Jump to content


Photo

Spywareinfo blocked! Popups and IE blocking


  • Please log in to reply
13 replies to this topic

#1 Bryan2

Bryan2

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 01 May 2007 - 08:16 PM

Hi,
I have adverts popping up on my laptop whenever I use IE6 on my laptop.
I'm useing Windows XP

A sample of addy's as follows

hxxp://www.globe7.com/gg.php?refcode=PayPOP

hxxp://au.sso.dada.net/splash/specialoffer_au12.html

hxxp://serving.adsrevenue.clicksor.net/serving/links_net.php?t=network&pnid=2&npid=mediaplan&nsid=62655&sid=12826&pid=9874&ref=http%3A%2F%2Fgest.ivefound.com%2Fcont%2F_paypopup%2Fpop.htm&memkey=9adc82d55826fcefc17de8af0a09f802&qp=%60%5E%25%22.%FD%21%29%21%21%7D4%7E%21%28+%FE&sid=12826&pid=9874&status=&nid=2&durl=http%3A//popunder.adsrevenue.net/links.php%3Fdata%3DrSe_2%252F%25FE%252F2%25253+%252A%252F%2527%2524S%255C7bcNa%255BejKf+hsLa%255E24%257B.%252F%252A%2524%255Ea%255E2%252F%25FE%252F2%25253+%252A%252F%2527%26id%3Dmediaplan%26subid%3D62655%26tid%3D1178056252%26clater%3D%26m%3D75%26o%3D1%26c%3D1%26a%3D65535%26q%3D6%26s%3D%253C%253D%26ah%3D10%26al%3D0%26l%3Denglish%26campaign%3D%26rurl%3D%26serverfile%3Dpaypopup%26ref%3Dhttp%253A//gest.ivefound.com/cont/_paypopup/pop.htm%26os%3DW1%26bs%3DI2%26isframe%3Dfalse%26bk%3D1%26serverfile%3Dpopnetwork&bk=1

hxxp://www.partypoker.com/marketing/cm.htm?wm=2819465

hxxp://www.partypoker.com/

hxxp://www.888.com/?page=cash_stash?lang=en

hxxp://adfarm.mediaplex.com/ad/ck/48232?zz...lid=os&mpt=[CACHEBUSTER]

links disabled, do not post clickable bad links - because we don't want anyone to click them Edit - Sorry - End edit

Adfarm??? Do we have "legit" business's hiring out their services to hijack computers?

Mostly they're advertising online gambling with Party Poker being the most popular. Most of the addy's above come from pages that didn't open so they could be anything.

I've run Ad-aware, Ewido/AVG, Spybot S&D, Kaspersky and Hijack This with mixed success. Reports following.

The system only seems to be sluggish when it tries to load a page that isn't going to load. Otherwise there may be a little more "Program not responding" than usual. Entirely subjective however.

I don't understand these reports to be sure what I'm looking at.
Doubleclick
Netflame
Byteverify
Classloader
I see you've got some new pinned pages since I was here last so I'll go read'em and see what I can learn.

After running HJT, I fixed o17 which seemed to wipe my DNS server addy's. I couldn't connect to anything. After I rewrote them, I could get Google and most sites it found, but I couldn't access any sites in favourites.
So I googled spywareinfo but it wouldn't open on the laptop. Though it would open when I did the same on the desktop which isn't infected. So your site wasn't down. It was in my machine.

That was yesterday. Today nothing will open in IE or Mozilla and o17 in the HJT report has re-established itself. And Window Washer has a pop-up saying internal error, consult wash log and to contact Web Root???

So I can no longer access this site through my computer.

Thanks in advance for any help you can give. :love:

(EDIT -

Seek and ye shall find. Just finished the HJT tutorial and realised the IP in o17 is my addy. Duuhhh! Explains a bit.

What is worrying is while there's a few things I don't want, there isn't anything leaping out as a trojan. These two I can't find.
O4 - HKLM\..\Run: [Registry Toolkit] C:\Program Files\Registry Toolkit\RegToolkit.exe /scan
O4 - HKLM\..\Run: [IPO3] "C:\Program Files\LG Software\IP Operator 2005\IP Operator 2005.exe" -aUtOsTaRtFrOmReG
Reg Tool kit is in Program files where it should be and not in sys32 where the trojan usually is and the other one looks for all the world like it came from LG.
Question? Why can't either be found in any of the three Startup search tools offered in the HJT tutorial?????

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
What's this?? Is this MSoft research? Spyware?

