newsatten

SMARTSECURITY

13 posts in this topic

greetings.

 

desktop background has been taken over by SMARTSECURITY.

http://www.smart-security.info/main.html

hijacked desktop screen reads: "WARNING! You're In Danger!" etc.

 

i have been unsuccessful in attempts to remove infection via Ad-aware and Spybot-S&D.

at the time of infection, i was running AntiVir [http://www.free-av.com],

and, although it did not protect, it did provide the following information --

C:\WINDOWS\Hosts

The Trojan horse TR/StartPage.IG.1

 

additionally, Microsoft Internet Explorer Homepage has been hijacked to --

"C:\WINDOWS\secure.html"

and, computer has slowed considerably, showing 100% CPU Usage

while i am not even actively doing anything.

 

much kind thanks in advance for your help in this matter...

newsatten.

here is the HijackThis logfile --

Logfile of HijackThis v1.97.7

Scan saved at 12:54:58 PM, on 6/15/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVPersonal\AVWUPSRV.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\AVPersonal\AVGNT.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\mstasks2.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\RealUpdater.Exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Documents and Settings\Scott Zimmerman\Application Data\atoo.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Scott Zimmerman\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [KITCO] C:\Program Files\Kitco\Kcast\Kcast

O4 - HKCU\..\Run: [RealOne Player Update Sheduler] C:\WINDOWS\System32\RealUpdater.Exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [snls] C:\Documents and Settings\Scott Zimmerman\Application Data\atoo.exe

O4 - Startup: VirtuaGirl2.lnk = C:\Program Files\Vg\VirtuaGirl2.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

one final comment --

 

after infection occurred, first time i ran HijackThis, i deleted files ending in --

"Start Page = C:\WINDOWS\secure.html"

and

"Main,Default_Page_URL = C:\WINDOWS\secure.html"

however these files had returned upon subsequent HijackThis scan.

 

again, BIG THANKS for your help here...

newsatten.

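The log above is what the later replies work from, so here is a small triage script for it. This is an added example, not code from the thread, from HijackThis or from SpywareInfo: it reads HijackThis 1.x entry lines (R0/R1, O2, O3, O4) and flags the three patterns that turn out to matter in this case: a start/default page that is a file on disk instead of a URL, an unnamed browser add-on whose DLL lives under the Windows directory, and an autostart entry that runs from a user profile or Temp folder or from the Windows root. The sample lines are a constructed subset of the first log; the rules are heuristics and assume Windows is installed at C:\WINDOWS as it is in that log.

```python
"""Triage of HijackThis 1.x log entries (added example, not HijackThis code).

Heuristics, drawn from the entries discussed in this thread; each finding is
something to look at, not a verdict:
  * an R0/R1 start, default or local page that is a file on disk rather
    than a URL (the secure.html hijack);
  * an O2/O3 add-on with "(no name)" whose DLL sits under the Windows
    directory instead of under Program Files;
  * an O4 autostart whose executable lives in a user profile / Temp folder
    or directly in the Windows root.
Assumes Windows is installed at <drive>:\WINDOWS, as in the logs above.
"""
import ntpath
import re

# Constructed sample: a subset of the lines from the first log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKCU\..\Run: [snls] C:\Documents and Settings\Scott Zimmerman\Application Data\atoo.exe
"""

# Entry formats as HijackThis 1.97 prints them.
R_ENTRY = re.compile(r"^R[01] - (?P<key>.+?),(?P<name>[^=]+?) = (?P<value>.*)$")
ADDON_ENTRY = re.compile(r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RUN_ENTRY = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_ENTRY = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.+)$")

LOCAL_FILE = re.compile(r"^[a-z]:\\", re.I)                    # drive letter, not http://
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)          # anywhere under C:\WINDOWS
WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)  # directly in C:\WINDOWS
PROFILE_DIR = re.compile(r"\\(documents and settings|application data|temp)\\", re.I)


def exe_path(cmd):
    """Pull the file actually loaded out of an O4 command line."""
    cmd = cmd.strip()
    m = re.match(r'^"([^"]+)"', cmd)                                  # "quoted path" args
    if m:
        return m.group(1)
    m = re.match(r"^rundll32(?:\.exe)?\s+(.+?)(?:,|$)", cmd, re.I)    # rundll32 dll,Entry
    if m:
        return m.group(1)
    m = re.match(r"^(.+?\.(?:exe|dll|ocx|lnk))(?:\s|$)", cmd, re.I)   # path, then switches
    if m:
        return m.group(1)
    return cmd


def triage(log_text):
    """Return a list of (entry line, reason) pairs for entries worth a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := R_ENTRY.match(line):
            value = m.group("value").strip()
            # blank.htm is IE's stock Local Page; any other local file is odd.
            if LOCAL_FILE.match(value) and ntpath.basename(value).lower() != "blank.htm":
                findings.append((line, f"{m.group('name').strip()} is a local file, not a URL"))
        elif m := ADDON_ENTRY.match(line):
            if m.group("name") == "(no name)" and WINDOWS_DIR.match(m.group("path").strip()):
                findings.append((line, "unnamed browser add-on loaded from the Windows directory"))
        elif m := (RUN_ENTRY.match(line) or STARTUP_ENTRY.match(line)):
            path = exe_path(m.group("cmd"))
            if PROFILE_DIR.search(path):
                findings.append((line, "autostart runs from a user profile or Temp folder"))
            if WINDOWS_ROOT.match(path):
                findings.append((line, "autostart runs a file dropped directly in the Windows root"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {entry}")
```

On the sample it reports the two secure.html page entries, mstasks2.exe in the Windows root and atoo.exe under Application Data, and stays quiet about the Google toolbar, QuickTime and the NVIDIA rundll32 entry. The "(no name)" rule would not catch the named "Search" toolbar in the second log, which shares stlbclick.dll with an unnamed BHO; grouping add-on entries by DLL path is the natural next refinement.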

TheTechGuide Forum - smartsecurity

http://www.thetechguide.com/forum/index.php?showtopic=10600

 

one post notes that they [presumably SmartSecurity] say infection can be removed via --

"C:\desktop.exe /r"

though post then notes that this does not work.

 

another post notes

1. right-click on desktop [at the very top of monitor screen so as to circumvent the dead end effect of right-clicking directly on the SmartSecurity black desktop]

2. select "Properties" -- which brings up the "Display Properties" dialogue box

3. select "Desktop" tab

4. click "Customize Desktop..." button at lower left

5. select "Web" tab

6. uncheck the "Security" box located in the "Web pages:" field

SmartSecurity effectively takes its "Warning" Webpage and displays it on your desktop. [older versions of Microsoft Windows referred to this as "Active Desktop".] the six steps above remove this "Warning" Webpage from desktop.

this post concludes: "if anyone has any more ideas, or questions, email freehlp@hawaii.com"

 

i myself ["newsatten"] highlighted/selected the "Security" item in the "Web pages:" field and deleted it via the "Delete" button at middle right.

 

 

however, Internet Explorer Homepage is still hijacked by "C:\WINDOWS\secure.html"

[if "Home" icon of IE is clicked on, adult site is brought up, even after just resetting "Homepage". i have attempted to clean out "Temporary Internet Files" folder several times though it continues to repopulate with unwanted items.]

 

and, computer is running extremely slow -- CPU Usage is at 100% even without running any Applications. your attention to this would also be considerably appreciated.

 

again, kind thanks to your consideration here... very much thanks... i will definitely make donation to this website...

newsatten.


You have a Coolwebsearch infection. Download and Run Cwshredder:

http://www.spywareinfo.com/~merijn/files/CWShredder.exe

When the program starts choose fix which is at the bottom right hand corner of the window. Let the shredder do its work.

 

Restart the computer and post a new log.


greetings Archon Wing

and much thanks for your help thus far...

this Coolwebsearch is some nasty stuff... amazing that its activity isn't illegal...?

HijackThis Logfile is at bottom following questions...

 

after running CWShredder per your instructions, computer was still running extremely slow...

i "determined" that it was "mstasks2.exe" slowing down system, using "99" CPU on "Processes" tab of "Windows Task Manager", so i selected "mstasks2.exe" and clicked "End Process" button...

i also deleted the

"O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u"

entry of HJT Logfile [and hopefully this was the correct thing to do]

though this item is still listed below in HJT Logfile

[as i initially ran HJT scan and saved Logfile, then ran scan a second time and deleted it from this second scan... below is the first Logfile]

QUESTIONS:

1.) was this correct action to delete this line from HJT Logfile...?

2.) what does "mstasks2.exe" do that uses up so much CPU...?

3.) can this item still be lurking somewhere on computer...?

 

ADDITIONAL COMMENTS & QUESTIONS:

4.)

unwanted new search toolbar has been installed...

when i click "Go" button of this search toolbar,

"Status Bar" at bottom of window shows: "http://www.quickcrawler.com"

which then pulls up "http://search.startium.com"

[startium - Blazing Speed. No Ads. Start here http://www.startium.com/index.php]

how do i get rid of this search toolbar permanently...?

[i checked "Add or Remove Programs" in "Control Panel" and did not find anything that i thought might be it...? however, i do notice "Lycos", "ClockSync" and "Power Scan" folders in "Program Files" folder that i do not believe were previously there... all of these folders show zero objects except for the "Lycos" folder which contains a "Sidesearch" folder that also shows zero objects... thoughts...?]

5.)

when i attempt to log in [user name & password] to a website that i have subscription to, i get an Internet Explorer error message that says:

"Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience."

"Error report:" includes --

Error signature:

AppName: iexplore.exe

AppVer: 6.0.2800.1106

ModName: unknown

ModVer: 0.0.0.0

Offset: 6d5a6d5a

when i click "Don't Send" Error Report button, IE window just closes... any ideas...?

6.)

any opinion on Antivir [http://www.free-av.com/]...?

7.)

is it necessary to use "Safe" mode for any of this entire disinfecting process...?

I've been reading many other posts on Spywareinfo...

specifically, two posts addressed by PGPhantom mention using "Safe" mode --

-- Windows XP running VERY slow 100% CPU usage (From SWI Forums)

-- http://www.spywareinfoforum.com/index.php?act=ST&f=18&t=7198

-- and

-- CPU usage 100% anytime, wat's wrong??????? (From SWI Forums)

-- http://www.spywareinfoforum.com/index.php?act=ST&f=18&t=6609

8.)

would using a Proxy Server have prevented me from getting this Coolwebsearch infection...? any suggestions of one, or would you not recommend using such...?

any merit to program "Anonymizer" [http://www.anonymizer.com/index.cgi]...?

9.)

is it possible that due to this Coolwebsearch infection another source currently has access to my computer and can "lift" password information and such...?

 

THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU!!!!!

i WILL make donation via Paypal to both this site and to merijn, though first want to clarify my question # 9 above...

again, VERY KIND THANKS... this site is a blessing...

newsatten...

Logfile of HijackThis v1.97.7

Scan saved at 8:06:07 PM, on 6/15/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\AVPersonal\AVGUARD.EXE

C:\Program Files\AVPersonal\AVWUPSRV.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\uptodate.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\mstasks2.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\RealUpdater.Exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Documents and Settings\Scott Zimmerman\Application Data\atoo.exe

C:\Documents and Settings\Scott Zimmerman\Desktop\HijackThis.exe

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll

O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbclick.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbclick.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\STLBCL~1.DLL,DllRunMain

O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe

O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer

O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [KITCO] C:\Program Files\Kitco\Kcast\Kcast

O4 - HKCU\..\Run: [RealOne Player Update Sheduler] C:\WINDOWS\System32\RealUpdater.Exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [snls] C:\Documents and Settings\Scott Zimmerman\Application Data\atoo.exe

O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe

O4 - Startup: VirtuaGirl2.lnk = C:\Program Files\Vg\VirtuaGirl2.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)


addendum to my previous message:

 

regarding the AppName of my comment/question # 5 --

did search for "iexplore"...

 

IEXPLORE [Application -- C:\Program Files\Internet Explorer]

iexplore [Compiled HTML Help file -- C:\WINDOWS\Help]

iexplore.chw [CHW File -- C:\WINDOWS\Help]

iexplore [Help File -- C:\WINDOWS\Help]

IEXPLORE.EXE-145A81D9.pf [PF File -- C:\WINDOWS\Prefetch]

IEXPLORE.EXE-27122324.pf [PF File -- C:\WINDOWS\Prefetch]

 

first PF File created two days ago at time of infection

second PF File created today an hour ago

 

?

thanks


addendum to my previous two content messages:

 

 

several more "citings" per AntiVir [http://www.free-av.com/]:

 

 

C:\DOCUME~1\SCOTTZ~\LOCALS~1\TEMP\PS_INSTALL-MT.EXE

The Trojan horse TR/Scapur.A

 

C:\DOCUME~1\SCOTTZ~1\LOCALS~1\TEMP\PS_INSTALL-MT.EXE

The Trojan horse TR/Scapur.A

 

C:\SYSTEM VOLUME INFORMATION\_RESTORE{B179B810-074F-4F76-B82B-07134571B4AE}\RP194\A0074617.EXE

The Trojan horse TR/Scapur.A

 

 

continuing much thanks...

newsatten.


You can select the following entries listed below in Hijack This. Then, close all other windows besides Hijack This and click fix checked

Note: If something goes wrong you can undo the changes done by Hijack This. Go to the bottom right hand corner of Hijack This and click on Config. Then choose Backups. There you can reverse any changes you made.

 

O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll

-BrowserAid/FeaturedResults (MSIEFR40.DLL)

 

O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbclick.dll

 

O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbclick.dll

 

O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe

 

O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\STLBCL~1.DLL,DllRunMain

 

O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer

O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u

 

O4 - HKCU\..\Run: [snls] C:\Documents and Settings\Scott Zimmerman\Application Data\atoo.exe

 

O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe

O4 - Startup: VirtuaGirl2.lnk = C:\Program Files\Vg\VirtuaGirl2.exe

 

Unhide hidden files and folders. Check this out if you don't know how. http://www.xtra.co.nz/help/0,,4155-1916458,00.html

 

Restart the computer and delete if found:

C:\WINDOWS\uptodate.exe <<< FILE

C:\Documents and Settings\Scott Zimmerman\Application Data\atoo.exe <<< FILE

C:\WINDOWS\System32\wnsintsv.exe <<<< FILE

 

Post a new log when done.

Edited by Archon_Wing


Archon_Wing...

 

kind thanks for your help in particular and for this website... followed your HijackThis instructions... ran search for ".exe" files you listed and deleted related files... files did not end in ".exe" but were the same names etc... new HijackThis Logfile follows...

 

if it is possible, i would really appreciate if you would email me and i will not take up much of your time... just had a few questions regarding antivirus software/programs and running scans that do not repair archive/archives files [files in archive/archives folders ?!]... i do not know if this request is against spywareinfo protocol [or even just in poor taste/bad manners]... if either is the case i certainly do apologize... i did read article/section on spywareinfo website regarding steps to take to prevent future infection, just have a few specific questions...

 

either way, i am very appreciative for your help thusfar and will make donations/contributions... also, if you care for a book/cd/whatever on Amazon, i will send to you...

 

cheers...

newsatten.

Logfile of HijackThis v1.97.7

Scan saved at 9:59:56 PM, on 6/24/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\AVPersonal\AVGNT.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\RealUpdater.Exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\AVPersonal\AVGUARD.EXE

C:\Program Files\AVPersonal\AVWUPSRV.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Scott Zimmerman\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.briefing.com/Platinum/InDepth/InPlay.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [KITCO] C:\Program Files\Kitco\Kcast\Kcast

O4 - HKCU\..\Run: [RealOne Player Update Sheduler] C:\WINDOWS\System32\RealUpdater.Exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

 

one last thing... when i attempted to add this reply and click "Add Reply" button, Microsoft IE prompted error dialogue box that it needed to shut down... anyway, perhaps just heavy internet traffic or should i be concerned...? so, i post this from another computer...

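Archon_Wing's fix list and the new log posted after it are the kind of before/after pair a helper checks by eye; the following script does the same comparison mechanically. It is an added example, not code from the thread or from HijackThis: it parses two HijackThis logs into their process list and entry lines, reports what disappeared and what appeared between them, and confirms that none of the entries on the fix list survive in the newer log. The three embedded texts are constructed excerpts of the 6/15 8:06 PM log, the 6/24 log and the fix list above; comparison is case-insensitive because Windows paths and registry names are.

```python
"""Diff two HijackThis logs and verify a cleanup list against the newer one.

Added example; this is not HijackThis or forum code. BEFORE_LOG and AFTER_LOG
are constructed excerpts of the 6/15 8:06 PM and 6/24 logs in this thread,
and FIX_LIST is an excerpt of the entries Archon_Wing asked to have fixed.
"""
import re

ENTRY = re.compile(r"^[RO]\d+ - ")  # R0/R1/O2/O3/O4/... HijackThis entry lines

BEFORE_LOG = r"""
Logfile of HijackThis v1.97.7
Scan saved at 8:06:07 PM, on 6/15/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\uptodate.exe
C:\WINDOWS\mstasks2.exe
C:\Documents and Settings\Scott Zimmerman\Application Data\atoo.exe

O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbclick.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbclick.dll
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKCU\..\Run: [snls] C:\Documents and Settings\Scott Zimmerman\Application Data\atoo.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe
O4 - Startup: VirtuaGirl2.lnk = C:\Program Files\Vg\VirtuaGirl2.exe
"""

AFTER_LOG = r"""
Logfile of HijackThis v1.97.7
Scan saved at 9:59:56 PM, on 6/24/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.briefing.com/Platinum/InDepth/InPlay.htm
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
"""

FIX_LIST = r"""
O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbclick.dll
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbclick.dll
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKCU\..\Run: [snls] C:\Documents and Settings\Scott Zimmerman\Application Data\atoo.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe
O4 - Startup: VirtuaGirl2.lnk = C:\Program Files\Vg\VirtuaGirl2.exe
"""


def norm(line):
    """Collapse whitespace and case so equivalent lines compare equal."""
    return " ".join(line.split()).lower()


def parse_log(text):
    """Return {'processes': set, 'entries': set} of normalised lines."""
    processes, entries = set(), set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False            # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if ENTRY.match(line):
            in_processes = False
            entries.add(norm(line))
        elif in_processes:
            processes.add(norm(line))
    return {"processes": processes, "entries": entries}


def diff_logs(before_text, after_text):
    """What vanished and what appeared between two scans, per section."""
    before, after = parse_log(before_text), parse_log(after_text)
    return {
        "removed_entries": sorted(before["entries"] - after["entries"]),
        "added_entries": sorted(after["entries"] - before["entries"]),
        "removed_processes": sorted(before["processes"] - after["processes"]),
        "added_processes": sorted(after["processes"] - before["processes"]),
    }


def still_present(fix_list_text, log_text):
    """Entries from a helper's fix list that still appear in a log."""
    wanted = {norm(l) for l in fix_list_text.splitlines() if ENTRY.match(l.strip())}
    return sorted(wanted & parse_log(log_text)["entries"])


if __name__ == "__main__":
    for section, lines in diff_logs(BEFORE_LOG, AFTER_LOG).items():
        print(f"{section} ({len(lines)}):")
        for line in lines:
            print("   ", line)
    print("fix-list entries still present:", still_present(FIX_LIST, AFTER_LOG) or "none")
```

Against these excerpts the diff lists the eight entries and three processes that went away, the two entries (the restored Start Page and the AntiVir guard) and one process that are new, and an empty "still present" list, which is the mechanical version of "your log looks clean". Running it against the before log instead returns all eight fix-list entries, which is the quick way to confirm the list was transcribed correctly before asking someone to fix it.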

If you have any other questions, I think you're better off posting it in this forum or ask in the chat room (Instructions found in my signatures). I'm not one to check email that often and believe it or not, I don't know everything. :rofl:

 

But, most virus scans have the option of enabling/disabling scanning archive files. That affects whether they get fixed or not.

 

Your log looks clean. Take care!
