Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Alcan.A [RESOLVED]

Started by ladylinn , Mar 15 2006 08:49 PM

  • This topic is locked This topic is locked

#1
ladylinn
Posted 15 March 2006 - 08:49 PM

ladylinn

    Member

  • Member
  • PipPip
  • 17 posts
Done a scan and here is my log..
Can someone help?


Logfile of HijackThis v1.99.1
Scan saved at 03:41:58, on 16.03.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
C:\Programfiler\Fellesfiler\Logitech\QCDriver2\LVCOMS.EXE
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\outlook\outlook.exe
C:\Programfiler\Windows Defender\MSASCui.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\Programfiler\Online\Online.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\NoAdware4\NoAdware4.exe
C:\PROGRAMFILER\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAMFILER\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAMFILER\INTERNET EXPLORER\IEXPLORE.EXE
C:\Programfiler\Messenger\msmsgs.exe
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\I5ULQJYB\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sol.no
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programfiler\Fellesfiler\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Programfiler\Fellesfiler\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programfiler\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [winupdate] C:\Programfiler\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [outlook] C:\Programfiler\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Programfiler\Fellesfiler\Sonic Shared\CineTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab34120.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142450502828
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab35645.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/...on.cab36385.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0965E59F-51F9-4E89-B5CF-D23085D2C99B}: NameServer = 130.67.60.68 193.213.112.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{0965E59F-51F9-4E89-B5CF-D23085D2C99B}: NameServer = 130.67.60.68 193.213.112.4
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\dn4u01h9e.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programfiler\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
  • 0

Advertisements

#2
MasterJ
Posted 15 March 2006 - 09:08 PM

MasterJ

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,623 posts
Welcome to GeeksToGo ladylinn

My name is MasterJ and I will be helping you with your problem.

Please print these instructions for reference.

Download and unzip BFUzip from http://www.merijn.org/files/bfu.zip
Run the program and click the Web button as shown here:
Posted Image

Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/alcanshorty.bfu

Make sure all IE windows are closed.

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:
http://metallica.gee...structions.html

Reboot the computer.

Please post a new hijackthis log.

MasterJ :tazz:
  • 0

#3
ladylinn
Posted 15 March 2006 - 09:43 PM

ladylinn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Alright.. Hope I'm doing this right.. hehe.. Here is the next one..

Logfile of HijackThis v1.99.1
Scan saved at 04:40:18, on 16.03.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
C:\Programfiler\Fellesfiler\Logitech\QCDriver2\LVCOMS.EXE
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\Windows Defender\MSASCui.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Online\Online.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\DOCUME~1\Linn\LOKALE~1\Temp\Temporary Internet Files\Content.IE5\PKGTBRHK\HijackThis[1].exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sol.no
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programfiler\Fellesfiler\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Programfiler\Fellesfiler\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programfiler\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Programfiler\Fellesfiler\Sonic Shared\CineTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab34120.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142450502828
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab35645.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/...on.cab36385.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0965E59F-51F9-4E89-B5CF-D23085D2C99B}: NameServer = 130.67.60.68 193.213.112.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{0965E59F-51F9-4E89-B5CF-D23085D2C99B}: NameServer = 130.67.60.68 193.213.112.4
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\mvnul9591.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programfiler\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
  • 0

#4
MasterJ
Posted 15 March 2006 - 10:17 PM

MasterJ

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,623 posts
Please zip the following and upload it to http://www.atribune....mit-malware.php

C:\Programfiler\Online

Please print these instructions for reference.

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive...ib/MSWINSCK.OCX

MasterJ :tazz:
  • 0

#5
ladylinn
Posted 15 March 2006 - 10:52 PM

ladylinn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
From the L2M:


Look2Me-Destroyer V1.0.11

Scanning for infected files.....
Scan started at 16.03.06 05:43:14

Infected! C:\WINDOWS\system32\mvnul9591.dll
Infected! C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP1\A0000004.dll
Infected! C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP1\A0000009.dll
Infected! C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP2\A0000062.dll
Infected! C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP2\A0000069.dll
Infected! C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP2\A0000076.dll
Infected! C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP2\A0000081.dll
Infected! C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP2\A0000086.dll
Infected! C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP2\A0000095.dll
Infected! C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP2\A0000100.dll
Infected! C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP4\A0000139.dll
Infected! C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP4\A0000148.dll
Infected! C:\WINDOWS\system32\coosys.dll
Infected! C:\WINDOWS\system32\cyc.dll
Infected! C:\WINDOWS\system32\dmnput.dll
Infected! C:\WINDOWS\system32\i860lijm18oa.dll
Infected! C:\WINDOWS\system32\igengine.dll
Infected! C:\WINDOWS\system32\lbcalui.dll
Infected! C:\WINDOWS\system32\mard3x40.dll
Infected! C:\WINDOWS\system32\muvcrt40.dll
Infected! C:\WINDOWS\system32\mvnul9591.dll
Infected! C:\WINDOWS\system32\nlevtmsg.dll
Infected! C:\WINDOWS\system32\nttplwiz.dll
Infected! C:\WINDOWS\system32\oimanage.dll
Infected! C:\WINDOWS\system32\rXsctrs.dll
Infected! C:\WINDOWS\system32\scgina.dll
Infected! C:\WINDOWS\system32\sgorage.dll
Infected! C:\WINDOWS\system32\smmapi.dll
Infected! C:\WINDOWS\system32\uypnpmgr.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\mvnul9591.dll
C:\WINDOWS\system32\mvnul9591.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP1\A0000004.dll
C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP1\A0000004.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP1\A0000009.dll
C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP1\A0000009.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP2\A0000062.dll
C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP2\A0000062.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP2\A0000069.dll
C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP2\A0000069.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP2\A0000076.dll
C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP2\A0000076.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP2\A0000081.dll
C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP2\A0000081.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP2\A0000086.dll
C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP2\A0000086.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP2\A0000095.dll
C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP2\A0000095.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP2\A0000100.dll
C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP2\A0000100.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP4\A0000139.dll
C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP4\A0000139.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP4\A0000148.dll
C:\System Volume Information\_restore{49A7FD48-5E63-4C37-B8D5-BE74625B2197}\RP4\A0000148.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\coosys.dll
C:\WINDOWS\system32\coosys.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\cyc.dll
C:\WINDOWS\system32\cyc.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dmnput.dll
C:\WINDOWS\system32\dmnput.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\i860lijm18oa.dll
C:\WINDOWS\system32\i860lijm18oa.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\igengine.dll
C:\WINDOWS\system32\igengine.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lbcalui.dll
C:\WINDOWS\system32\lbcalui.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mard3x40.dll
C:\WINDOWS\system32\mard3x40.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\muvcrt40.dll
C:\WINDOWS\system32\muvcrt40.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mvnul9591.dll
C:\WINDOWS\system32\mvnul9591.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\nlevtmsg.dll
C:\WINDOWS\system32\nlevtmsg.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\nttplwiz.dll
C:\WINDOWS\system32\nttplwiz.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\oimanage.dll
C:\WINDOWS\system32\oimanage.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\rXsctrs.dll
C:\WINDOWS\system32\rXsctrs.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\scgina.dll
C:\WINDOWS\system32\scgina.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\sgorage.dll
C:\WINDOWS\system32\sgorage.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\smmapi.dll
C:\WINDOWS\system32\smmapi.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\uypnpmgr.dll
C:\WINDOWS\system32\uypnpmgr.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Group Policy

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{49A765C9-4C4A-4BF2-89A7-A69F4A2D12BB}"
HKCR\Clsid\{49A765C9-4C4A-4BF2-89A7-A69F4A2D12BB}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A569784A-6CF6-47FD-8477-C2B5C31E4F0D}"
HKCR\Clsid\{A569784A-6CF6-47FD-8477-C2B5C31E4F0D}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F24AFE8B-57E4-46EB-824E-3E0286CB933F}"
HKCR\Clsid\{F24AFE8B-57E4-46EB-824E-3E0286CB933F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{EB8E76C9-52F8-4700-A472-1BE7373CCC49}"
HKCR\Clsid\{EB8E76C9-52F8-4700-A472-1BE7373CCC49}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{53CFBC8C-CD4A-450C-953A-DAEDF439D1EE}"
HKCR\Clsid\{53CFBC8C-CD4A-450C-953A-DAEDF439D1EE}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administratorer - Succeeded






And from the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 05:50:40, on 16.03.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
C:\Programfiler\Fellesfiler\Logitech\QCDriver2\LVCOMS.EXE
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\Windows Defender\MSASCui.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programfiler\Online\Online.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Documents and Settings\Linn\Lokale innstillinger\Temporary Internet Files\Content.IE5\056JCTQN\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sol.no
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programfiler\Fellesfiler\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Programfiler\Fellesfiler\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programfiler\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Programfiler\Fellesfiler\Sonic Shared\CineTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab34120.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142450502828
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab35645.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/...on.cab36385.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0965E59F-51F9-4E89-B5CF-D23085D2C99B}: NameServer = 130.67.60.68 193.213.112.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{0965E59F-51F9-4E89-B5CF-D23085D2C99B}: NameServer = 130.67.60.68 193.213.112.4
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programfiler\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
  • 0

#6
MasterJ
Posted 15 March 2006 - 11:00 PM

MasterJ

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,623 posts
Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Close Ewido.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Open Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Reboot into normal mode.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the ActiveScan report, along with the Ewido report and a new HijackThis log.

