.0\FLAGS'
Found '' in 'SOFTWARE\Classes\TypeLib\{BA2462E1-33A1-481F-B8F6-2F0E2680B01A}\1.0\0\win32'
Found '' in 'SOFTWARE\Classes\TypeLib\{BA2462E1-33A1-481F-B8F6-2F0E2680B01A}\1.0'
Found '' in 'SOFTWARE\Classes\FlashTalk.ClientInterface\CurVer'
Found '' in 'SOFTWARE\Classes\FlashTalk.ClientInterface\CLSID'
Found '' in 'SOFTWARE\Classes\FlashTalk.ClientInterface.1\CLSID'
Found '' in 'SOFTWARE\Classes\FlashTalk.ClientInterface.1'
Found '' in 'SOFTWARE\Classes\FlashTalk.ClientInterface'
Found '' in 'SOFTWARE\Classes\CLSID\{12F443D3-FE69-41D0-B383-BACB9F824E9F}\VersionIndependentProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{12F443D3-FE69-41D0-B383-BACB9F824E9F}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{12F443D3-FE69-41D0-B383-BACB9F824E9F}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{12F443D3-FE69-41D0-B383-BACB9F824E9F}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{12F443D3-FE69-41D0-B383-BACB9F824E9F}'
Found '' in 'Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}'
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Finished Cleaning
  • 0

#6
didom

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
  • Please re-hide all files and folders. To re-hide all files and folders:[list]
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading deselect "Show hidden files and folders".
  • Check the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
The Desktop items will be gone now.

----------------------------------------------
Can you please try this tool to delete Block-Checker:
http://www.jayloden....ock-checker.htm

After the fix please post a fresh HijackThis log.
  • 0

#7
mia_wallace

mia_wallace

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I did the fix and it seemed to work. Now, can I delete block-checker-xp.exe on my desktop?

This is my new log:

Logfile of HijackThis v1.99.1
Scan saved at 16:25:03, on 2005-10-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\s3apphk.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Fichiers communs\Command Software\dvpapi.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\zstatus.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://frca4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr-ca\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr-ca\msntb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [s3apphk] s3apphk.exe
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program Files\hp LaserJet 1000\fwdl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100374723461
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab31267.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Fichiers communs\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

#8
didom

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts

I did the fix and it seemed to work. Now, can I delete block-checker-xp.exe on my desktop?

Yes, you can!

This log looks clean!
  • Don't forget to re-hide all files and folders. To re-hide all files and folders:
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading deselect "Show hidden files and folders".
    • Check the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.
  • This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall for example Kerio Personal Firewall or ZoneLabs Zone Alarm, a spyware blocker like SpywareBlaster and also IE-Spyads and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

    Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

    Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protects your computer.

    This can be accessed by going to http://windowsupdate.microsoft.com and following the prompts. You are running Windows XP so get updated to SP-2

    Please post back if you are still having any problems....

  • 0

#9
mia_wallace

mia_wallace

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Thank you so much!!!
  • 0

#10
didom

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
You're so welcome :tazz:
  • 0

#11
didom

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP