HELP TO FINISH OFF! - Geeks to Go Forums


HELP TO FINISH OFF!

#1 ryantyson

  • Group: Member
  • Posts: 13
  • Joined: 04-January 06

Posted 25 January 2006 - 04:48 AM



Hello all,

I am only new with computers and I am having trouble with my screen saver. I save a screen saver, then every time I open something up a warning comes up about how I am infected by spyware and should go to the website (topadware) to order and download regfreeze. I am not sure what is happening and any suggestions would be greatly appreciated.

Thank you for your time




tampabelle Jan 5 2006, 02:31 AM Post #2


Exterminator


Group: Malware Staff
Posts: 6,033
Joined: 27-February 05
Member No.: 17,901
Operating System:
Windows XP


We'll need you to use a free diagnostic tool, Hijack This. Follow the instructions in step five of this guide, and reply here with your log.

Most of what Hijack This lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

This post has been edited by tampabelle: Jan 5 2006, 02:32 AM




Good Stuff to have - Ad Aware SE, SpyBot S&D, Spyware Blaster, Spyware Guard, Avast Home Edition, Kerio Personal Firewall

Want free online scans ?? Kaspersky, BitDefender, Trendmicro, Panda






ryantyson Jan 6 2006, 10:46 AM Post #3



I'm not sure if this is what you want. I hope so. If I need to do anything else please let me know. Thank you.



Logfile of HijackThis v1.99.1
Scan saved at 11:42:24 AM, on 6/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
H:\AnyDVD\AnyDVD.exe
I:\AVG\avgemc.exe
I:\AVG\avgcc.exe
H:\3.0\Apps\apdproxy.exe
C:\Program Files\Messenger\msmsgs.exe
I:\AVG\avgamsvr.exe
I:\AVG\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
I:\ewido anti-malware\ewidoctrl.exe
I:\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\System32\cidaemon.exe
I:\Azureus\Azureus.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
I:\pokerstars\PokerStars.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\ILP8ZDWR\HijackThis[1].exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CMyBHOImpl Object - {784aa380-13f2-422e-8540-f2280f1dd4f1} - C:\WINDOWS\System32\bhoimpl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-au\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AnyDVD] H:\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [AVG7_EMC] I:\AVG\avgemc.exe
O4 - HKLM\..\Run: [xps32] C:\WINDOWS\System32\xps32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [FA Page] C:\WINDOWS\system32\shdocie.exe home
O4 - HKLM\..\Run: [Evidence Eliminator] H:\\ee.exe /m
O4 - HKLM\..\Run: [AVG7_CC] I:\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "I:\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "H:\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\RunServices: [PieceCrap] mybreak.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Washer] c:\Program Files\Washer\washer.exe /0
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Office10\OSA.EXE
O4 - Global Startup: OSA.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1136468209156
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D64BAC95-300D-44D1-BC2C-A2B042F5D8D8}: NameServer = 192.189.54.17,203.8.183.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - I:\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - I:\AVG\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - I:\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - I:\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ILT - Unknown owner - C:\WINDOWS\ilt.exe (file missing)
O23 - Service: MsLS32 - Unknown owner - C:\WINDOWS\MsLS32.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: rsvchost - Unknown owner - C:\WINDOWS\rsvchost.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe



tampabelle Jan 7 2006, 03:17 AM Post #4



You are running Hijack This from a temporary folder. Please download Hijack This again and save it in a permanent folder like C:\HJT and then proceed with the instructions below.


Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, you will be asked to delete some entries or files or uninstall some programs. If you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

Download and install CleanUp!


2. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: CMyBHOImpl Object - {784aa380-13f2-422e-8540-f2280f1dd4f1} - C:\WINDOWS\System32\bhoimpl.dll
O4 - HKLM\..\Run: [xps32] C:\WINDOWS\System32\xps32.exe
O4 - HKLM\..\Run: [FA Page] C:\WINDOWS\system32\shdocie.exe home
O4 - HKLM\..\RunServices: [PieceCrap] mybreak.exe

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Click on Start ---> Run. Type Services.msc and hit enter. Locate the item - ILT. Right click on it and then click on properties. In the Startup Type choose the option Disable.

Similarly disable the following items -

MsLS32
rsvchost

Close the window.

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

3. Delete Rogue files

Run Ewido full scan. Let it fix any items it finds.

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

Files
C:\WINDOWS\System32\xps32.exe
C:\WINDOWS\system32\shdocie.exe home
C:\WINDOWS\ilt.exe
C:\WINDOWS\MsLS32.exe
C:\WINDOWS\rsvchost.exe

mybreak.exe
(Search for this file using the Windows Search function)


Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

Run Hijack This. Click on config ---> Misc Tools ---> Delete an NT Service. Type in each of the following items and hit enter.

ILT
MsLS32
rsvchost


Reboot the PC in Normal Mode.


Run Hijack This and post a fresh HJT log along with Ewido scan report.

This post has been edited by tampabelle: Jan 7 2006, 03:20 AM


THESE ARE THE RESULTS

Logfile of HijackThis v1.99.1
Scan saved at 8:23:51 PM, on 25/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
H:\AnyDVD\AnyDVD.exe
I:\AVG\avgemc.exe
I:\AVG\avgcc.exe
H:\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
I:\AVG\avgamsvr.exe
I:\AVG\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
I:\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-au\msntb.dll (file missing)
O4 - HKLM\..\Run: [AnyDVD] H:\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [AVG7_EMC] I:\AVG\avgemc.exe
O4 - HKLM\..\Run: [Evidence Eliminator] H:\\ee.exe /m
O4 - HKLM\..\Run: [AVG7_CC] I:\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "I:\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "H:\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Washer] c:\Program Files\Washer\washer.exe /0
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136468209156
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D64BAC95-300D-44D1-BC2C-A2B042F5D8D8}: NameServer = 192.189.54.17,203.8.183.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - I:\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - I:\AVG\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - I:\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

THE EWIDO HAD NO REPORT OR ANYTHING IN IT
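The fix list in post #4 and the two logs above form a before/after pair, and the helper's judgement rests on a handful of patterns that can be checked mechanically. The Python 3 script below is an added example, not code from this thread or from the HijackThis project: it parses HJT entry lines, applies triage heuristics of the kind a malware helper applies by eye (an autostart given as a bare filename, a RunServices entry, a service with "Unknown owner", a "(file missing)" or "(no file)" registration, a binary launched straight from the Windows directory), and then reports which flagged entries disappeared between the two logs and which remain. The sample lines are copied from the logs posted in this thread; the regexes, the heuristics and the assumption that the system root is C:\WINDOWS are mine. The flags are prompts for a human, not verdicts: the orphan BHO {5C8B2A36-...} stays flagged in the second log although the helper chose to leave it alone, and a vendor service such as SecuROM's would trip the "Unknown owner" rule.

```python
import re

# Sample input: a subset of HijackThis entry lines copied from the two logs posted
# in this thread (first log = before the fix, second log = after the fix).
LOG_BEFORE = r"""
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: CMyBHOImpl Object - {784aa380-13f2-422e-8540-f2280f1dd4f1} - C:\WINDOWS\System32\bhoimpl.dll
O4 - HKLM\..\Run: [AVG7_EMC] I:\AVG\avgemc.exe
O4 - HKLM\..\Run: [xps32] C:\WINDOWS\System32\xps32.exe
O4 - HKLM\..\Run: [FA Page] C:\WINDOWS\system32\shdocie.exe home
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [PieceCrap] mybreak.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - I:\AVG\avgupsvc.exe
O23 - Service: ILT - Unknown owner - C:\WINDOWS\ilt.exe (file missing)
O23 - Service: MsLS32 - Unknown owner - C:\WINDOWS\MsLS32.exe (file missing)
O23 - Service: rsvchost - Unknown owner - C:\WINDOWS\rsvchost.exe (file missing)
"""

LOG_AFTER = r"""
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [AVG7_EMC] I:\AVG\avgemc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - I:\AVG\avgupsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# O4 registry autostarts look like "HKLM\..\Run: [name] target"; Global Startup lines are skipped.
O4_RE = re.compile(r"^HK\w+\\\.\.\\(?P<key>\w+): \[[^\]]*\] (?P<target>.*)$")
# O23 services look like "Service: <display name> - <owner> - <path> [(file missing)]".
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Assumption: the system root is C:\WINDOWS, as in the logs above.
WINDIR_EXE = re.compile(r"^c:\\windows\\(system32\\)?[^\\]+$", re.I)
DRIVE = re.compile(r"^[a-z]:\\", re.I)


def parse_log(text):
    """Return (section, body) pairs for every HJT entry line; headers and process lists are ignored."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("sec"), m.group("body")))
    return out


def first_token(target):
    """The executable part of an O4 target: a quoted path, or the first whitespace-delimited token."""
    target = target.strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        return target[1:end] if end > 0 else target[1:]
    return target.split()[0] if target else ""


def triage(entry):
    """Return the list of reasons an entry deserves a second look (empty if none)."""
    sec, body = entry
    reasons = []
    if sec == "O2":
        path = body.rsplit(" - ", 1)[-1]
        if path.lower() == "(no file)":
            reasons.append("BHO CLSID registered but its DLL is gone (orphan)")
        elif WINDIR_EXE.match(path):
            reasons.append("BHO DLL loaded straight from the Windows directory: " + path)
    elif sec == "O4":
        m = O4_RE.match(body)
        if m:
            exe = first_token(m.group("target"))
            if m.group("key").lower() == "runservices":
                reasons.append("RunServices autostart (Win9x-era key, rarely used legitimately on XP)")
            if exe and not DRIVE.match(exe) and not exe.startswith("%"):
                reasons.append("bare filename with no path, resolved via search order: " + exe)
            if WINDIR_EXE.match(exe):
                reasons.append("executable launched straight from the Windows directory: " + exe)
    elif sec == "O23":
        m = O23_RE.match(body)
        if m:
            path = re.sub(r"\s*\(file missing\)$", "", m.group("path"), flags=re.I)
            if m.group("owner").lower() == "unknown owner":
                reasons.append("service with no vendor string")
            if body.lower().endswith("(file missing)"):
                reasons.append("service registration whose binary is absent")
            if re.match(r"^c:\\windows\\[^\\]+$", path, re.I):
                reasons.append("service binary directly under C:\\WINDOWS: " + path)
    return reasons


def compare_logs(before_text, after_text):
    """Split the flagged entries of the first log into (cleared, remaining) using the second log."""
    after = {body for _, body in parse_log(after_text)}
    cleared, remaining = [], []
    for sec, body in parse_log(before_text):
        reasons = triage((sec, body))
        if reasons:
            (remaining if body in after else cleared).append((sec, body, reasons))
    return cleared, remaining


if __name__ == "__main__":
    cleared, remaining = compare_logs(LOG_BEFORE, LOG_AFTER)
    for sec, body, reasons in cleared:
        print(f"cleared  {sec} - {body}")
        for r in reasons:
            print(f"           {r}")
    for sec, body, reasons in remaining:
        print(f"remains  {sec} - {body}  ({'; '.join(reasons)})")
```

Run against the two logs in this thread, the script lists the seven entries the helper had the poster remove (the System32 BHO, the two System32 autostarts, the RunServices entry and the three orphan services) as cleared, and reports only the nameless BHO with "(no file)" as still present. Feeding it a fresh log against the second one is the quickest way to confirm that nothing has been re-created after a reboot, which is the point of asking for a new HJT log at the end of a fix.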
