whodamanwerd

svchost.exe - virus?

16 posts in this topic

Hello,

 

My computer has been running multiple instances of "svchost.exe" at the same time. It is making my computer extremely slow, taking up 99% of the CPU usage. I don't know where this program came from - my computer was working fine earlier today, and then suddenly I got infected with this strange .exe. Occasionally, the svchost.exe file will cause my computer to do a system shutdown, which has already happened twice.

 

Here is the hijackthis log:

 

Logfile of HijackThis v1.99.1

Scan saved at 10:46:52 PM, on 6/8/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Joe Smith\My Documents\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz

F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [install.exe] C:\WINDOWS\svchost.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [EPSON Stylus COLOR 480SXU] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P25 "EPSON Stylus COLOR 480SXU" /O6 "USB001" /M "Stylus COLOR 480SXU"

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab

O16 - DPF: {AA33C66F-71DB-43E9-B559-3CBE4398E9A9} (BugsGameStarts Class) - http://au.bugsgames.net/game/GBugsGameStart.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

 

Help would be greatly appreciated - my computer seems to be running fine, and the only problem is the slowness. I'm just afraid that this program may cause other problems to arise.

 

Thanks,

whodamanwerd


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Hi whodamanwerd, and Welcome to SWI

 

Sorry it has taken so long to get to you, but the board has been very busy lately, and all the Helpers here are volunteers.

 

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier.

 

Actually, it's normal to find multiple instances of svchost.exe. I have 6 instances running right now.

 

From http://www.computerhaven.info/svchost.htm:

“Svchost.exe” is the file name for the generic Windows process called Service Host which resides in \Windows\System32\. Since it acts as a host, it can collect multiple services together and run them in a common environment. This results in a more efficient arrangement since it reduces boot time and system overhead by eliminating the need to run dozens of separate services, each in their own memory spaces. Different groups of Windows services have different requirements in terms of system access and security, which is why separate instances of svchost.exe are needed.

 

However, one or more of the items you need to remove is a backdoor application that can allow attackers to access your computer, stealing passwords and personal data. I highly recommend that from a clean, uninfected system you immediately change all the passwords on any systems you access from this system. If you do any on-line banking, or store any financial information on this system, you should immediately call your financial institution and advise them of the situation so you can secure your accounts.

 

Download SDFix and save it to your Desktop.

 

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

 

Please then reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum in your next reply.

Clean your Cache and Cookies in IE:

  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin

  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.

Run Panda's online virus scan and perform a full system scan.

Once you are on the Panda site click the Scan your PC button

  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Please post a new HijackThis log, the log from SDFix, the log from Panda's ActiveScan, and note any errors encountered.

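As an added example (not from this thread, and not part of HijackThis, SDFix or any other tool mentioned here), the Python below applies the helper's point about svchost.exe to HijackThis log text: the real Service Host lives only in System32, so a copy running from C:\WINDOWS or launched from a Run key, a UserInit value carrying an extra executable, or an AppInit_DLLs entry that is not a DLL are the kinds of lines a reviewer circles in a log like the one above. The sample log lines are constructed to mirror entries from the posted log; the regexes and thresholds are this example's own assumptions about the v1.99.1 log format.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis v1.99.1 layout, modelled on the log posted
# above (not a copy of it).  Raw string so the Windows paths need no escaping.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\svchost.exe

F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [install.exe] C:\WINDOWS\svchost.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
"""

# The only place a genuine Service Host binary should be on a default XP install.
LEGIT_SVCHOST = r"c:\windows\system32\svchost.exe"

O4_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\Run\w*): \[([^\]]*)\] (.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (.*)$")


def basename(path: str) -> str:
    """Last path component of a Windows path, lower-cased, quotes stripped."""
    return path.strip().strip('"').lower().rsplit("\\", 1)[-1]


def is_svchost_path_suspicious(path: str) -> bool:
    """True when a path names svchost.exe but is not the System32 copy."""
    p = path.strip().strip('"').lower()
    return p.endswith("svchost.exe") and p != LEGIT_SVCHOST


def first_exe(command: str) -> str:
    """Pull the executable out of a Run-key command line, quoted or not."""
    m = re.match(r'"?(.+?\.exe)\b', command, re.IGNORECASE)
    return m.group(1) if m else command.strip()


def analyse_hijackthis(log: str) -> List[Dict[str, str]]:
    """Walk a HijackThis log and return the lines that deserve a second look."""
    findings: List[Dict[str, str]] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            if is_svchost_path_suspicious(line):
                findings.append({"section": "process", "item": line,
                                 "reason": "svchost.exe running from outside System32"})
            continue
        m = O4_RE.match(line)
        if m:
            if is_svchost_path_suspicious(first_exe(m.group(3))):
                findings.append({"section": "O4", "item": line,
                                 "reason": "Run key [%s] starts an svchost.exe copy "
                                           "outside System32" % m.group(2)})
            continue
        m = F2_RE.match(line)
        if m:
            # UserInit should list userinit.exe and nothing else.
            extras = [t.strip() for t in m.group(1).split(",")
                      if t.strip() and basename(t) != "userinit.exe"]
            if extras:
                findings.append({"section": "F2", "item": line,
                                 "reason": "extra executable(s) in UserInit: "
                                           + ", ".join(extras)})
            continue
        m = O20_RE.match(line)
        if m:
            # AppInit_DLLs is loaded into every user32 process; non-DLL names are odd.
            for entry in m.group(1).split(","):
                entry = entry.strip()
                if entry and not entry.lower().endswith(".dll"):
                    findings.append({"section": "O20", "item": line,
                                     "reason": "AppInit_DLLs entry is not a .dll: " + entry})
    return findings


if __name__ == "__main__":
    for f in analyse_hijackthis(SAMPLE_LOG):
        print("[%s] %s\n    -> %s" % (f["section"], f["item"], f["reason"]))
```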

Hello,

 

Just a little update:

Over the past few days, the problem seems to be going on and off (some days it would be 100% usage, some days it would run normal). As of right now, my computer is working fine.

 

Here are the updated logs.

 

 

HijackThis:

 

Logfile of HijackThis v1.99.1

Scan saved at 11:13:12 AM, on 6/16/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE

C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Joe Smith\My Documents\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [install.exe] C:\WINDOWS\svchost.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [EPSON Stylus COLOR 480SXU] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P25 "EPSON Stylus COLOR 480SXU" /O6 "USB001" /M "Stylus COLOR 480SXU"

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab

O16 - DPF: {AA33C66F-71DB-43E9-B559-3CBE4398E9A9} (BugsGameStarts Class) - http://au.bugsgames.net/game/GBugsGameStart.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

 

 

SDFix:

 

SDFix: Version 1.87

 

Run by Joe Smith on Sat 06/16/2007 at 08:59 AM

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFix

 

Safe Mode:

Checking Services:

 

Name:

Windows Overlay Components

 

ImagePath:

C:\WINDOWS\bldhciq.exe

 

Windows Overlay Components - Deleted

 

Killing PID 124 'smss.exe'

Killing PID 196 'winlogon.exe'

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting...

 

 

Normal Mode:

Checking Files:

 

Below files will be copied to Backups folder then removed:

 

C:\WINDOWS\SYSTEM32\MSORCL32.EXE - Deleted

C:\WINDOWS\system32\ntos.exe - Deleted

C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted

C:\WINDOWS\system32\wsnpoem\video.dll - Deleted

C:\WINDOWS\Uninst2.htm - Deleted

C:\WINDOWS\Unist1.htm - Deleted

C:\DOCUME~1\JOESMI~1\LOCALS~1\Temp\tmp*.tmp - Deleted

 

 

Folder C:\WINDOWS\system32\wsnpoem - Removed

 

Removing Temp Files...

 

ADS Check:

 

Checking C:\WINDOWS\

C:\WINDOWS

No streams found.

 

Checking C:\WINDOWS\system32

C:\WINDOWS\system32

No streams found.

 

Checking C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

No streams found.

 

Checking C:\WINDOWS\system32\ntoskrnl.exe

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

 

 

 

Final Check:

 

Remaining Services:

------------------

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"

"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"

"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe:*:Enabled:Java 2 Platform Standard Edition binary"

"C:\\Program Files\\Valve\\Steam\\Steam.exe"="C:\\Program Files\\Valve\\Steam\\Steam.exe:*:Enabled:Steam"

"C:\\Program Files\\Valve\\Steam\\SteamApps\\panini773\\counter-strike\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\panini773\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"

"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

"C:\\Program Files\\Triggersoft\\Rose Online\\TRose.exe"="C:\\Program Files\\Triggersoft\\Rose Online\\TRose.exe:*:Enabled:Client"

"C:\\Program Files\\Valve\\Steam\\SteamApps\\enigmasoul5\\counter-strike\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\enigmasoul5\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"

"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"

"C:\\Program Files\\Valve\\Steam\\SteamApps\\caffeineforever242@hotmail.com\\counter-strike\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\caffeineforever242@hotmail.com\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"

"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"

"C:\\Program Files\\Xfire\\Xfire.exe"="C:\\Program Files\\Xfire\\Xfire.exe:*:Enabled:Xfire"

"C:\\Program Files\\Yahoo! Games\\Scrabble\\Scrabble.exe"="C:\\Program Files\\Yahoo! Games\\Scrabble\\Scrabble.exe:*:Enabled:SCRABBLE r"

"C:\\Dynamix\\TribesDemo\\Tribes.exe"="C:\\Dynamix\\TribesDemo\\Tribes.exe:*:Enabled:Tribes"

"C:\\Program Files\\Hamachi\\hamachi.exe"="C:\\Program Files\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"

"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe:*:Enabled:Java 2 Platform Standard Edition binary"

"C:\\Program Files\\Starcraft\\starcraft.exe"="C:\\Program Files\\Starcraft\\starcraft.exe:*:Enabled:Starcraft"

"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"

"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"

"C:\\Program Files\\Common Files\\AOL\\1138472538\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1138472538\\ee\\aolsoftware.exe:*:Enabled:AOL Services"

"C:\\Program Files\\Common Files\\AOL\\1138472538\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1138472538\\ee\\aim6.exe:*:Enabled:AIM"

"C:\\WINDOWS\\SYSTEM32\\rundll32.exe"="C:\\WINDOWS\\SYSTEM32\\rundll32.exe:*:Enabled:Run a DLL as an App"

"C:\\Program Files\\Valve\\Steam\\SteamApps\\drstunner@hotmail.com\\counter-strike\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\drstunner@hotmail.com\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"

"C:\\Program Files\\DungeonStomp\\bin\\ds.exe"="C:\\Program Files\\DungeonStomp\\bin\\ds.exe:*:Enabled:ds"

"C:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"="C:\\WINDOWS\\SYSTEM32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"

"C:\\TetriNET\\TETRINET.EXE"="C:\\TetriNET\\TETRINET.EXE:*:Enabled:TETRINET"

"C:\\WINDOWS\\SYSTEM32\\rtcshare.exe"="C:\\WINDOWS\\SYSTEM32\\rtcshare.exe:*:Enabled:RTC App Sharing"

"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windowsr NetMeetingr"

"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"

"C:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"="C:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe:*:Enabled:Halo"

"C:\\Documents and Settings\\Joe Smith\\My Documents\\download\\whodamanwerd\\VBA Link\\vbaserver.exe"="C:\\Documents and Settings\\Joe Smith\\My Documents\\download\\whodamanwerd\\VBA Link\\vbaserver.exe:*:Enabled:vbaserver"

"C:\\Program Files\\Armagetron Advanced\\armagetronad.exe"="C:\\Program Files\\Armagetron Advanced\\armagetronad.exe:*:Enabled:armagetronad"

"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"

"C:\\Documents and Settings\\Joe Smith\\My Documents\\Warsow\\warsow.exe"="C:\\Documents and Settings\\Joe Smith\\My Documents\\Warsow\\warsow.exe:*:Enabled:Warsow"

"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui"

"C:\\Program Files\\Cain\\Cain.exe"="C:\\Program Files\\Cain\\Cain.exe:*:Enabled:Cain - Password Recovery Utility"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

"C:\\Documents and Settings\\Joe Smith\\Local Settings\\Temp\\~os138.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Joe Smith\\Local Settings\\Temp\\~os138.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"

"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

"C:\\Program Files\\Last.fm\\LastFM.exe"="C:\\Program Files\\Last.fm\\LastFM.exe:*:Enabled:LastFM"

"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"="C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe:*:Enabled:Nexon Game Manager"

"C:\\WINDOWS\\svchost.exe"="C:\\WINDOWS\\svchost.exe:*:Disabled:svchost"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

 

Remaining Files:

---------------

 

Backups Folder: - C:\SDFix\backups\backups.zip

 

Listing Files with Hidden Attributes:

 

C:\WINDOWS\SYSTEM32\KGyGaAvL.sys

C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp

C:\Documents and Settings\Joe Smith\Application Data\Microsoft\Word\~WRL1058.tmp

C:\Documents and Settings\Joe Smith\My Documents\~WRL0750.tmp

C:\Documents and Settings\Joe Smith\My Documents\~WRL3003.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0001.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0003.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0527.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0787.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0791.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0803.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0945.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL1100.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL1597.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL1852.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL2749.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL2813.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL2860.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL3359.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL3487.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL3519.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL3901.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL0946.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL1110.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL1420.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL1934.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL2367.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL3278.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL3979.tmp

 

Listing User Accounts:

 

User accounts for \\JOE

 

Administrator Guest HelpAssistant

Joe Smith SUPPORT_388945a0 SUPPORT_3f151ab9

 

 

Finished

 

 

Panda's ActiveScan:

 

 

Incident Status Location

 

Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Joe Smith\Application Data\Mozilla\Firefox\Profiles\6n7klvcd.default\cookies.txt[.adopt.hbmediapro.com/]

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Joe Smith\Application Data\Mozilla\Firefox\Profiles\6n7klvcd.default\cookies.txt[.atwola.com/]

Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Joe Smith\Application Data\Mozilla\Firefox\Profiles\6n7klvcd.default\cookies.txt[.bravenet.com/]

Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Joe Smith\Application Data\Mozilla\Firefox\Profiles\6n7klvcd.default\cookies.txt[.maxserving.com/]

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Joe Smith\Application Data\Mozilla\Firefox\Profiles\6n7klvcd.default\cookies.txt[.realmedia.com/]

Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Joe Smith\Application Data\Mozilla\Firefox\Profiles\6n7klvcd.default\cookies.txt[.rightmedia.net/]

Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Joe Smith\Application Data\tvmknwrd.dll

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Joe Smith\Cookies\joe smith@advertising[2].txt

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Joe Smith\Cookies\joe smith@atwola[1].txt

Hacktool:HackTool/KillProcWin.A Not disinfected C:\Documents and Settings\Joe Smith\Local Settings\Application Data\Wildtangent\Cdacache\00\00\37.dat[simple_killw.exe]

Virus:Trj/Zapchast.S Disinfected C:\Program Files\Warcraft III\Blizzard.dll

Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe

Adware:adware/ncase Not disinfected C:\temp\salmau.dat

Virus:Trj/VB.WA Disinfected C:\WINDOWS\30x.exe

Adware:Adware/NetPals Not disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf

Adware:Adware/IPInsight Not disinfected C:\WINDOWS\INF\conscorr.inf

Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\keyboard1.dat

Spyware:Spyware/New.net Not disinfected C:\WINDOWS\NDNuninstall7_48.exe

Virus:Trj/Spammer.ZX Disinfected C:\WINDOWS\SYSTEM32\perfc000.dat

Adware:Adware/CommAd Not disinfected C:\WINDOWS\TGVlIENoaWFuZw\n3p5KHhCuqIRtT.vbs

Virus:Bck/Dbot.A Disinfected C:\WINDOWS\zzzx.exe


WildTangent is considered "foistware", installed with some on-line games, but it's not required for them to run, and you are never given the chance to refuse the install. Their privacy policy used to state that they collect and share individuals' information, although this is no longer the case. I highly recommend you optionally uninstall it. If you decide to remove it, go to Start > Control Panel > Add or Remove Programs and remove the following program (if found):

WildTangent

 

Reconfigure Windows XP to show hidden files:

Click Start. Open My Computer.

Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".

Uncheck the "Hide protected operating system files (recommended)" option.

Uncheck the "Hide file extensions for known file types" option.

 

Then delete the following folders if found:

C:\Program Files\WildTangent

C:\Documents and Settings\Joe Smith\Local Settings\Application Data\Wildtangent

 

 

Run AVG Anti-Spyware

  • On the main screen select the icon "Update".
  • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports":
    • Select "Do not automatically generate reports"
    • Un-Select "Only if threats were found"

Close AVG Anti-Spyware. Do Not run a scan just yet; we will shortly.

 

 

Please download Brute Force Uninstaller to your desktop.

  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to, click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcan worm remover.

Save it in the same folder you made earlier (c:\BFU).

 

Do not do anything with these yet!

 

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit Enter.

 

Once in Safe Mode, please go to Start > My Computer and navigate to the C:\BFU folder.

  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Next to the scriptline to execute field click the folder icon foldericon.png and select alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.

Run a complete system scan with AVG Anti-Spyware.

IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process:

  1. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  2. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  3. AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  4. If you have any infections you will be prompted, then select "Apply all actions"
  5. Next select the "Reports" icon at the top.
  6. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  7. Close AVG Anti-Spyware

Reboot into normal Windows and post the contents of the AVG Anti-Spyware log that you saved in your next reply.

 

Now reboot to Safe Mode - Restart your computer and begin tapping the F8 key on your keyboard.

If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

To return to normal mode just restart your computer as you normally would.

 

Please then reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with your Next reply.

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

 

O4 - HKLM\..\Run: [install.exe] C:\WINDOWS\svchost.exe

O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat

 

You can optionally check the following entry. This is part of Microsoft Office located in your Startup folder, but it's not needed, and it's a resource hog:

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

 

Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

 

 

Using Windows Explorer, delete the following files and folder if found:

C:\temp\salmau.dat

C:\Documents and Settings\Joe Smith\Application Data\tvmknwrd.dll

C:\WINDOWS\INF\conscorr.inf

C:\WINDOWS\keyboard1.dat

C:\WINDOWS\NDNuninstall7_48.exe

C:\WINDOWS\svchost.exe

C:\WINDOWS\system32\perfc000.dat

C:\WINDOWS\TGVlIENoaWFuZw <-- folder

 

 

Not being able to find a file in the Downloaded Program Files folder is a common issue.

You will need to unregister a file to see them.

 

Go to Start > Run, and in the Run box type the following text and hit Enter:

regsvr32 /u occache.dll

 

Then this file will become visible and can be deleted.

 

Now, using Windows Explorer see if you can locate the following file and delete it:

 

C:\WINDOWS\Downloaded Program Files\ATPartners.inf

 

Then register occache.dll again:

Go to Start > Run, and in the Run box type the following text and hit Enter:

regsvr32 occache.dll

 

Restart your system.

 

 

Please run Notepad and paste the following text in the Code box into a new file:

 

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"C:\\Documents and Settings\\Joe Smith\\Local Settings\\Temp\\~os138.tmp\\ossproxy.exe"=-

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

 

 

Please go to VirusTotal and submit the following file (if found) for a scan and post the results in your next reply:

C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe

 

Now you need to hide the files you un-hid earlier:

Click Start. Open My Computer.

Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading unselect "Show hidden files and folders".

Check the "Hide protected operating system files (recommended)" option.

Click Yes to confirm. Click OK.

 

Please post a new HijackThis log, the log from AVG Anti-Spyware, the log from SDFix (Report.txt), the results from scanning the file at VirusTotal, and note any errors encountered.

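The entries the helper singles out above (svchost.exe launched from C:\WINDOWS instead of system32, a .dat file in AppInit_DLLs, and a firewall exception for an executable living in a Temp folder) are the kind of thing that can be checked mechanically rather than by eye. The Python script below is an added example for this thread; it is not part of the thread, of HijackThis, or of SDFix. It reads HijackThis O4/O20 lines and the AuthorizedApplications export that SDFix prints, and flags those three patterns. The rule names, the regular expressions and the helper functions are mine; the sample lines are copied from the logs posted in this thread.

```python
"""Triage HijackThis O4/O20 lines and the XP firewall AuthorizedApplications
export that SDFix prints, flagging the patterns the helper checked by hand.

Added example, not from the thread or from HijackThis/SDFix.  Rule names and
regular expressions are this example's own; sample lines come from the thread.
"""
import re

# On Windows XP the genuine svchost.exe lives only in %SystemRoot%\system32;
# a copy in C:\WINDOWS (as in this thread) is not the service host.
SYSTEM32 = "c:\\windows\\system32"

O4_RUN_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$")
# .reg export syntax: "path"="path:scope:Enabled|Disabled:display name"
FW_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<val>[^"]*)"$')
FW_STATE_RE = re.compile(r":[^:]*:(enabled|disabled):", re.I)
# First program-like path in a Run value, quoted or not, before any arguments
EXE_RE = re.compile(r'^"?(?P<p>.+?\.(?:exe|com|scr|bat|cmd|vbs|dll|dat))"?(?:\s|$)', re.I)


def exe_from_cmd(cmd):
    """Extract the program path from a Run value such as '"C:\\x y\\a.exe" -flag'."""
    m = EXE_RE.match(cmd.strip())
    return m.group("p") if m else cmd.strip()


def path_rules(path):
    """Rules that apply to any executable path, whichever log it came from."""
    p = path.lower().replace("%windir%", "c:\\windows").replace("%systemroot%", "c:\\windows")
    folder, _, base = p.rpartition("\\")
    rules = []
    if base == "svchost.exe" and folder != SYSTEM32:
        rules.append("svchost-outside-system32")
    if "\\temp\\" in p:  # C:\temp, Local Settings\Temp, etc.
        rules.append("runs-from-temp")
    return rules


def triage(lines):
    """Return (source, rule, path) triples for every suspicious entry in lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)
        if m:
            path = exe_from_cmd(m.group("cmd"))
            src = f"O4 [{m.group('name')}]"
            findings += [(src, r, path) for r in path_rules(path)]
            continue
        m = O20_RE.match(line)
        if m:
            path = m.group("path").strip()
            # AppInit_DLLs is loaded into every process that links user32.dll;
            # a ".dat" there is a DLL renamed to look like data.
            if not path.lower().endswith(".dll"):
                findings.append(("O20 AppInit_DLLs", "appinit-not-a-dll", path))
            findings += [("O20 AppInit_DLLs", r, path) for r in path_rules(path)]
            continue
        m = FW_RE.match(line)
        if m:
            path = m.group("key").replace("\\\\", "\\")  # undo .reg escaping
            st = FW_STATE_RE.search(m.group("val"))
            src = f"firewall exception ({st.group(1) if st else 'unknown'})"
            findings += [(src, r, path) for r in path_rules(path)]
    return findings


# Constructed sample: lines taken from the logs posted in this thread.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [install.exe] C:\WINDOWS\svchost.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE",
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat",
    r'"C:\\WINDOWS\\svchost.exe"="C:\\WINDOWS\\svchost.exe:*:Disabled:svchost"',
    r'"C:\\Documents and Settings\\Joe Smith\\Local Settings\\Temp\\~os138.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Joe Smith\\Local Settings\\Temp\\~os138.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"',
    r'"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"',
]

if __name__ == "__main__":
    for src, rule, path in triage(SAMPLE_LINES):
        print(f"{rule:26} {src:30} {path}")
```

Run against the sample it reports four entries: the Run key and the firewall exception that both point at C:\WINDOWS\svchost.exe, the perfc000.dat AppInit_DLLs entry, and the ossproxy.exe exception under Local Settings\Temp; the QuickTime, Office and AIM entries pass. Note that the firewall export is worth reading even when an entry is marked Disabled: it still records that something once registered that path.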

Hello,

 

My computer seems to be working fine so far. However, I don't know if it's entirely clean yet.

Here are the updated logs.

 

HijackThis

 

Logfile of HijackThis v1.99.1

Scan saved at 1:43:26 AM, on 6/19/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE

C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\AIM\aim.exe

C:\Documents and Settings\Joe Smith\My Documents\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [EPSON Stylus COLOR 480SXU] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P25 "EPSON Stylus COLOR 480SXU" /O6 "USB001" /M "Stylus COLOR 480SXU"

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab

O16 - DPF: {AA33C66F-71DB-43E9-B559-3CBE4398E9A9} (BugsGameStarts Class) - http://au.bugsgames.net/game/GBugsGameStart.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

 

 

AVG Anti-Spyware

 

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 8:13:43 PM 6/18/2007

 

+ Scan result:

 

 

 

C:\WINDOWS\NDNuninstall7_48.exe -> Adware.NewDotNet : Cleaned.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP884\A0149210.exe -> Backdoor.Small.os : Cleaned.

C:\WINDOWS\SYSTEM32\perfc000.dat -> Backdoor.Small.os : Cleaned.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP887\A0149434.exe -> Downloader.Delf.bld : Cleaned.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP902\A0152711.exe -> Downloader.Delf.bld : Cleaned.

C:\WINDOWS\Downloaded Program Files\ATPartners.inf -> Downloader.Rameh.c : Cleaned.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP902\A0152710.exe -> Downloader.VB.att : Cleaned.

C:\Program Files\Online Services\howyvyr.html -> Hijacker.Small.jf : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@ice.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@4.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@ads.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@com[1].txt -> TrackingCookie.Com : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@media.fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.

:mozilla.102:C:\Documents and Settings\Joe Smith\Application Data\Mozilla\Firefox\Profiles\6n7klvcd.default\cookies.txt -> TrackingCookie.Msn : Cleaned.

:mozilla.169:C:\Documents and Settings\Joe Smith\Application Data\Mozilla\Firefox\Profiles\6n7klvcd.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.

:mozilla.12:C:\Documents and Settings\Joe Smith\Application Data\Mozilla\Firefox\Profiles\6n7klvcd.default\cookies.txt -> TrackingCookie.Planetactive : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.

:mozilla.93:C:\Documents and Settings\Joe Smith\Application Data\Mozilla\Firefox\Profiles\6n7klvcd.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.

:mozilla.94:C:\Documents and Settings\Joe Smith\Application Data\Mozilla\Firefox\Profiles\6n7klvcd.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.

:mozilla.95:C:\Documents and Settings\Joe Smith\Application Data\Mozilla\Firefox\Profiles\6n7klvcd.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.

C:\Documents and Settings\Joe Smith\Cookies\joe smith@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.

C:\WINDOWS\SYSTEM32\wnscpsu.exe -> Trojan.Small : Cleaned.

C:\WINDOWS\TGVlIENoaWFuZw\n3p5KHhCuqIRtT.vbs -> Trojan.Small : Cleaned.

 

 

::Report end

 

 

SDFix

 

SDFix: Version 1.87

 

Run by Joe Smith on Tue 06/19/2007 at 12:33 AM

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFix

 

Safe Mode:

Checking Services:

 

 

 

 

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting...

 

 

Normal Mode:

Checking Files:

 

No Trojan Files Found

 

 

 

 

Removing Temp Files...

 

ADS Check:

 

Checking C:\WINDOWS\

C:\WINDOWS

No streams found.

 

Checking C:\WINDOWS\system32

C:\WINDOWS\system32

No streams found.

 

Checking C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

No streams found.

 

Checking C:\WINDOWS\system32\ntoskrnl.exe

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

 

 

 

Final Check:

 

Remaining Services:

------------------

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"

"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"

"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe:*:Enabled:Java 2 Platform Standard Edition binary"

"C:\\Program Files\\Valve\\Steam\\Steam.exe"="C:\\Program Files\\Valve\\Steam\\Steam.exe:*:Enabled:Steam"

"C:\\Program Files\\Valve\\Steam\\SteamApps\\panini773\\counter-strike\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\panini773\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"

"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

"C:\\Program Files\\Triggersoft\\Rose Online\\TRose.exe"="C:\\Program Files\\Triggersoft\\Rose Online\\TRose.exe:*:Enabled:Client"

"C:\\Program Files\\Valve\\Steam\\SteamApps\\enigmasoul5\\counter-strike\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\enigmasoul5\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"

"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"

"C:\\Program Files\\Valve\\Steam\\SteamApps\\caffeineforever242@hotmail.com\\counter-strike\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\caffeineforever242@hotmail.com\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"

"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"

"C:\\Program Files\\Xfire\\Xfire.exe"="C:\\Program Files\\Xfire\\Xfire.exe:*:Enabled:Xfire"

"C:\\Program Files\\Yahoo! Games\\Scrabble\\Scrabble.exe"="C:\\Program Files\\Yahoo! Games\\Scrabble\\Scrabble.exe:*:Enabled:SCRABBLE r"

"C:\\Dynamix\\TribesDemo\\Tribes.exe"="C:\\Dynamix\\TribesDemo\\Tribes.exe:*:Enabled:Tribes"

"C:\\Program Files\\Hamachi\\hamachi.exe"="C:\\Program Files\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"

"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe:*:Enabled:Java 2 Platform Standard Edition binary"

"C:\\Program Files\\Starcraft\\starcraft.exe"="C:\\Program Files\\Starcraft\\starcraft.exe:*:Enabled:Starcraft"

"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"

"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"

"C:\\Program Files\\Common Files\\AOL\\1138472538\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1138472538\\ee\\aolsoftware.exe:*:Enabled:AOL Services"

"C:\\Program Files\\Common Files\\AOL\\1138472538\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1138472538\\ee\\aim6.exe:*:Enabled:AIM"

"C:\\WINDOWS\\SYSTEM32\\rundll32.exe"="C:\\WINDOWS\\SYSTEM32\\rundll32.exe:*:Enabled:Run a DLL as an App"

"C:\\Program Files\\Valve\\Steam\\SteamApps\\drstunner@hotmail.com\\counter-strike\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\drstunner@hotmail.com\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"

"C:\\Program Files\\DungeonStomp\\bin\\ds.exe"="C:\\Program Files\\DungeonStomp\\bin\\ds.exe:*:Enabled:ds"

"C:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"="C:\\WINDOWS\\SYSTEM32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"

"C:\\TetriNET\\TETRINET.EXE"="C:\\TetriNET\\TETRINET.EXE:*:Enabled:TETRINET"

"C:\\WINDOWS\\SYSTEM32\\rtcshare.exe"="C:\\WINDOWS\\SYSTEM32\\rtcshare.exe:*:Enabled:RTC App Sharing"

"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windowsr NetMeetingr"

"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"

"C:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"="C:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe:*:Enabled:Halo"

"C:\\Documents and Settings\\Joe Smith\\My Documents\\download\\whodamanwerd\\VBA Link\\vbaserver.exe"="C:\\Documents and Settings\\Joe Smith\\My Documents\\download\\whodamanwerd\\VBA Link\\vbaserver.exe:*:Enabled:vbaserver"

"C:\\Program Files\\Armagetron Advanced\\armagetronad.exe"="C:\\Program Files\\Armagetron Advanced\\armagetronad.exe:*:Enabled:armagetronad"

"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"

"C:\\Documents and Settings\\Joe Smith\\My Documents\\Warsow\\warsow.exe"="C:\\Documents and Settings\\Joe Smith\\My Documents\\Warsow\\warsow.exe:*:Enabled:Warsow"

"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui"

"C:\\Program Files\\Cain\\Cain.exe"="C:\\Program Files\\Cain\\Cain.exe:*:Enabled:Cain - Password Recovery Utility"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

"C:\\Documents and Settings\\Joe Smith\\Local Settings\\Temp\\~os138.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Joe Smith\\Local Settings\\Temp\\~os138.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"

"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

"C:\\Program Files\\Last.fm\\LastFM.exe"="C:\\Program Files\\Last.fm\\LastFM.exe:*:Enabled:LastFM"

"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"="C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe:*:Enabled:Nexon Game Manager"

"C:\\WINDOWS\\svchost.exe"="C:\\WINDOWS\\svchost.exe:*:Disabled:svchost"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

 

Remaining Files:

---------------

 

 

Listing Files with Hidden Attributes:

 

C:\WINDOWS\SYSTEM32\KGyGaAvL.sys

C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp

C:\Documents and Settings\Joe Smith\Application Data\Microsoft\Word\~WRL1058.tmp

C:\Documents and Settings\Joe Smith\My Documents\~WRL0750.tmp

C:\Documents and Settings\Joe Smith\My Documents\~WRL3003.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0001.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0003.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0527.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0787.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0791.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0803.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL0945.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL1100.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL1597.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL1852.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL2749.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL2813.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL2860.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL3359.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL3487.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL3519.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\College Stuff\~WRL3901.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL0946.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL1110.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL1420.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL1934.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL2367.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL3278.tmp

C:\Documents and Settings\Joe Smith\My Documents\Word Documents\English\~WRL3979.tmp

 

Listing User Accounts:

 

User accounts for \\JOE

 

Administrator Guest HelpAssistant

Joe Smith SUPPORT_388945a0 SUPPORT_3f151ab9

 

 

Finished

 

 

VirusTotal

 

STATUS: FINISHED

Complete scanning result of "NGM.exe", received in VirusTotal at 06.19.2007, 07:10:15 (CET).

 

Antivirus Version Update Result

AhnLab-V3 2007.6.16.0 06.19.2007 no virus found

AntiVir 7.4.0.32 06.18.2007 no virus found

Authentium 4.93.8 06.18.2007 no virus found

Avast 4.7.997.0 06.18.2007 no virus found

AVG 7.5.0.467 06.18.2007 no virus found

BitDefender 7.2 06.19.2007 no virus found

CAT-QuickHeal 9.00 06.18.2007 no virus found

ClamAV devel-20070416 06.19.2007 no virus found

DrWeb 4.33 06.18.2007 no virus found

eSafe 7.0.15.0 06.19.2007 no virus found

eTrust-Vet 30.7.3727 06.19.2007 no virus found

Ewido 4.0 06.18.2007 no virus found

FileAdvisor 1 06.19.2007 no virus found

Fortinet 2.91.0.0 06.19.2007 no virus found

F-Prot 4.3.2.48 06.18.2007 no virus found

F-Secure 6.70.13030.0 06.19.2007 W32/Downloader

Ikarus T3.1.1.8 06.19.2007 no virus found

Kaspersky 4.0.2.24 06.19.2007 no virus found

McAfee 5055 06.18.2007 no virus found

Microsoft 1.2607 06.19.2007 no virus found

NOD32v2 2337 06.18.2007 no virus found

Norman 5.80.02 06.18.2007 W32/Downloader

Panda 9.0.0.4 06.19.2007 no virus found

Prevx1 V2 06.19.2007 no virus found

Sophos 4.18.0 06.12.2007 no virus found

Sunbelt 2.2.907.0 06.16.2007 no virus found

Symantec 10 06.19.2007 no virus found

TheHacker 6.1.6.134 06.18.2007 no virus found

VBA32 3.12.0.2 06.19.2007 no virus found

VirusBuster 4.3.23:9 06.18.2007 no virus found

Webwasher-Gateway 6.0.1 06.18.2007 no virus found

 

 

Aditional Information

File size: 110592 bytes

MD5: a888fad85299543090dd82cefa235dd2

SHA1: babebf343d35a5c0046eb9f774572738b183dc43

norman sandbox: [ General information ]

* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.

* File length: 110592 bytes.

 

[ Changes to filesystem ]

* Creates directory C:\PROGRA~1\Nexon.

* Creates directory C:\PROGRA~1\Nexon\NGM.

* Creates file C:\PROGRA~1\Nexon\NGM\NGMDll.dll.

 

[ Network services ]

* Connects to "platform.nx.com" on port 80 (TCP).

* Opens URL: platform.nx.com//NGM/Bin/NGMDll.dll.

 

[ Security issues ]

* Starting downloaded file - potential security problem.

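
An added example, not part of the post above and not VirusTotal's own code: before acting on a report like this one, a practitioner confirms that the local sample is the same bytes the report describes (by hashing it and comparing against the MD5/SHA1 the report lists) and reads the detection ratio off the result table rather than eyeballing 32 rows. SAMPLE_TABLE below is a constructed excerpt of the table above; REPORTED holds the two hashes the report gives for NGM.exe. The function names are mine. No copy of NGM.exe is available here, so the usage call at the bottom hashes a constructed byte string, which correctly fails the comparison.

```python
import hashlib

# Constructed excerpt of the VirusTotal result table quoted in the post above
# (engine, engine version, signature date, verdict; "no virus found" = clean).
SAMPLE_TABLE = """\
AhnLab-V3 2007.6.16.0 06.19.2007 no virus found
F-Secure 6.70.13030.0 06.19.2007 W32/Downloader
Kaspersky 4.0.2.24 06.19.2007 no virus found
Norman 5.80.02 06.18.2007 W32/Downloader
Webwasher-Gateway 6.0.1 06.18.2007 no virus found
"""

# Hashes the report states for NGM.exe (110592 bytes), copied from the post.
REPORTED = {
    "md5": "a888fad85299543090dd82cefa235dd2",
    "sha1": "babebf343d35a5c0046eb9f774572738b183dc43",
}


def file_hashes(data):
    """MD5 and SHA-1 of the sample bytes as lower-case hex, the fields VirusTotal prints."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def matches_report(data, reported):
    """True only if every hash the report lists agrees with the local bytes.

    A mismatch means the report is about a different file (repacked build,
    truncated download, wrong file picked up) and its verdicts do not apply.
    """
    local = file_hashes(data)
    return all(local[k] == v.lower() for k, v in reported.items())


def parse_results(table_text):
    """Return (engine, verdict) pairs; the verdict is None for a clean result."""
    results = []
    for line in table_text.splitlines():
        parts = line.split(None, 3)  # engine, version, date, verdict
        if len(parts) != 4:
            continue
        engine, verdict = parts[0], parts[3].strip()
        results.append((engine, None if verdict == "no virus found" else verdict))
    return results


def detection_ratio(table_text):
    """(flagged, total) engine counts plus the distinct names the flagging engines used."""
    results = parse_results(table_text)
    flagged = [(e, v) for e, v in results if v is not None]
    return len(flagged), len(results), sorted({v for _, v in flagged})


if __name__ == "__main__":
    # Constructed stand-in bytes: we do not have NGM.exe, so this must report a mismatch.
    sample = b"not the real NGM.exe"
    print("hashes match report:", matches_report(sample, REPORTED))
    print("detections:", detection_ratio(SAMPLE_TABLE))
```

Two of the five engines in the excerpt (F-Secure and Norman, as in the full table) call the file W32/Downloader, which is consistent with the Norman sandbox note that it fetches and starts NGMDll.dll from platform.nx.com. A low ratio on a generic "Downloader" name is exactly the case where the hash check matters: the verdict only tells you something if it was computed over the bytes you have.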

You have a few items that don't seem to want to go easily.

 

Please download OTMoveIt by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
     
    C:\WINDOWS\system32\perfc000.dat
    C:\WINDOWS\TGVlIENoaWFuZw
    C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe
     
     
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Open Notepad and paste the text into a new file.
  • Save the file to the desktop as OTMoveIt.txt and post it in your next reply.
  • Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. If not asked, restart anyway.

 

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entry (if still there):

 

O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat

 

Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entry you checked.

 

Download ComboFix© by sUBs from one of these links:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

Save the file to your Desktop.

Double click combofix.exe & follow the prompts.

Don't click on the ComboFix window while it's running; that could cause it to stall.

When finished, and after reboot, it should open a log, combofix.txt.

Post that log in your next reply.

 

Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).

First, please close all other open programs, including any non-essential programs running in your System Tray (do NOT close your antivirus or firewall).

Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").

  • In the new window that opens, click the "Accept" button to accept the user agreement.
  • After the update finishes and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.

When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

 

Please restart your system, and post a new HijackThis log, the log from Kaspersky AntiVirus's on-line scan, the contents of OTMoveIt.txt, and in a second reply (due to length) the log from ComboFix (combofix.txt), and note any errors encountered.

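
An added example, not part of the thread and not code from HijackThis or OTMoveIt: the O20 line in the instructions above is the one worth understanding. AppInit_DLLs entries are loaded into every process that maps user32.dll, which is one way a single file ends up running inside many svchost.exe instances at once, and a library sitting in system32 with a .dat extension is the kind of entry a triage pass should raise on its own. The script below parses the HijackThis line format used throughout this thread (O4 Run entries, O20 AppInit_DLLs, O23 services) from a constructed excerpt of the posted log. One O4 line is hypothetical: the NGM.exe path appears in the thread, but no Run entry for it does; it is there so the profile-directory heuristic has something to hit. The heuristics and function names are mine, not HijackThis's own scoring.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis logs in this thread,
# plus one hypothetical O4 line for NGM.exe (path from the thread, Run entry is not).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NGM] "C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe"
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
LIBRARY_EXTS = (".dll", ".ocx")
# Autorun entries living under these are user-writable and a common drop location.
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass
class Finding:
    section: str
    path: str
    reason: str


def parse_entry(line):
    """Split one HijackThis line into (section, subtype, path); None if unhandled."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        return section, "AppInit_DLLs", body.split(":", 1)[1].strip()
    if section == "O23" and body.startswith("Service:"):
        # "Service: <display name> - <owner> - <image path>"
        parts = body[len("Service:"):].split(" - ")
        if len(parts) >= 3:
            return section, parts[1].strip(), parts[-1].strip()
    if section == "O4":
        # '[name] "quoted path" args'  or  '[name] path args'
        quoted = re.search(r'\]\s+"([^"]+)"', body)
        if quoted:
            return section, "Run", quoted.group(1)
        bare = re.search(r"\]\s+([A-Za-z]:\\.*?)(?:\s+[-/]\S*)*$", body)
        if bare:
            return section, "Run", bare.group(1)
    return None


def triage_hjt(log_text):
    """Apply a few triage heuristics to each parsed entry and return the findings."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, subtype, path = parsed
        lower = path.lower()
        if subtype == "AppInit_DLLs":
            # Loaded into every process that maps user32.dll; rarely used legitimately.
            reason = "AppInit_DLLs is set"
            if not lower.endswith(LIBRARY_EXTS):
                reason += "; loaded as a library but extension is not .dll/.ocx"
            findings.append(Finding(section, path, reason))
        elif section == "O4" and any(d in lower for d in PROFILE_DIRS):
            findings.append(Finding(section, path, "autorun from a user-writable profile directory"))
        elif section == "O23" and subtype.lower() == "unknown owner":
            findings.append(Finding(section, path, "service with no vendor string; verify the publisher"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.section}: {f.path} -> {f.reason}")
```

The "Unknown owner" flag is a prompt to check, not a verdict: DSBrokerService is Dell's support broker, and it stays flagged only because the log carries no vendor string for it. The AppInit_DLLs entry, by contrast, is what the helper asks HijackThis to fix, and the .dat extension on a file loaded as a library is what makes it stand out in a log that is otherwise ordinary.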

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat)

Error #5 - Invalid procedure call or argument

 

Please email me at merijn@spywareinfo.com, reporting the following:

* What you were trying to fix when the error occurred, if applicable

* How you can reproduce the error

* A complete HijackThis scan log, if possible

 

Windows version: Windows NT 5.01.2600

MSIE version: 6.0.2900.2180

HijackThis version: 1.99.1

 

This message has been copied to your clipboard.

Click OK to continue the rest of the scan.


That message could be from "fixing" the O20 item in Normal mode, which was probably fixed. Just continue with the instructions and post the requested logs please.


HijackThis

 

Logfile of HijackThis v1.99.1

Scan saved at 10:20:05 AM, on 6/21/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE

C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Documents and Settings\Joe Smith\My Documents\hijackthis\HijackThis.exe

 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [EPSON Stylus COLOR 480SXU] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P25 "EPSON Stylus COLOR 480SXU" /O6 "USB001" /M "Stylus COLOR 480SXU"

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab

O16 - DPF: {AA33C66F-71DB-43E9-B559-3CBE4398E9A9} (BugsGameStarts Class) - http://au.bugsgames.net/game/GBugsGameStart.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

 

Kaspersky AntiVirus

 

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Thursday, June 21, 2007 10:10:48 AM

Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.93.0

Kaspersky Anti-Virus database last update: 21/06/2007

Kaspersky Anti-Virus database records: 350106

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - My Computer:

C:\

 

Scan Statistics:

Total number of scanned objects: 87784

Number of viruses found: 3

Number of infected objects: 9

Number of suspicious objects: 0

Duration of the scan process: 01:02:16

 

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\Joe Smith\Application Data\Aim\whodamanwerd\cert8.db Object is locked skipped

C:\Documents and Settings\Joe Smith\Application Data\Aim\whodamanwerd\key3.db Object is locked skipped

C:\Documents and Settings\Joe Smith\Cookies\INDEX.DAT Object is locked skipped

C:\Documents and Settings\Joe Smith\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Joe Smith\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Joe Smith\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\Joe Smith\Local Settings\History\History.IE5\MSHist012007062120070622\index.dat Object is locked skipped

C:\Documents and Settings\Joe Smith\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Joe Smith\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Joe Smith\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\perfc000.dat.vir Infected: Backdoor.Win32.Small.os skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP886\A0149284.exe Infected: not-a-virus:Downloader.Win32.WinFixer.u skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP887\A0149451.exe Infected: not-a-virus:Downloader.Win32.WinFixer.u skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP888\A0149526.exe Infected: not-a-virus:Downloader.Win32.WinFixer.u skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP889\A0149565.exe Infected: not-a-virus:Downloader.Win32.WinFixer.u skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP891\A0149660.exe Infected: not-a-virus:Downloader.Win32.WinFixer.u skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP896\A0149944.exe Infected: not-a-virus:Downloader.Win32.WinFixer.u skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP905\A0153822.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP907\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped

C:\WINDOWS\SYSTEM32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\WIADEBUG.LOG Object is locked skipped

C:\WINDOWS\WIASERVC.LOG Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\_OTMoveIt\MovedFiles\WINDOWS\system32\perfc000.dat Infected: Backdoor.Win32.Small.os skipped

 

Scan process completed.

 

OTMoveIt

 

C:\WINDOWS\system32\perfc000.dat moved successfully.

File/Folder C:\WINDOWS\TGVlIENoaWFuZw not found.

C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe moved successfully.

 

Created on 06/21/2007 01:32:10


ComboFix

 

ComboFix 07-06-18.2 - C:\Documents and Settings\Joe Smith\Desktop\ComboFix.exe

"Joe Smith" - 2007-06-21 1:35:25 - Service Pack 2 NTFS

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\DOCUME~1\JOESMI~1\Desktop.\internet explorer.lnk

C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon

C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt

C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt

C:\WINDOWS\system32\drivers\fad.sys

C:\WINDOWS\system32\msxml3a.dll

C:\WINDOWS\system32\perfc000.dat

C:\WINDOWS\system32\sstem3~1

C:\WINDOWS\system32\wmvds32.dll

 

 

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

-------\LEGACY_CMDSERVICE

-------\LEGACY_NM

-------\LEGACY_NPF

-------\cmdService

-------\nm

 

 

((((((((((((((((((((((((( Files Created from 2007-05-21 to 2007-06-21 )))))))))))))))))))))))))))))))

 

 

2007-06-21 01:34 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-18 18:53 <DIR> d-------- C:\bintheredunthat

2007-06-18 18:16 <DIR> d-------- C:\BFU

2007-06-18 18:12 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys

2007-06-17 18:11 75,750 --a------ C:\WINDOWS\War3Unin.dat

2007-06-17 18:11 2,829 --a------ C:\WINDOWS\War3Unin.pif

2007-06-17 18:11 139,264 --a------ C:\WINDOWS\War3Unin.exe

2007-06-16 10:07 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan

2007-06-06 13:20 <DIR> d-------- C:\Program Files\Last.fm

2007-06-03 02:22 <DIR> d-------- C:\Program Files\Blocktrix

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-20 03:35:50 -------- d-----w C:\DOCUME~1\JOESMI~1\APPLIC~1\AdobeUM

2007-06-18 22:05:55 -------- d-----w C:\Program Files\ewido anti-spyware 4.0

2007-06-18 21:42:37 -------- d-----w C:\DOCUME~1\JOESMI~1\APPLIC~1\Azureus

2007-06-18 01:03:14 -------- d-----w C:\Program Files\Warcraft III

2007-06-17 22:06:52 -------- d-----w C:\DOCUME~1\JOESMI~1\APPLIC~1\Hamachi

2007-06-16 14:39:11 -------- d-----w C:\Program Files\QuickTime

2007-06-16 14:39:04 -------- d-----w C:\Program Files\NETGEAR WG311v2 Adapter

2007-06-16 14:28:51 -------- d-----w C:\Program Files\AIM

2007-06-16 14:28:01 -------- d-----w C:\Program Files\AC3Filter

2007-06-16 01:57:36 -------- d-----w C:\Program Files\Common Files\InstallShield

2007-06-16 01:57:22 -------- d-----w C:\Program Files\FirstClass

2007-06-12 00:52:00 -------- d-----w C:\Program Files\Windows Media Connect 2

2007-06-12 00:51:56 -------- d-----w C:\Program Files\DivX

2007-06-12 00:51:53 -------- d-----w C:\Program Files\Clavis

2007-05-31 01:56:50 -------- d-----w C:\DOCUME~1\JOESMI~1\APPLIC~1\MSN6

2007-05-30 08:50:00 -------- d-----w C:\Program Files\NJStar Chinese WP

2007-05-28 15:41:53 -------- d-----w C:\Program Files\Movie Maker

2007-05-27 18:03:33 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-05-22 13:45:57 -------- d-----w C:\Program Files\MAIET

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-04-30 21:32:45 -------- d-----w C:\DOCUME~1\JOESMI~1\APPLIC~1\DivX

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-04-15 22:09:18 10,646 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

2007-03-27 07:55:57 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe

2007-03-27 07:55:48 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll

2007-03-27 07:55:31 129,784 ------w C:\WINDOWS\system32\pxafs.dll

2007-03-27 07:55:31 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe

2007-03-27 07:55:31 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe

2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

2007-03-27 07:49:07 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll

2007-03-27 07:49:07 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll

2007-03-27 07:49:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll

2007-03-27 07:49:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll

2007-03-27 07:49:02 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll

2007-03-27 07:49:02 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll

2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll

2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll

2007-03-27 07:48:59 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll

2007-03-27 07:48:58 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll

2007-03-27 07:48:58 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll

2007-03-27 07:48:58 639,066 ----a-w C:\WINDOWS\system32\DivX.dll

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 14:22]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-10-03 21:53]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-02-15 17:04]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-10-29 11:01]

"EPSON Stylus COLOR 480SXU"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.exe" [2001-09-13 14:53]

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

 

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-21 01:50:19

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-06-21 1:53:38 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-06-21 01:53

 

--- E O F ---


I overlooked something very important.

You appear to not be running either an antivirus program or a software firewall (the XP SP2 firewall isn't sufficient protection; it only checks incoming data). That is an open invitation to infection these days. All you need to do to become infected is connect to the Internet. You don't even need to open a browser or actively access the Internet to become infected.

 

The first thing you should do at this point is to install an antivirus, update it, perform a full system scan, and remove anything found. If cost is an issue, try Avira AntiVir PersonalEdition Classic available at http://www.free-av.com, AVG Anti-Virus Free at http://free.grisoft.com/doc/2/lng/us/tpl/v5, or Free avast! 4 Home Edition at http://www.avast.com/eng/avast_4_home.html.

 

You should also install a software firewall. Two free firewalls are Sunbelt Kerio Personal Firewall available from http://www.sunbelt-software.com/Kerio.cfm and Zone Alarm from zonelabs.com http://www.zonelabs.com/store/content/comp...reeDownload.jsp. There is a tutorial on understanding firewalls at http://www.bleepingcomputer.com/forums/tutorial60.html.

 

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe that you downloaded to install the newest version.

After that, please post a new HijackThis log.

How is the system running now?


Hello,

 

My computer seems to be running fine. The CPU usage problem has disappeared. The only difference I see now is that the computer takes a bit longer to load during start-up, but I'm just guessing that it's a result of installing a firewall / anti-virus.

 

Also, just wondering - which of the programs that I have installed for scanning can I now get rid of?

 

Thanks,

whodamanwerd

 

HijackThis

 

Logfile of HijackThis v1.99.1

Scan saved at 8:00:54 PM, on 6/22/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Documents and Settings\Joe Smith\My Documents\hijackthis\HijackThis.exe

 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [EPSON Stylus COLOR 480SXU] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P25 "EPSON Stylus COLOR 480SXU" /O6 "USB001" /M "Stylus COLOR 480SXU"

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab

O16 - DPF: {AA33C66F-71DB-43E9-B559-3CBE4398E9A9} (BugsGameStarts Class) - http://au.bugsgames.net/game/GBugsGameStart.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

Edited by whodamanwerd

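The log above is what a helper reads by section (O2 browser helper objects, O4 autostart entries, O16 downloaded ActiveX controls, O18 protocol handlers, O23 services). As an added example, not part of this thread and not code from the HijackThis project, the following Python script parses lines in that format and applies a few defender-side heuristics to pick out entries worth a second look: a missing referenced file, a service with no recognised publisher, an autostart entry with no recoverable path, or a binary launched from a user profile or temp directory. The sample log is constructed for the example (most lines are copied from the log above; the `[Constructed]` O4 entry is made up to show a flagged path), and the heuristics are assumptions of this example, not HijackThis rules; a flagged entry only means "verify manually", as the helper did here.

```python
"""Triage a HijackThis-style log: parse the numbered 'Oxx - ...' entries and
apply a few simple defender-side heuristics to mark entries worth reviewing."""
import re
from dataclasses import dataclass, field

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path ending in .exe or .dll inside an entry body.
EXE_PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll))', re.IGNORECASE)
# Autostart binaries living here are unusual for installed software
# (heuristic assumption of this example, not a HijackThis rule).
SUSPICIOUS_DIRS = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")
# Sections whose entries should always name a file on disk.
FILE_BACKED_SECTIONS = ("O4", "O20", "O21", "O23")


@dataclass
class Entry:
    section: str
    body: str
    notes: list = field(default_factory=list)


def parse_hjt_log(text: str) -> list:
    """Return one Entry per 'Oxx - ...' line; process-list lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def review(entry: Entry) -> Entry:
    """Attach review notes to an entry; an empty notes list means nothing stood out."""
    body = entry.body
    if "(file missing)" in body:
        entry.notes.append("referenced file is missing (stale handler or removed component)")
    if entry.section == "O23" and "Unknown owner" in body:
        entry.notes.append("service has no recognised publisher; confirm the binary manually")
    if entry.section in FILE_BACKED_SECTIONS:
        m = EXE_PATH_RE.search(body)
        if m is None:
            entry.notes.append("no file path recovered; entry is truncated or pathless")
        elif any(d in m.group(1).lower() for d in SUSPICIOUS_DIRS):
            entry.notes.append("binary runs from a user-profile or temp directory")
    return entry


def triage(text: str) -> dict:
    """Map each flagged entry (its original line text) to its notes."""
    flagged = {}
    for e in (review(e) for e in parse_hjt_log(text)):
        if e.notes:
            flagged[f"{e.section} - {e.body}"] = e.notes
    return flagged


# Constructed sample: lines copied from the log above plus one made-up O4 entry.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Constructed] C:\Documents and Settings\Joe Smith\Local Settings\Temp\updater.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
"""

if __name__ == "__main__":
    for line, notes in triage(SAMPLE_LOG).items():
        print(line)
        for n in notes:
            print("   ->", n)
```

Running it on the sample flags four of the seven entries (the constructed temp-directory autostart, the msnim handler with its missing DLL, the truncated O20 line and the DellSupport service with an unknown owner) while the Adobe, QuickTime and Sunbelt entries pass silently; the point is to narrow what a human reads, not to decide for them.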

Your HijackThis log looks fine. :thumbsup:

 

which of the programs that I have installed for scanning can I now get rid of?

Open OTMoveIt and click the CleanUp! button on top.

In the left pane, it will display a list of tools and other related files which you may have downloaded/used during our cleanup along with backup folders that were created with the bad files present. They are not needed anymore, so OTMoveIt will delete them.

The program needs to download the list of tools, so if your firewall says that OTMoveIt is attempting to access the Internet, you need to allow it.

Do not edit anything in that Window!

Don't worry if it displays some tools you didn't download/use.

Click Yes when it asks to Begin cleanup process.

Then reboot your computer when finished.

 

Create a Restore Point

  • Go to Start > Programs > Accessories > System Tools > System Restore
  • Select Create a Restore Point and then Next.
  • In the box for "Restore point description", enter a descriptive name and press Create
  • When the "Restore Point Created" window appears, click Close

Run Disk Cleanup

  • Go to Start > Run and type the below line:
    cleanmgr
  • Click OK
    • If you have more than one drive, select the drive Windows is installed on
    • Click OK
  • When Disk Cleanup opens, select the More Options tab
  • In the System Restore section (bottom of window), click Cleanup
    • In the confirmation window that opens, click Yes
  • Now click on the Disk Cleanup tab and select the following items:
    • Downloaded Program Files
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  • Click OK
  • In the confirmation window, select Yes (Disk Cleanup will close).

There are several free utilities you can use to help keep malware off your system:

 

A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good regularly updated HOSTS file is MVPS HOSTS File, available at http://www.mvps.org/winhelp2002/hosts.htm.

 

IE/SPYAD adds sites associated with ads and spyware to your Internet Restricted Zone and you can download that at http://www.spywarewarrior.com/uiuc/resource.htm.

 

A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster. For real-time protection, there is SpywareGuard. Both are available at http://www.javacoolsoftware.com/products.html.

 

I recommend reading Tony Klein's article So How did I get Infected in the First Place? at http://forums.spywareinfo.com/index.php?showtopic=60955

 

Does your problem appear resolved?


Hey TheJoker,

 

My computer is running great! Everything seems to be working like it was before. Thanks for helping me clean up my system - it's been a while since I've done so. And thanks for all the programs.

 

- whodamanwerd


Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

This topic is now closed to further replies.