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

Anything to do with MS messenger I'm happy to lose.

O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec.../ols3/fscax.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwa...uditControl.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100

F secure dot com is a site I've never seen before - have you heard of it?
Content watch dot com, same story. Net Nanny.
Secure log me in has probably come thru any number of sites that require login.
-END EDIT)

Here's the reports.

Logfile of HijackThis v1.99.1
Scan saved at 16:44, on 07-04-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\LG Software\IP Operator 2005\IP Operator 2005.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MP3 CD Extractor\CD-Extractor.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bryans\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Registry Toolkit] C:\Program Files\Registry Toolkit\RegToolkit.exe /scan
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IPO3] "C:\Program Files\LG Software\IP Operator 2005\IP Operator 2005.exe" -aUtOsTaRtFrOmReG
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MP3 CD Extractor] "C:\Program Files\MP3 CD Extractor\CD-Extractor.exe" hmw
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Bryans"
O4 - Startup: Show Zoho CRM.lnk = C:\AdventNet\ZohoCRM\bin\zohocrm_tray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://flex.afgonline.com.au
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {253A9D23-F982-11D4-8BE4-00D0B7E61414} (SiebelHTMLApplication Class) - http://flex.afgonlin.../siebelhtml.cab
O16 - DPF: {68CDB19A-6305-4589-8C35-41E3502CD451} (Siebel Option Pack for IE 7.5.3) - http://flex.afgonlin...lOptionPack.cab
O16 - DPF: {8F4F3368-54CA-4268-8225-0F4367472CF4} (MailClient Class) - http://flex.afgonlin...tMailClient.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec.../ols3/fscax.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwa...uditControl.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9757187-3C80-430A-81CB-5920DB8FEDBB}: NameServer = 192.168.0.1,192.189.54.33
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - C:\Program Files\DynDNS Updater\DynDNS.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe


ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________


Name: TrackingCookie.Doubleclick
Path: C:\Documents and Settings\Bryans\Cookies\bryans@doubleclick[1].txt
Risk: Medium

Name: TrackingCookie.Hitbox
Path: C:\Documents and Settings\Bryans\Cookies\bryans@ehg-kasperskylab.hitbox[2].txt
Risk: Medium

Name: TrackingCookie.Hitbox
Path: C:\Documents and Settings\Bryans\Cookies\bryans@hitbox[2].txt
Risk: Medium

Name: TrackingCookie.Netflame
Path: C:\Documents and Settings\Bryans\Cookies\bryans@ssl-hints.netflame[1].txt
Risk: Medium

Name: Not-A-Virus.Exploit.ByteVerify
Path: C:\Documents and Settings\Bryans\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-4e6d4599.zip/Gummy.class
Risk: Low

Name: Trojan.ClassLoader.k
Path: C:\Documents and Settings\Bryans\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-4e6d4599.zip/Beyond.class
Risk: High


KASPERSKY ONLINE SCANNER REPORT
07-04-30 14:09
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 30/04/2007
Kaspersky Anti-Virus database records: 307356


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 48268
Number of viruses found 1
Number of infected objects 2
Number of suspicious objects 0
Duration of the scan process 00:46:38

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-04-30_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\Bryan Scandrett\Local Settings\Temporary Internet Files\AntiPhishing\07FB382D-AA75-4683-82F4-EAB265A275CB.dat Object is locked skipped

C:\Documents and Settings\Bryans\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-4e6d4599.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped

C:\Documents and Settings\Bryans\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-4e6d4599.zip ZIP: infected - 1 skipped

C:\Documents and Settings\Bryans\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\Microsoft\Business Contact Manager\BusinessContactManager.ldf Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\Microsoft\Business Contact Manager\BusinessContactManager.mdf Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\History\History.IE5\MSHist012007043020070501\index.dat Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Temp\hpodvd09.log Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Temp\IDSinst.LOG Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Temp\~DF94E3.tmp Object is locked skipped

C:\Documents and Settings\Bryans\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Bryans\ntuser.dat Object is locked skipped

C:\Documents and Settings\Bryans\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\bryanscrm\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\bryanscrm\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Fiona Scandrett\Local Settings\Temporary Internet Files\AntiPhishing\07FB382D-AA75-4683-82F4-EAB265A275CB.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\postgres\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\postgres\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\postgres.OFFICE\Local Settings\Temporary Internet Files\AntiPhishing\07FB382D-AA75-4683-82F4-EAB265A275CB.dat Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\master.mdf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\mastlog.ldf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\model.mdf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\modellog.ldf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\tempdb.mdf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\templog.ldf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\LOG\ERRORLOG Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{07C888CE-636F-47B9-BA61-169539C651AB}\RP537\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_258.dat Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_c0.dat Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Edited by Bryan2, 02 May 2007 - 08:55 PM.


#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,521 posts

Posted 04 May 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,325 posts

Posted 06 May 2007 - 09:02 AM

Hi Bryan2, and Welcome to SWI

Sorry it has taken so long to get to you, but the board has been very busy lately, and all the Helpers here are volunteers.

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier.

I don't see anything suspicious in your log, so we will have to hunt for it.

Your scan showed one of more viruses in your Sun Java Runtime Environment (JRE) cache. Delete those by clearing the JRE cache.
To clear the Java Runtime Environment (JRE) cache:
  • Click Start > Control Panel.
  • Double-click the Java icon in the control panel.
    -The Java Control Panel appears.
  • Click Settings under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click Delete Files.
    -The Delete Temporary Files dialog box appears.
    -There are three options on this window to clear the cache.
    • Delete Files
    • View Applications
    • View Applets
  • Click OK on Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click OK on Temporary Files Settings window.
  • Close the Java Control Panel
You can view those instructions along with graphics Here

Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Your installed version of Ewido Anti-Virus is outdated. The current version is named AVG Anti-Spyware. I recommend you uninstall the old version, and install the current version. All current licenses for ewido anti-spyware 4.0 will continue to be valid, and users can change over to the new AVG Anti-Spyware 7.5 for free. You can find more information here:
http://www.ewido.net/en/download/

After you uninstall the outdated version, download AVG Anti-Spyware from HERE and save that file to your desktop.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update".
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
  • Run a complete system scan with AVG Anti-Spyware.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware
Download ComboFix© by sUBs from one of these links:
http://download.blee...Bs/ComboFix.exe
http://www.techsuppo...Bs/ComboFix.exe
Save the file to your Desktop.
Double click combofix.exe & follow the prompts.
Don't click on the ComboFix window while its running; that could cause it to stall.
When finished, and after reboot, it should open a log, combofix.txt.
Post that log in your next reply.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe that you downloaded to install the newest version.
Please post a new HijackThis log, the log from AVG Anti-Spyware, and in a second reply (due to length) the log from ComboFix (combofix.txt), and note any errors encountered.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#4 Bryan2

Bryan2

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 07 May 2007 - 06:52 PM

Hi Joker,

"Sorry it has taken so long to get to you, but the board has been very busy lately, and all the Helpers here are volunteers"

Please don't mention the wait, you guys have nothing to apologise for. I'd be here a lot longer without you.
Thanks a million.

Having a bit of trouble carrying out your instructions I'm afraid.

I'm posting on the desk top as it's the laptop that's infected and my browsers aren't functioning properly.
I'm getting "Server not found" or "Page cannot be displayed" mesages when trying to connect to some pages.
It's a sometimely thing in that I get my home page, Google, but then can't get the links to open. Some times I can and sometimes I can't.
In cases where I get on to a page such as Sun Java, I'll get as far as the download button and the download window won't open. It seems that all downloads definately won't open.
I had a popup from Mozilla advising of an update but it wouldn't open either.
When I open the wireless network properties and go to IP properties, all the IP addy's are there and correct.

Google opens on the home page AFTER cleaning the cache so it's reloading off the net.

In your instructions, I'm up to Installing AVG antispyware. I can't load that or the latest version of combofix or update Java. Ewido is uninstalled.
I have ComboFix V6.9.21.0 already installed so I'll give you a log for that.

I also have AVG Anti-Virus Free edition running. Closing the control centre doesn't seem to help the browser problem. I ran a manual test from that but it reported no threats found. Short of a print screen image, I have no idea how to get a log out of it to post for you.

Any ideas on what to do?

Thanks, Bryan
PS, What does "Warn 0%" mean?

(EDIT)
By using a shared folder I got AVG Anti spyware AND ComboFix (latest version) loaded and run on the LT.
The logs are posted in a second reply. AVG found nothing again.
I'm now going to try and get Java across.
(END EDIT)

(SECOND EDIT)
That was easy. Java reloaded. HJT and AVG in this post. ComboFix log in a second post.
Still can't open SWI forums on LT in IE or Mozilla
(END EDIT)




AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:22 07-05-08

+ Scan result:



Nothing found.


::Report end





Logfile of HijackThis v1.99.1
Scan saved at 13:20, on 07-05-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\LG Software\IP Operator 2005\IP Operator 2005.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MP3 CD Extractor\CD-Extractor.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Bryans\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Registry Toolkit] C:\Program Files\Registry Toolkit\RegToolkit.exe /scan
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IPO3] "C:\Program Files\LG Software\IP Operator 2005\IP Operator 2005.exe" -aUtOsTaRtFrOmReG
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MP3 CD Extractor] "C:\Program Files\MP3 CD Extractor\CD-Extractor.exe" hmw
O4 - Startup: Show Zoho CRM.lnk = C:\AdventNet\ZohoCRM\bin\zohocrm_tray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://flex.afgonline.com.au
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {253A9D23-F982-11D4-8BE4-00D0B7E61414} (SiebelHTMLApplication Class) - http://flex.afgonlin.../siebelhtml.cab
O16 - DPF: {68CDB19A-6305-4589-8C35-41E3502CD451} (Siebel Option Pack for IE 7.5.3) - http://flex.afgonlin...lOptionPack.cab
O16 - DPF: {8F4F3368-54CA-4268-8225-0F4367472CF4} (MailClient Class) - http://flex.afgonlin...tMailClient.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec.../ols3/fscax.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwa...uditControl.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9757187-3C80-430A-81CB-5920DB8FEDBB}: NameServer = 192.168.54.1,192.189.54.33
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - C:\Program Files\DynDNS Updater\DynDNS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

Edited by Bryan2, 07 May 2007 - 10:26 PM.


#5 Bryan2

Bryan2

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 07 May 2007 - 10:28 PM

Hi Joker

Here's the ComboFix Log.


"Bryans" - 2007-05-08 12:40:11 Service Pack 2
ComboFix 07-05.07.3.V - Running from: "C:\Documents and Settings\Bryans\My Documents\Backup folder\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\drivers\npf.sys


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NPF
-------\nm
-------\NPF


((((((((((((((((((((((((((((((( Files Created from 2007-04-08 to 2007-05-08 ))))))))))))))))))))))))))))))))))


2007-05-08 11:47 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-23 16:55 <DIR> d-------- C:\Program Files\B-Free
2007-04-14 10:01 36 --a------ C:\WINDOWS\system32\mce.dat
2007-04-14 10:01 <DIR> d-------- C:\Program Files\MP3 CD Extractor
2007-04-14 10:01 <DIR> d-------- C:\cd_extract
2007-04-10 12:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-10 10:56 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-04-10 10:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-07 21:10:20 -------- d-----w C:\Program Files\DynDNS Updater
2007-05-07 21:09:43 -------- d-----w C:\Program Files\ewido anti-spyware 4.0
2007-04-23 06:55:40 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-13 01:27:10 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-04-13 01:27:07 -------- d-----w C:\DOCUME~1\Bryans\APPLIC~1.\Symantec
2007-04-13 01:13:34 -------- d-----w C:\Program Files\Symantec
2007-04-03 04:23:25 -------- d-----w C:\Program Files\Destiny FinSoft
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-12 01:06:56 -------- d-----w C:\Program Files\Winamp
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\PROGRA~1\SPYBOT~1\SDHelper.dll"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.5\\THGuard.exe\""
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"RTHDCPL"="RTHDCPL.EXE"
"Registry Toolkit"="C:\\Program Files\\Registry Toolkit\\RegToolkit.exe /scan"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"IPO3"="\"C:\\Program Files\\LG Software\\IP Operator 2005\\IP Operator 2005.exe\" -aUtOsTaRtFrOmReG"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Window Washer"="C:\\Program Files\\Webroot\\Washer\\wwDisp.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"MP3 CD Extractor"="\"C:\\Program Files\\MP3 CD Extractor\\CD-Extractor.exe\" hmw"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{26F5978F-6493-4ee3-B114-C0C3ACCF9D4D}"="C:\WINDOWS\system32\bmpsap.dll"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{97f70dd8-9848-11da-b6ab-00e09109ac31}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \Launch_seminar_series_menu.htm
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AVGASCLN

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, [http://www.gmer.net]
Rootkit scan 2007-05-08 12:47:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-08 12:53:00 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-08 12:53
C:\ComboFix2.txt ... 2007-05-08 09:59
C:\ComboFix3.txt ... 2006-09-22 17:57

Edited by Bryan2, 08 May 2007 - 09:39 AM.


#6 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,325 posts

Posted 09 May 2007 - 08:39 PM

PS, What does "Warn 0%" mean?

It means you've been good :)
That shows that you've not been issued any "warnings" in the forum.

Download HostsXpert from here: http://www.funkytoad.../HostsXpert.zip
Extract the file HostsXpert.exe to your Desktop and run it.
Press 'Restore Original Hosts' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself

See if this fixes the problem downloading
  • Open Internet Explorer. On the Tools menu, click Internet Options.
  • On the General tab, under Temporary Internet files, click Delete Files.
  • In the Delete Files dialog box that appears, click OK.
  • Under History, click Clear History.
  • In the dialog box that appears, click OK.
  • Quit Internet Explorer.
Open HijackThis:
  • click the 'Open the Misc Tools section' button.
  • Click the 'Delete a file on reboot...' button.
  • In the window that opens, copy and paste the text below in the 'File name' field:
    C:\Documents and Settings\Bryans\Local Settings\Temporary Internet Files\Content.IE5\index.dat
  • Click the 'Open' button.
  • HijackThis will tell you that this file will be deleted when the system restarts and ask if you want to restart your system now.
  • Click Yes.
  • Your system should reboot now.
  • If your system does not automatically reboot, restart your system manually.
See if you can run the following online scanner, not sure if you will be able to because of your download problem.
Run Panda's online virus scan and perform a full system scan.
Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Please post a new HijackThis log, and the log from Panda's ActiveScan.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#7 Bryan2

Bryan2

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 10 May 2007 - 09:23 AM

Hi Joker,

See if this fixes the problem downloading

.

No, it did not fix it the download problem :techsupport:

What's happening is as follows.

Google "Merjin"

Hold the cursor over the link - down the bottom reads "www.merjin.net/"
The moment I click the link a pile of other text is added to the address, but it's often hidden and only flashes up too fast to read.
What I can see is "www.merjin.net/...."
I'm being redirected to nowhere as after 15 secs I'll get a page not found.

Hmmmm? :hmmm: Contradictions.
Google "ewido"
Get on to the site AND the download works!
Didn't do that the other day.

Try funkytoad.co... Page not found.

Machine rebooted OK after HJT effort. Man, do I like that button. :D Power over a dat file!

However something of a disaster has struck.
I copied your post to word and saved it to the shared folder on the desk top to try clicking on the Panda link.
As soon as the laptop rebooted I clicked on fserve, the shared folder, to open the copy of you post.
I got a dialog box telling me the folder didn't exist any more and it promtly disappeared from the directory tree. :rofl:

Now there is no way to get anything onto or off the LT.
Any ideas on why it would do that and how can I restore it? I need it to get the logs to you thru the DT.

I know I have a suspicious mind but it's as if someone has a back door into this system and wiped my shared folder to stop me tampering with their payload.

Panda seems to claim to be able to dig up some types of root kits. I ran it on my desktop, and it claimed 63 spyware detected and 1 hacking tool or rootkit.
The DT has never shown any problems what-so-ever though my girls play a lot of kids sites such as sesame street on it. I don't let them on my LT to try and keep the infections off it. Do I need a new strategy!

What to do?
I need to restore the shared folder on the LT. It still exists on the DT.
Should I start posting logs from the DT here or start a new post from scratch? Should I go run the basics, Adaware S&D etc or should I leave alone until the LT is fixed?

That sounds like a plan. If both machines stop emailing and downloading, I'll really be stuffed. :wtf:

Cheers Bryan :thumbsup:

#8 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,325 posts

Posted 10 May 2007 - 09:08 PM

Not sure what happened, but try this.
In Windows Explorer, click on Tools > Map Network Drive.
Try to select the drive letter you had before, is the drive and folder showing (sometimes the previous share will still show)? If it is, select it, place a checkmark in "Reconnect at logon", and click finish.

If you don't see it there, click the Browse button and try to locate it to map it.

Let's see if you can download this scanner.
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.cvs report.

Should I start posting logs from the DT here or start a new post from scratch? Should I go run the basics, Adaware S&D etc or should I leave alone until the LT is fixed?

Start a new topic for that system, run Adaware and Spybot Search & Destroy on it (since you mentioned them I assume you have them), delete anything they find, and in that topic post a HijackThis log, and the log from Panda's ActiveScan if you saved it. Once you do that, please post a link to the topic in here.

Please post a new HijackThis log, and the log from Dr.Web CureIt.
How did you make out trying to reconnect the shared folder?

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#9 Bryan2

Bryan2

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 11 May 2007 - 04:05 AM

Hi Joker,

Nothing is happening until I get that shared folder back. I'll need to talk to my tech help as he created it and he should be able to talk me thru re-creating it. It's 7.00pm Friday night here so naught will happen til Monday now.

I'll post you with what I have when I have it.

Until then, deepest gratitude for all you do, have a sizzling weekend and we'll talk next week.

Bryan :wave:

#10 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,325 posts

Posted 11 May 2007 - 05:06 AM

Do you have a CD Writer? You can always download Dr.Web CureIt on your Desktop, burn it to CD-R, and transfer it to the laptop that way (if it has a CD reader), and for the logs, you can transfer them via floppy.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#11 Bryan2

Bryan2

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 13 May 2007 - 09:18 PM

Hi Joker,

Do you have a CD Writer? You can always download Dr.Web CureIt on your Desktop, burn it to CD-R, and transfer it to the laptop that way (if it has a CD reader), and for the logs, you can transfer them via floppy.

No, the writer is in the LT, I didn't get one in the DT, thought it supurflous. :dumb:
No matter now as the shared folder is fixed. :whistle:

I can't run Panda as it's online. Dr Web log is posted. Not sure if those items should be quarantined. Can I gett'em back out if necessary? I don't know if The files in the Apply On Line folder are good or bad but Apply On Line is critical.

I've also posted a HJT log after the reboot. Still getting 'Server not found' messages in both IE & Mozilla but I have't sen a party poker pop up in a while.

DrWeb Cureit log

cd-extractor.exe;c:\program files\mp3 cd extractor;Probably DLOADER.Trojan;Incurable.Will be moved after reboot.;
HostsXpert.exe;C:\Documents and Settings\Bryans\Desktop;Probably WIN.WORM.Virus;;
HostsXpert.exe;C:\Documents and Settings\Bryans\Desktop\HostsXpert\HostsXpert;Probably WIN.WORM.Virus;Incurable.Moved.;
CD-Extractor.exe;C:\Program Files\MP3 CD Extractor;Probably DLOADER.Trojan;Incurable.Moved.;
PrintDoc.#s;C:\sea752\nextgen\ApplyOnlineMobile;Probably SCRIPT.Virus;Incurable.Moved.;
PrintDoc.js;C:\sea752\nextgen\ApplyOnlineMobile;Probably SCRIPT.Virus;Incurable.Moved.;




HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 12:06, on 07-05-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\LG Software\IP Operator 2005\IP Operator 2005.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Documents and Settings\Bryans\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Registry Toolkit] C:\Program Files\Registry Toolkit\RegToolkit.exe /scan
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IPO3] "C:\Program Files\LG Software\IP Operator 2005\IP Operator 2005.exe" -aUtOsTaRtFrOmReG
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Show Zoho CRM.lnk = C:\AdventNet\ZohoCRM\bin\zohocrm_tray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://flex.afgonline.com.au
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {253A9D23-F982-11D4-8BE4-00D0B7E61414} (SiebelHTMLApplication Class) - http://flex.afgonlin.../siebelhtml.cab
O16 - DPF: {68CDB19A-6305-4589-8C35-41E3502CD451} (Siebel Option Pack for IE 7.5.3) - http://flex.afgonlin...lOptionPack.cab
O16 - DPF: {8F4F3368-54CA-4268-8225-0F4367472CF4} (MailClient Class) - http://flex.afgonlin...tMailClient.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec.../ols3/fscax.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwa...uditControl.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9757187-3C80-430A-81CB-5920DB8FEDBB}: NameServer = 192.168.54.1,192.189.54.33
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - C:\Program Files\DynDNS Updater\DynDNS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe


Thanks Bryan :wave:

#12 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,325 posts

Posted 13 May 2007 - 10:00 PM

The Backups from Dr.Web CureIt are in %userprofile%\DoctorWeb\quarantaine

So move HostsXpert.exe from C:\Documents and Settings\Bryans\DoctorWeb\quarantaine back to C:\Documents and Settings\Bryans\Desktop\HostsXpert\HostsXpert

Please go to VirusTotal and submit the following files for a scan:
C:\Documents and Settings\Bryans\DoctorWeb\quarantaine\CD-Extractor.exe
C:\Documents and Settings\Bryans\DoctorWeb\quarantaine\PrintDoc.#s
C:\Documents and Settings\Bryans\DoctorWeb\quarantaine\PrintDoc.js

If there was nothing detected, move the files back to:
C:\Program Files\MP3 CD Extractor
C:\sea752\nextgen\ApplyOnlineMobile

If any of the scanners detected something, leave the file where it is and post the entire log from VirusTotal for that file.

Why do you run DynDNS Updater?

Go to Control Panel > Network Connections > Local Area Connection, and click the Properties button.
In the window that opens, left click on Internet Protocol (TCP/IP) to select it, and click the Properties button.

Which is checked?
Obtain an IP address automatically
Use the following IP address

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#13 Bryan2

Bryan2

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 14 May 2007 - 01:54 AM

Why do you run DynDNS Updater?


Don't entirely understand why. Something to do with cable supplier has some sort of relationship with the modem so they can find each other. I'll see if I can get a better answer for you.

When I go to Network connections - LAN connection - IP properties, automatic is selected probably because I use a wireless network for the LT.

If I go to Network connections - wireless network connections - properties - Internet protocol - properties, then "Use the following IP addy" is selected. Under that is "Use the following DNS server addy" which has the same numbers as 017 in the HJT log.

ON VirusTotal, Dr Web and one other registered as suspicious for each file, eSafe and Web Washer.

I've simply copied and pasted these logs as I can't work out how to save a report from VT.
Let me know if that's not what you need.

Virustotal "Logs"

STATUS: FINISHED
Complete scanning result of "PrintDoc._s", received in VirusTotal at 05.14.2007, 06:27:56 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.5.10.0 05.14.2007 no virus found
AntiVir 7.4.0.15 05.13.2007 no virus found
Authentium 4.93.8 05.12.2007 no virus found
Avast 4.7.997.0 05.13.2007 no virus found
AVG 7.5.0.467 05.13.2007 no virus found
BitDefender 7.2 05.14.2007 no virus found
CAT-QuickHeal 9.00 05.12.2007 no virus found
ClamAV devel-20070416 05.14.2007 no virus found
DrWeb 4.33 05.13.2007 SCRIPT.Virus
eSafe 7.0.15.0 05.13.2007 no virus found
eTrust-Vet 30.7.3628 05.11.2007 no virus found
Ewido 4.0 05.13.2007 no virus found
FileAdvisor 1 05.14.2007 no virus found
Fortinet 2.85.0.0 05.14.2007 no virus found
F-Prot 4.3.2.48 05.12.2007 no virus found
F-Secure 6.70.13030.0 05.14.2007 no virus found
Ikarus T3.1.1.7 05.13.2007 no virus found
Kaspersky 4.0.2.24 05.14.2007 no virus found
McAfee 5029 05.11.2007 no virus found
Microsoft 1.2503 05.14.2007 no virus found
NOD32v2 2263 05.14.2007 no virus found
Norman 5.80.02 05.11.2007 no virus found
Panda 9.0.0.4 05.13.2007 no virus found
Prevx1 V2 05.14.2007 no virus found
Sophos 4.17.0 05.11.2007 no virus found
Sunbelt 2.2.907.0 05.12.2007 no virus found
Symantec 10 05.14.2007 no virus found
TheHacker 6.1.6.114 05.12.2007 no virus found
VBA32 3.12.0 05.13.2007 no virus found
VirusBuster 4.3.7:9 05.13.2007 no virus found
Webwasher-Gateway 6.0.1 05.14.2007 VBScript.Vulnerable.gen!Medium (suspicious)

Aditional Information
File size: 25130 bytes
MD5: e74ac433b359dc6962870d36a8acb8fe
SHA1: 69eaaa61e172bf352d2e0b30fda60141942e6bf3


STATUS: FINISHED
Complete scanning result of "PrintDoc.js", received in VirusTotal at 05.14.2007, 06:34:06 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.5.10.0 05.14.2007 no virus found
AntiVir 7.4.0.15 05.13.2007 no virus found
Authentium 4.93.8 05.12.2007 no virus found
Avast 4.7.997.0 05.13.2007 no virus found
AVG 7.5.0.467 05.13.2007 no virus found
BitDefender 7.2 05.14.2007 no virus found
CAT-QuickHeal 9.00 05.12.2007 no virus found
ClamAV devel-20070416 05.14.2007 no virus found
DrWeb 4.33 05.13.2007 SCRIPT.Virus
eSafe 7.0.15.0 05.13.2007 no virus found
eTrust-Vet 30.7.3628 05.11.2007 no virus found
Ewido 4.0 05.13.2007 no virus found
FileAdvisor 1 05.14.2007 no virus found
Fortinet 2.85.0.0 05.14.2007 no virus found
F-Prot 4.3.2.48 05.12.2007 no virus found
F-Secure 6.70.13030.0 05.14.2007 no virus found
Ikarus T3.1.1.7 05.13.2007 no virus found
Kaspersky 4.0.2.24 05.14.2007 no virus found
McAfee 5029 05.11.2007 no virus found
Microsoft 1.2503 05.14.2007 no virus found
NOD32v2 2263 05.14.2007 no virus found
Norman 5.80.02 05.11.2007 no virus found
Panda 9.0.0.4 05.13.2007 no virus found
Prevx1 V2 05.14.2007 no virus found
Sophos 4.17.0 05.11.2007 no virus found
Sunbelt 2.2.907.0 05.12.2007 no virus found
Symantec 10 05.14.2007 no virus found
TheHacker 6.1.6.114 05.12.2007 no virus found
VBA32 3.12.0 05.13.2007 no virus found
VirusBuster 4.3.7:9 05.13.2007 no virus found
Webwasher-Gateway 6.0.1 05.14.2007 JavaScript.Vulnerable.gen!High (suspicious)


Aditional Information
File size: 25130 bytes
MD5: e74ac433b359dc6962870d36a8acb8fe
SHA1: 69eaaa61e172bf352d2e0b30fda60141942e6bf3



STATUS: FINISHED
Complete scanning result of "CD-Extracto0.exe", received in VirusTotal at 05.14.2007, 07:51:17 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.5.10.0 05.14.2007 no virus found
AntiVir 7.4.0.15 05.13.2007 no virus found
Authentium 4.93.8 05.12.2007 no virus found
Avast 4.7.997.0 05.13.2007 no virus found
AVG 7.5.0.467 05.13.2007 no virus found
BitDefender 7.2 05.14.2007 no virus found
CAT-QuickHeal 9.00 05.14.2007 no virus found
ClamAV devel-20070416 05.14.2007 no virus found
DrWeb 4.33 05.13.2007 DLOADER.Trojan
eSafe 7.0.15.0 05.13.2007 suspicious Trojan/Worm
eTrust-Vet 30.7.3628 05.11.2007 no virus found
Ewido 4.0 05.13.2007 no virus found
FileAdvisor 1 05.14.2007 no virus found
Fortinet 2.85.0.0 05.14.2007 no virus found
F-Prot 4.3.2.48 05.12.2007 no virus found
F-Secure 6.70.13030.0 05.14.2007 no virus found
Ikarus T3.1.1.7 05.14.2007 no virus found
Kaspersky 4.0.2.24 05.14.2007 no virus found
McAfee 5029 05.11.2007 no virus found
Microsoft 1.2503 05.14.2007 no virus found
NOD32v2 2263 05.14.2007 no virus found
Norman 5.80.02 05.11.2007 no virus found
Panda 9.0.0.4 05.13.2007 no virus found
Prevx1 V2 05.14.2007 no virus found
Sophos 4.17.0 05.11.2007 no virus found
Sunbelt 2.2.907.0 05.12.2007 no virus found
Symantec 10 05.14.2007 no virus found
TheHacker 6.1.6.114 05.12.2007 no virus found
VBA32 3.12.0 05.13.2007 no virus found
VirusBuster 4.3.7:9 05.13.2007 no virus found
Webwasher-Gateway 6.0.1 05.14.2007 no virus found



Aditional Information
File size: 437248 bytes
MD5: 01d5bee1d54cb91ce180948efede528f
SHA1: 7c74c08ed735f2d7e14c6c6a98c8193edaefef0c
packers: UPX
packers: UPX
packers: UPX

#14 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,325 posts

Posted 14 May 2007 - 05:07 AM

I think it's safe to move the files back to the original folder:

Move C:\Documents and Settings\Bryans\DoctorWeb\quarantaine\CD-Extractor.exe
to C:\Program Files\MP3 CD Extractor
It looks like Dr.Web CureIt tried to save it twice, you can then delete C:\Documents and Settings\Bryans\DoctorWeb\quarantaine\CD-Extracto0.exe

Move C:\Documents and Settings\Bryans\DoctorWeb\quarantaine\PrintDoc.#s
C:\Documents and Settings\Bryans\DoctorWeb\quarantaine\PrintDoc.js
to C:\sea752\nextgen\ApplyOnlineMobile

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button