MasterJ :tazz:
  • 0

#7
ladylinn
Posted 16 March 2006 - 12:37 AM

ladylinn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 07:33:04, on 16.03.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
C:\Programfiler\Fellesfiler\Logitech\QCDriver2\LVCOMS.EXE
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\Windows Defender\MSASCui.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\alg.exe
C:\Programfiler\Online\Online.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Documents and Settings\Linn\Lokale innstillinger\Temp\Temporary Internet Files\Content.IE5\PKGTBRHK\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sol.no
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programfiler\Fellesfiler\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Programfiler\Fellesfiler\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programfiler\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Programfiler\Fellesfiler\Sonic Shared\CineTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab34120.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142450502828
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab35645.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/...on.cab36385.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0965E59F-51F9-4E89-B5CF-D23085D2C99B}: NameServer = 130.67.60.68 193.213.112.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{0965E59F-51F9-4E89-B5CF-D23085D2C99B}: NameServer = 130.67.60.68 193.213.112.4
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programfiler\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe

Attached Files


Edited by ladylinn, 16 March 2006 - 12:48 AM.

  • 0

#8
MasterJ
Posted 16 March 2006 - 11:54 AM

MasterJ

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,623 posts
Enable show hidden files and folders:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK

Could you submit this file to http://www.atribune....mit-malware.php

C:\WINDOWS\keyboard21.dat

Thank you.

Now click on the Start Menu and select Control Panel. A folder should appear. Now open, Add/Remove Programs.
Please remove these entries from Add/Remove Programs (if present):

MyWay

Please note any other programs that you dont recognize in that list in your next response

Please delete the following:

C:\WINDOWS\SYSTEM32\msiev32.dll
C:\WINDOWS\DH.dll
C:\PROGRAMFILER\MyWay
C:\Documents and Settings\Linn\Lokale innstillinger\Temp\Cookies\linn@clickbank[2].txt
C:\Documents and Settings\Linn\Lokale innstillinger\Temp\Cookies\linn@com[1].txt
C:\Documents and Settings\Linn\Lokale innstillinger\Temp\Cookies\linn@findwhat[1].txt
C:\WINDOWS\DH.dll
C:\WINDOWS\system32\MKRDO20.DLL
C:\WINDOWS\system32\msiev32.dll

Try to download Ewido one more time.

Then please run one more scan with panda and post the results.

MasterJ :tazz:
  • 0

#9
ladylinn
Posted 16 March 2006 - 12:55 PM

ladylinn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hello again :tazz:

Ewido just won't work for me.. sorry..
Enclosing log from Panda..

Linn

Attached Files


  • 0

#10
MasterJ
Posted 16 March 2006 - 02:08 PM

MasterJ

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,623 posts
Did you get the file submitted? If so go ahead and delete it:

C:\WINDOWS\keyboard21.dat

Open Internet Explorer. Click Tools along the top and select Internet Options. Click Delete Cookies and select OK. Click Delete Files and select OK.

Congratulations ladylinn, your log looks clean! :)

Now that your computer is clean, we need to make sure it stays clean. To do this, I have a few recommendations to make.

Rehide hidden files and folders:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Do Not Show hidden files and folders.
* Check the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK

Reset System Restore and Create a New Restore Point

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

4. Create a New Restore Point
Click on start,
Click on All Programs>accesories>system tools>system restore
click on Create a restore point

AntiVirus
The first and most important step is to always have an up-to-date AntiVirus Program. If you want a good free antivirus, then I recommend AVG Antivirus. Never install two Antivirus programs. Multiple AntiVirus programs conflict with each other and actually make your computer easier to infect. Make sure your antivirus has Auto-Protect on and run system scans once a week. This will ensure the best protection for your computer.

Removing Spyware
Use Spybot S&D and Ad Adare SE. These are good free programs that will detect and remove most spyware from your computer.

Blocking Spyware
It is important to have a constant guard to protect your computer from spyware threats. Two programs I recommend are Microsoft's AntiSpyware (Beta) and Trojan Hunter/Guard.

Browser
If you are using Internet Explorer you might consider changing to another browser. The majority of viruses and spyware are written to infect through internet explorer. Browsers such as Firefox are good examples of safer browsers.

Firewall
Although not necessary for a home user, a free firewall will provide protection from hackers. I recommend using Zone Alarm.

Windows Update
Microsoft puts out updates often that remove security threats from your computer. Check Windows Update to make sure your computer is fully equipped with protection.

Still having trouble?
We are always here for your needs. If you still have malware problems, let us know. We're here to help you.

Regards,
MasterJ :tazz:
  • 0

#11
MasterJ
Posted 16 March 2006 - 02:24 PM

MasterJ

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,623 posts
Please also delete this file:

C:\DR140306.exe
  • 0

#12
MasterJ
Posted 29 March 2006 - 11:04 PM

MasterJ

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,623 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP