Jump to content


Photo

svchost.exe - virus?


  • This topic is locked This topic is locked
15 replies to this topic

#1 whodamanwerd

whodamanwerd

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 08 June 2007 - 09:48 PM

Hello,

My computer has been running multiple instances of "svchost.exe" at the same time. It is making my computer extremely slow, taking up 99% of the CPU usage. I don't know where this program came from - my computer was working fine earlier today, and then suddenly I got infected with this strange .exe. Occasionally, the svchost.exe file will cause my computer to do a system shutdown, which has already happened twice.

Here is the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:46:52 PM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Joe Smith\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Install.exe] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [EPSON Stylus COLOR 480SXU] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P25 "EPSON Stylus COLOR 480SXU" /O6 "USB001" /M "Stylus COLOR 480SXU"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {AA33C66F-71DB-43E9-B559-3CBE4398E9A9} (BugsGameStarts Class) - http://au.bugsgames....gsGameStart.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

Help would be greatly appreciated - my computer seems to be running fine, and the only problem is the slowness. I'm just afraid that this program may cause other problems to arise.

Thanks,
whodamanwerd

#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,523 posts

Posted 11 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,352 posts

Posted 14 June 2007 - 05:07 AM

Hi whodamanwerd, and Welcome to SWI

Sorry it has taken so long to get to you, but the board has been very busy lately, and all the Helpers here are volunteers.

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier.

Actually, it's normal to find multiple instances of svchost.exe. I have 6 instances running right now.

From http://www.computerh...fo/svchost.htm:
“Svchost.exe” is the file name for the generic Windows process called Service Host which resides in \Windows\System32\. Since it acts as a host, it can collect multiple services together and run them in a common environment. This results in a more efficient arrangement since it reduces boot time and system overhead by eliminating the need to run dozens of separate services, each in their own memory spaces. Different groups of Windows services have different requirements in terms of system access and security, which is why separate instances of svchost.exe are needed.

However, one or more of the items you need to remove is a backdoor application can allow attackers to access your computer, stealing passwords and personal data. I highly recommend that from a clean, uninfected system you immediately change all the passwords on any systems you access from this system. If you do any on-line banking, or store any financial information on this system, you should immediately call your financial institution and advise them of the situation so you can secure your accounts.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum in your next reply.
Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Run Panda's online virus scan and perform a full system scan.
Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Please post a new HijackThis log, the log from SDFix, the log from Panda's ActiveScan, and note any errors encountered.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#4 whodamanwerd

whodamanwerd

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 16 June 2007 - 10:23 AM

Hello,

Just a little update:
Over the past few days, the problem seems to be going on and off (some days it would be 100% usage, some days it would run normal). As of right now, my computer is working fine.

Here are the updated logs.


HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 11:13:12 AM, on 6/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Joe Smith\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Install.exe] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [EPSON Stylus COLOR 480SXU] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P25 "EPSON Stylus COLOR 480SXU" /O6 "USB001" /M "Stylus COLOR 480SXU"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {AA33C66F-71DB-43E9-B559-3CBE4398E9A9} (BugsGameStarts Class) - http://au.bugsgames....gsGameStart.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe


SDFix:

SDFix: Version 1.87

Run by Joe Smith on Sat 06/16/2007 at 08:59 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Windows Overlay Components

ImagePath:
C:\WINDOWS\bldhciq.exe

Windows Overlay Components - Deleted

Killing PID 124 'smss.exe'
Killing PID 196 'winlogon.exe'


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\MSORCL32.EXE - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
C:\WINDOWS\Uninst2.htm - Deleted
C:\WINDOWS\Unist1.htm - Deleted
C:\DOCUME~1\JOESMI~1\LOCALS~1\Temp\tmp*.tmp - Deleted


Folder C:\WINDOWS\system32\wsnpoem - Removed

Removing Temp Files...

ADS Check:

Checking C:\WINDOWS\
C:\WINDOWS
No streams found.

Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.

Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\Valve\\Steam\\Steam.exe"="C:\\Program Files\\Valve\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\panini773\\counter-strike\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\panini773\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Triggersoft\\Rose Online\\TRose.exe"="C:\\Program Files\\Triggersoft\\Rose Online\\TRose.exe:*:Enabled:Client"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\enigmasoul5\\counter-strike\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\enigmasoul5\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\caffeineforever242@hotmail.com\\counter-strike\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\caffeineforever242@hotmail.com\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Xfire\\Xfire.exe"="C:\\Program Files\\Xfire\\Xfire.exe:*:Enabled:Xfire"
"C:\\Program Files\\Yahoo! Games\\Scrabble\\Scrabble.exe"="C:\\Program Files\\Yahoo! Games\\Scrabble\\Scrabble.exe:*:Enabled:SCRABBLE r"
"C:\\Dynamix\\TribesDemo\\Tribes.exe"="C:\\Dynamix\\TribesDemo\\Tribes.exe:*:Enabled:Tribes"
"C:\\Program Files\\Hamachi\\hamachi.exe"="C:\\Program Files\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\Starcraft\\starcraft.exe"="C:\\Program Files\\Starcraft\\starcraft.exe:*:Enabled:Starcraft"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1138472538\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1138472538\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1138472538\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1138472538\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\WINDOWS\\SYSTEM32\\rundll32.exe"="C:\\WINDOWS\\SYSTEM32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\drstunner@hotmail.com\\counter-strike\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\drstunner@hotmail.com\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\DungeonStomp\\bin\\ds.exe"="C:\\Program Files\\DungeonStomp\\bin\\ds.exe:*:Enabled:ds"
"C:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"="C:\\WINDOWS\\SYSTEM32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\TetriNET\\TETRINET.EXE"="C:\\TetriNET\\TETRINET.EXE:*:Enabled:TETRINET"
"C:\\WINDOWS\\SYSTEM32\\rtcshare.exe"="C:\\WINDOWS\\SYSTEM32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windowsr NetMeetingr"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"="C:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe:*:Enabled:Halo"
"C:\\Documents and Settings\\Joe Smith\\My Documents\\download\\whodamanwerd\\VBA Link\\vbaserver.exe"="C:\\Documents and Settings\\Joe Smith\\My Documents\\download\\whodamanwerd\\VBA Link\\vbaserver.exe:*:Enabled:vbaserver"
"C:\\Program Files\\Armagetron Advanced\\armagetronad.exe"="C:\\Program Files\\Armagetron Advanced\\armagetronad.exe:*:Enabled:armagetronad"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"
"C:\\Documents and Settings\\Joe Smith\\My Documents\\Warsow\\warsow.exe"="C:\\Documents and Settings\\Joe Smith\\My Documents\\Warsow\\warsow.exe:*:Enabled:Warsow"
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\Cain\\Cain.exe"="C:\\Program Files\\Cain\\Cain.exe:*:Enabled:Cain - Password Recovery Utility"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Documents and Settings\\Joe Smith\\Local Settings\\Temp\\~os138.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Joe Smith\\Local Settings\\Temp\\~os138.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Last.fm\\LastFM.exe"="C:\\Program Files\\Last.fm\\LastFM.exe:*:Enabled:LastFM"
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"="C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe:*:Enabled:Nexon Game Manager"
"C:\\WINDOWS\\svchost.exe"="C:\\WINDOWS\\svchost.exe:*:Disabled:svchost"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
C:\Documents and Settings\Joe Smith\Application Data\Microsoft\Word\~WRL1058.tmp
C:\Documents and Settings\Joe Smith\My Documents\~WRL0750.tmp
C:\Documents and Settings\Joe Smith\My Documents\~WRL3003.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0001.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0003.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0527.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0787.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0791.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0803.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0945.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL1100.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL1597.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL1852.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL2749.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL2813.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL2860.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL3359.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL3487.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL3519.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL3901.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL0946.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL1110.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL1420.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL1934.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL2367.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL3278.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL3979.tmp

Listing User Accounts:

User accounts for \\JOE

Administrator Guest HelpAssistant
Joe Smith SUPPORT_388945a0 SUPPORT_3f151ab9


Finished


Panda's ActiveScan:


Incident Status Location

Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Joe Smith\Application Data\Mozilla\Firefox\Profiles\6n7klvcd.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Joe Smith\Application Data\Mozilla\Firefox\Profiles\6n7klvcd.default\cookies.txt[.atwola.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Joe Smith\Application Data\Mozilla\Firefox\Profiles\6n7klvcd.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Joe Smith\Application Data\Mozilla\Firefox\Profiles\6n7klvcd.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Joe Smith\Application Data\Mozilla\Firefox\Profiles\6n7klvcd.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Joe Smith\Application Data\Mozilla\Firefox\Profiles\6n7klvcd.default\cookies.txt[.rightmedia.net/]
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Joe Smith\Application Data\tvmknwrd.dll
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Joe Smith\Cookies\joe smith@advertising[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Joe Smith\Cookies\joe smith@atwola[1].txt
Hacktool:HackTool/KillProcWin.A Not disinfected C:\Documents and Settings\Joe Smith\Local Settings\Application Data\Wildtangent\Cdacache\00\00\37.dat[simple_killw.exe]
Virus:Trj/Zapchast.S Disinfected C:\Program Files\Warcraft III\Blizzard.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Adware:adware/ncase Not disinfected C:\temp\salmau.dat
Virus:Trj/VB.WA Disinfected C:\WINDOWS\30x.exe
Adware:Adware/NetPals Not disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\INF\conscorr.inf
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\keyboard1.dat
Spyware:Spyware/New.net Not disinfected C:\WINDOWS\NDNuninstall7_48.exe
Virus:Trj/Spammer.ZX Disinfected C:\WINDOWS\SYSTEM32\perfc000.dat
Adware:Adware/CommAd Not disinfected C:\WINDOWS\TGVlIENoaWFuZw\n3p5KHhCuqIRtT.vbs
Virus:Bck/Dbot.A Disinfected C:\WINDOWS\zzzx.exe

#5 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,352 posts

Posted 17 June 2007 - 08:42 PM

WildTangent is considered "foistware", installed with some on-line games, but it's not required for them to run, and you are never given the chance to refuse the install. Their privacy policy used to state that they collect and share individual's information, although this is no longer the case. I highly recommend you optionally uninstall it. If you decide to remove it, go to Start > Control Panel > Add or Remove Programs and remove the following program (if found):
WildTangent

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.

Then delete the following folders if found:
C:\Program Files\WildTangent
C:\Documents and Settings\Joe Smith\Local Settings\Application Data\Wildtangent


Run AVG Anti-Spyware
  • On the main screen select the icon "Update".
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Do not automatically generate reports"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.


Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to, click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcan worm remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit Enter.

Once in Safe Mode, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Next to the scriptline to execute field click the folder icon Posted Image and select alcanshorty.bfu
  • Press Execute and let it do it’s job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Run a complete system scan with AVG Anti-Spyware.
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware
Reboot into normal Windows and post the contents of the AVG Anti-Spyware log that you saved in your next reply.

Now reboot to Safe Mode - Restart your computer and begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with your Next reply.
Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

O4 - HKLM\..\Run: [Install.exe] C:\WINDOWS\svchost.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat


You can optionally check the following entry. This is part of Microsoft Office located in your Startup folder, but it's not needed, and it's a resource hog:
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.


Using Windows Explorer, delete the following files and folder if found:
C:\temp\salmau.dat
C:\Documents and Settings\Joe Smith\Application Data\tvmknwrd.dll
C:\WINDOWS\INF\conscorr.inf
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\NDNuninstall7_48.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\perfc000.dat
C:\WINDOWS\TGVlIENoaWFuZw <-- folder


Not being able to find a file in the Downloaded Program Files folder is a common issue.
You will need to unregister a file to see them.

Go to Start >Run, and in the Run box type the following text and hit Enter:
regsvr32 /u occache.dll

Then this file will become visible and can be deleted.

Now, using Windows Explorer see if you can locate the following file and delete it:

C:\WINDOWS\Downloaded Program Files\ATPartners.inf

Then register occache.dll again:
Go to Start >Run, and in the Run box type the following text and hit Enter:
regsvr32 occache.dll

Restart your system.


Please run Notepad and paste the following text in the Code box into a new file:

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"C:\\Documents and Settings\\Joe Smith\\Local Settings\\Temp\\~os138.tmp\\ossproxy.exe"=-
Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.


Please go to VirusTotal and submit the following file (if found) for a scan and post the results in your next reply:
C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe

Now you need to hide the files you un-hid earlier:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading unselect "Show hidden files and folders".
Check the "Hide protected operating system files (recommended)" option.
Click Yes to confirm. Click OK.

Please post a new HijackThis log, the log from AVG Anti-Spyware, the log from SDFix (Report.txt), the results from scanning the file at VirusTotal, and note any errors encountered.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#6 whodamanwerd

whodamanwerd

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 19 June 2007 - 12:45 AM

Hello,

My computer seems to be working fine so far. However, I don't know if it's entirely clean yet.
Here are the updated logs.

HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 1:43:26 AM, on 6/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Joe Smith\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [EPSON Stylus COLOR 480SXU] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P25 "EPSON Stylus COLOR 480SXU" /O6 "USB001" /M "Stylus COLOR 480SXU"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {AA33C66F-71DB-43E9-B559-3CBE4398E9A9} (BugsGameStarts Class) - http://au.bugsgames....gsGameStart.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe


AVG Anti-Spyware

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:13:43 PM 6/18/2007

+ Scan result:



C:\WINDOWS\NDNuninstall7_48.exe -> Adware.NewDotNet : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP884\A0149210.exe -> Backdoor.Small.os : Cleaned.
C:\WINDOWS\SYSTEM32\perfc000.dat -> Backdoor.Small.os : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP887\A0149434.exe -> Downloader.Delf.bld : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP902\A0152711.exe -> Downloader.Delf.bld : Cleaned.
C:\WINDOWS\Downloaded Program Files\ATPartners.inf -> Downloader.Rameh.c : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP902\A0152710.exe -> Downloader.VB.att : Cleaned.
C:\Program Files\Online Services\howyvyr.html -> Hijacker.Small.jf : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@ice.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@4.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@ads.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@media.fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.102:C:\Documents and Settings\Joe Smith\Application Data\Mozilla\Firefox\Profiles\6n7klvcd.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.169:C:\Documents and Settings\Joe Smith\Application Data\Mozilla\Firefox\Profiles\6n7klvcd.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.12:C:\Documents and Settings\Joe Smith\Application Data\Mozilla\Firefox\Profiles\6n7klvcd.default\cookies.txt -> TrackingCookie.Planetactive : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.93:C:\Documents and Settings\Joe Smith\Application Data\Mozilla\Firefox\Profiles\6n7klvcd.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.94:C:\Documents and Settings\Joe Smith\Application Data\Mozilla\Firefox\Profiles\6n7klvcd.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.95:C:\Documents and Settings\Joe Smith\Application Data\Mozilla\Firefox\Profiles\6n7klvcd.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Joe Smith\Cookies\joe smith@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\WINDOWS\SYSTEM32\wnscpsu.exe -> Trojan.Small : Cleaned.
C:\WINDOWS\TGVlIENoaWFuZw\n3p5KHhCuqIRtT.vbs -> Trojan.Small : Cleaned.


::Report end


SDFix

SDFix: Version 1.87

Run by Joe Smith on Tue 06/19/2007 at 12:33 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

Checking C:\WINDOWS\
C:\WINDOWS
No streams found.

Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.

Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\Valve\\Steam\\Steam.exe"="C:\\Program Files\\Valve\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\panini773\\counter-strike\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\panini773\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Triggersoft\\Rose Online\\TRose.exe"="C:\\Program Files\\Triggersoft\\Rose Online\\TRose.exe:*:Enabled:Client"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\enigmasoul5\\counter-strike\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\enigmasoul5\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\caffeineforever242@hotmail.com\\counter-strike\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\caffeineforever242@hotmail.com\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Xfire\\Xfire.exe"="C:\\Program Files\\Xfire\\Xfire.exe:*:Enabled:Xfire"
"C:\\Program Files\\Yahoo! Games\\Scrabble\\Scrabble.exe"="C:\\Program Files\\Yahoo! Games\\Scrabble\\Scrabble.exe:*:Enabled:SCRABBLE r"
"C:\\Dynamix\\TribesDemo\\Tribes.exe"="C:\\Dynamix\\TribesDemo\\Tribes.exe:*:Enabled:Tribes"
"C:\\Program Files\\Hamachi\\hamachi.exe"="C:\\Program Files\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\Starcraft\\starcraft.exe"="C:\\Program Files\\Starcraft\\starcraft.exe:*:Enabled:Starcraft"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1138472538\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1138472538\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1138472538\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1138472538\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\WINDOWS\\SYSTEM32\\rundll32.exe"="C:\\WINDOWS\\SYSTEM32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\drstunner@hotmail.com\\counter-strike\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\drstunner@hotmail.com\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\DungeonStomp\\bin\\ds.exe"="C:\\Program Files\\DungeonStomp\\bin\\ds.exe:*:Enabled:ds"
"C:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"="C:\\WINDOWS\\SYSTEM32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\TetriNET\\TETRINET.EXE"="C:\\TetriNET\\TETRINET.EXE:*:Enabled:TETRINET"
"C:\\WINDOWS\\SYSTEM32\\rtcshare.exe"="C:\\WINDOWS\\SYSTEM32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windowsr NetMeetingr"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"="C:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe:*:Enabled:Halo"
"C:\\Documents and Settings\\Joe Smith\\My Documents\\download\\whodamanwerd\\VBA Link\\vbaserver.exe"="C:\\Documents and Settings\\Joe Smith\\My Documents\\download\\whodamanwerd\\VBA Link\\vbaserver.exe:*:Enabled:vbaserver"
"C:\\Program Files\\Armagetron Advanced\\armagetronad.exe"="C:\\Program Files\\Armagetron Advanced\\armagetronad.exe:*:Enabled:armagetronad"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"
"C:\\Documents and Settings\\Joe Smith\\My Documents\\Warsow\\warsow.exe"="C:\\Documents and Settings\\Joe Smith\\My Documents\\Warsow\\warsow.exe:*:Enabled:Warsow"
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\Cain\\Cain.exe"="C:\\Program Files\\Cain\\Cain.exe:*:Enabled:Cain - Password Recovery Utility"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Documents and Settings\\Joe Smith\\Local Settings\\Temp\\~os138.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Joe Smith\\Local Settings\\Temp\\~os138.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Last.fm\\LastFM.exe"="C:\\Program Files\\Last.fm\\LastFM.exe:*:Enabled:LastFM"
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"="C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe:*:Enabled:Nexon Game Manager"
"C:\\WINDOWS\\svchost.exe"="C:\\WINDOWS\\svchost.exe:*:Disabled:svchost"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

Remaining Files:
---------------


Listing Files with Hidden Attributes:

C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
C:\Documents and Settings\Joe Smith\Application Data\Microsoft\Word\~WRL1058.tmp
C:\Documents and Settings\Joe Smith\My Documents\~WRL0750.tmp
C:\Documents and Settings\Joe Smith\My Documents\~WRL3003.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0001.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0003.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0527.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0787.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0791.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0803.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0945.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL1100.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL1597.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL1852.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL2749.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL2813.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL2860.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL3359.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL3487.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL3519.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL3901.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL0946.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL1110.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL1420.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL1934.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL2367.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL3278.tmp
C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL3979.tmp

Listing User Accounts:

User accounts for \\JOE

Administrator Guest HelpAssistant
Joe Smith SUPPORT_388945a0 SUPPORT_3f151ab9


Finished


VirusTotal

STATUS: FINISHEDComplete scanning result of "NGM.exe", received in VirusTotal at 06.19.2007, 07:10:15 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.16.0 06.19.2007 no virus found
AntiVir 7.4.0.32 06.18.2007 no virus found
Authentium 4.93.8 06.18.2007 no virus found
Avast 4.7.997.0 06.18.2007 no virus found
AVG 7.5.0.467 06.18.2007 no virus found
BitDefender 7.2 06.19.2007 no virus found
CAT-QuickHeal 9.00 06.18.2007 no virus found
ClamAV devel-20070416 06.19.2007 no virus found
DrWeb 4.33 06.18.2007 no virus found
eSafe 7.0.15.0 06.19.2007 no virus found
eTrust-Vet 30.7.3727 06.19.2007 no virus found
Ewido 4.0 06.18.2007 no virus found
FileAdvisor 1 06.19.2007 no virus found
Fortinet 2.91.0.0 06.19.2007 no virus found
F-Prot 4.3.2.48 06.18.2007 no virus found
F-Secure 6.70.13030.0 06.19.2007 W32/Downloader
Ikarus T3.1.1.8 06.19.2007 no virus found
Kaspersky 4.0.2.24 06.19.2007 no virus found
McAfee 5055 06.18.2007 no virus found
Microsoft 1.2607 06.19.2007 no virus found
NOD32v2 2337 06.18.2007 no virus found
Norman 5.80.02 06.18.2007 W32/Downloader
Panda 9.0.0.4 06.19.2007 no virus found
Prevx1 V2 06.19.2007 no virus found
Sophos 4.18.0 06.12.2007 no virus found
Sunbelt 2.2.907.0 06.16.2007 no virus found
Symantec 10 06.19.2007 no virus found
TheHacker 6.1.6.134 06.18.2007 no virus found
VBA32 3.12.0.2 06.19.2007 no virus found
VirusBuster 4.3.23:9 06.18.2007 no virus found
Webwasher-Gateway 6.0.1 06.18.2007 no virus found


Aditional Information
File size: 110592 bytes
MD5: a888fad85299543090dd82cefa235dd2
SHA1: babebf343d35a5c0046eb9f774572738b183dc43
norman sandbox: [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 110592 bytes.

[ Changes to filesystem ]
* Creates directory C:PROGRA~1Nexon.
* Creates directory C:PROGRA~1NexonNGM.
* Creates file C:PROGRA~1NexonNGMNGMDll.dll.

[ Network services ]
* Connects to "platform.nx.com" on port 80 (TCP).
* Opens URL: platform.nx.com//NGM/Bin/NGMDll.dll.

[ Security issues ]
* Starting downloaded file - potential security problem.

Edited by whodamanwerd, 19 June 2007 - 12:53 AM.


#7 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,352 posts

Posted 19 June 2007 - 08:09 PM

You have a few items that don't seem to want to go easily. :hmmm:

Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\perfc000.dat
    C:\WINDOWS\TGVlIENoaWFuZw
    C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Open Notepad and paste the text into a new file.
  • Save the file to the desktop as OTMoveIt.txt and post it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. If not asked, restart anyway.

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entry (if still there):

O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat

Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entry you checked.

Download ComboFix© by sUBs from one of these links:
http://download.blee...Bs/ComboFix.exe
http://www.techsuppo...Bs/ComboFix.exe
Save the file to your Desktop.
Double click combofix.exe & follow the prompts.
Don't click on the ComboFix window while its running; that could cause it to stall.
When finished, and after reboot, it should open a log, combofix.txt.
Post that log in your next reply.

Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
First, please close all other open programs, including any non-essential programs running in your System Tray (do NOT close your antivirus or firewall).
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
  • In the new window that opens, click the "Accept" button to accept the user agreement.
  • After the update finishes and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

Please restart your system, and post a new HijackThis log, the log from Kaspersky AntiVirus's on-line scan, the contents of OTMoveIt.txt, and in a second reply (due to length) the log from ComboFix (combofix.txt), and note any errors encountered.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#8 whodamanwerd

whodamanwerd

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 21 June 2007 - 12:34 AM

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

#9 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,352 posts

Posted 21 June 2007 - 05:11 AM

That message could be from "fixing" the 020 item in Normal mode, which was probably fixed. Just continue with the instructions and post the requested logs please.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#10 whodamanwerd

whodamanwerd

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 21 June 2007 - 09:24 AM

HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 10:20:05 AM, on 6/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Joe Smith\My Documents\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [EPSON Stylus COLOR 480SXU] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P25 "EPSON Stylus COLOR 480SXU" /O6 "USB001" /M "Stylus COLOR 480SXU"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {AA33C66F-71DB-43E9-B559-3CBE4398E9A9} (BugsGameStarts Class) - http://au.bugsgames....gsGameStart.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

Kaspersky AntiVirus

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, June 21, 2007 10:10:48 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 21/06/2007
Kaspersky Anti-Virus database records: 350106
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\

Scan Statistics:
Total number of scanned objects: 87784
Number of viruses found: 3
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 01:02:16

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Joe Smith\Application Data\Aim\whodamanwerd\cert8.db Object is locked skipped
C:\Documents and Settings\Joe Smith\Application Data\Aim\whodamanwerd\key3.db Object is locked skipped
C:\Documents and Settings\Joe Smith\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Joe Smith\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Joe Smith\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Joe Smith\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Joe Smith\Local Settings\History\History.IE5\MSHist012007062120070622\index.dat Object is locked skipped
C:\Documents and Settings\Joe Smith\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Joe Smith\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Joe Smith\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\perfc000.dat.vir Infected: Backdoor.Win32.Small.os skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP886\A0149284.exe Infected: not-a-virus:Downloader.Win32.WinFixer.u skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP887\A0149451.exe Infected: not-a-virus:Downloader.Win32.WinFixer.u skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP888\A0149526.exe Infected: not-a-virus:Downloader.Win32.WinFixer.u skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP889\A0149565.exe Infected: not-a-virus:Downloader.Win32.WinFixer.u skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP891\A0149660.exe Infected: not-a-virus:Downloader.Win32.WinFixer.u skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP896\A0149944.exe Infected: not-a-virus:Downloader.Win32.WinFixer.u skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP905\A0153822.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP907\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\perfc000.dat Infected: Backdoor.Win32.Small.os skipped

Scan process completed.

OTMoveIt

C:\WINDOWS\system32\perfc000.dat moved successfully.
File/Folder C:\WINDOWS\TGVlIENoaWFuZw not found.
C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe moved successfully.

Created on 06/21/2007 01:32:10

Edited by whodamanwerd, 21 June 2007 - 09:31 AM.


#11 whodamanwerd

whodamanwerd

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 21 June 2007 - 09:27 AM

ComboFix

ComboFix 07-06-18.2 - C:\Documents and Settings\Joe Smith\Desktop\ComboFix.exe
"Joe Smith" - 2007-06-21 1:35:25 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\JOESMI~1\Desktop.\internet explorer.lnk
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\system32\perfc000.dat
C:\WINDOWS\system32\sstem3~1
C:\WINDOWS\system32\wmvds32.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_NM
-------\LEGACY_NPF
-------\cmdService
-------\nm


((((((((((((((((((((((((( Files Created from 2007-05-21 to 2007-06-21 )))))))))))))))))))))))))))))))


2007-06-21 01:34 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-18 18:53 <DIR> d-------- C:\bintheredunthat
2007-06-18 18:16 <DIR> d-------- C:\BFU
2007-06-18 18:12 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-06-17 18:11 75,750 --a------ C:\WINDOWS\War3Unin.dat
2007-06-17 18:11 2,829 --a------ C:\WINDOWS\War3Unin.pif
2007-06-17 18:11 139,264 --a------ C:\WINDOWS\War3Unin.exe
2007-06-16 10:07 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-06-06 13:20 <DIR> d-------- C:\Program Files\Last.fm
2007-06-03 02:22 <DIR> d-------- C:\Program Files\Blocktrix


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-20 03:35:50 -------- d-----w C:\DOCUME~1\JOESMI~1\APPLIC~1\AdobeUM
2007-06-18 22:05:55 -------- d-----w C:\Program Files\ewido anti-spyware 4.0
2007-06-18 21:42:37 -------- d-----w C:\DOCUME~1\JOESMI~1\APPLIC~1\Azureus
2007-06-18 01:03:14 -------- d-----w C:\Program Files\Warcraft III
2007-06-17 22:06:52 -------- d-----w C:\DOCUME~1\JOESMI~1\APPLIC~1\Hamachi
2007-06-16 14:39:11 -------- d-----w C:\Program Files\QuickTime
2007-06-16 14:39:04 -------- d-----w C:\Program Files\NETGEAR WG311v2 Adapter
2007-06-16 14:28:51 -------- d-----w C:\Program Files\AIM
2007-06-16 14:28:01 -------- d-----w C:\Program Files\AC3Filter
2007-06-16 01:57:36 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-16 01:57:22 -------- d-----w C:\Program Files\FirstClass
2007-06-12 00:52:00 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-06-12 00:51:56 -------- d-----w C:\Program Files\DivX
2007-06-12 00:51:53 -------- d-----w C:\Program Files\Clavis
2007-05-31 01:56:50 -------- d-----w C:\DOCUME~1\JOESMI~1\APPLIC~1\MSN6
2007-05-30 08:50:00 -------- d-----w C:\Program Files\NJStar Chinese WP
2007-05-28 15:41:53 -------- d-----w C:\Program Files\Movie Maker
2007-05-27 18:03:33 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-22 13:45:57 -------- d-----w C:\Program Files\MAIET
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-30 21:32:45 -------- d-----w C:\DOCUME~1\JOESMI~1\APPLIC~1\DivX
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-15 22:09:18 10,646 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-03-27 07:55:57 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-03-27 07:55:48 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-03-27 07:55:31 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-03-27 07:55:31 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-03-27 07:55:31 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-03-27 07:49:07 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-03-27 07:49:07 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-03-27 07:49:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-03-27 07:49:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-03-27 07:49:02 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-03-27 07:49:02 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-03-27 07:48:59 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-03-27 07:48:58 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-03-27 07:48:58 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-03-27 07:48:58 639,066 ----a-w C:\WINDOWS\system32\DivX.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 14:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-10-03 21:53]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-02-15 17:04]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-10-29 11:01]
"EPSON Stylus COLOR 480SXU"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.exe" [2001-09-13 14:53]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-21 01:50:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-21 1:53:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-21 01:53

--- E O F ---

#12 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,352 posts

Posted 21 June 2007 - 07:56 PM

I overlooked something very important.
You appear to not be running either an antivirus program or a software firewall (the XP SP2 firewall isn't sufficient protection, it only checks incoming data). That is an open invitation to infection these days. All you need to do to become infected is connect to the Internet. You don't even need to open a browser or actively access the Internet to become infected.

The first thing you should do at this point is to install an antivirus, update it, perform a full system scan, and remove anything found. If cost is an issue, try Avira AntiVir PersonalEdition Classic available at http://www.free-av.com, AVG Anti-Virus Free at http://free.grisoft....2/lng/us/tpl/v5, or Free avast! 4 Home Edition at http://www.avast.com...ast_4_home.html.

You should also install a software firewall. Two free firewalls are Sunbelt Kerio Personal Firewall available from http://www.sunbelt-s...e.com/Kerio.cfm and Zone Alarm from zonelabs.com http://www.zonelabs....reeDownload.jsp. There is a tutorial on understanding firewalls at http://www.bleepingc...tutorial60.html.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe that you downloaded to install the newest version.
After that, please post a new HijackThis log.
How is the system running now?

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#13 whodamanwerd

whodamanwerd

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 22 June 2007 - 07:02 PM

Hello,

My computer seems to be running fine. The CPU usage problem has disappeared. The only difference I see now is that the computer takes a bit longer to load during start-up, but I'm just guessing that it's a result of installing a firewall / anti-virus.

Also, just wondering - which of the programs that I have installed for scanning can I now get rid of?

Thanks,
whodamanwerd

HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 8:00:54 PM, on 6/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Joe Smith\My Documents\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [EPSON Stylus COLOR 480SXU] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P25 "EPSON Stylus COLOR 480SXU" /O6 "USB001" /M "Stylus COLOR 480SXU"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {AA33C66F-71DB-43E9-B559-3CBE4398E9A9} (BugsGameStarts Class) - http://au.bugsgames....gsGameStart.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

Edited by whodamanwerd, 22 June 2007 - 07:05 PM.


#14 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,352 posts

Posted 22 June 2007 - 11:02 PM

Your HijackThis log looks fine. :thumbsup:

which of the programs that I have installed for scanning can I now get rid of?

Open OTMoveIt and click the CleanUp! button on top.
In the left pane, it will display a list of tools and other related files which you may have downloaded/used during our cleanup along with backup folders that were created with the bad files present. They are not needed anymore, so OtMoveIt will delete them.
The program needs to download the list of tools, so if your firewall says that OTMoveIt is attempting to access the Internet, you need to allow it.
Do not edit anything in that Window!
Don't worry if it displays some tools you didn't download/use.
Click Yes when it asks to Begin cleanup process.
Then reboot your computer when finished.

Create a Restore Point
  • Go to Start > Programs > Accessories > System Tools > System Restore
  • Select Create a Restore Point and then Next.
  • In the box for "Restore point description", enter a descriptive name and press Create
  • When the "Restore Point Created" window appears, click Close
Run Disk Cleanup
  • Go to Start > Run and type the below line:
    cleanmgr
  • Click OK
    • If you have more than one drive, select the drive Windows is installed on
    • Click OK
  • When Disk Cleanup opens, select the More Options tab
  • In the System Restore section (bottom of window), click Cleanup
    • In the confirmation window that opens, click Yes
  • Now click on the Disk Cleanup tab and select the following items:
    • Downloaded Program Files
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  • Click OK
  • in the confirmation window, select Yes (Disk Cleanup will close).
There are several free utilities you can use to help keep malware off your system:

A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good regularly updated HOST file is MVPS HOSTS File, available at http://www.mvps.org/...p2002/hosts.htm.

IE/SPYAD adds sites associated with ads and spyware to your Internet Restricted Zone and you can download that at http://www.spywarewa...uc/resource.htm.

A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster. For real-time protection, there is SpywareGuard. Both are available at http://www.javacools...m/products.html.

I recommend reading Tony Klein's article So How did I get Infected in the First Place? at http://forums.spywar...showtopic=60955

Does your problem appear resolved?

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#15 whodamanwerd

whodamanwerd

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 24 June 2007 - 08:25 PM

Hey TheJoker,

My computer is running great! Everything seems to be working like it was before. Thanks for helping me clean up my system - it's been a while since I've done so. And thanks for all the programs.

- whodamanwerd

#16 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,352 posts

Posted 25 June 2007 - 08:34 PM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button