
Not 100% sure what is wrong

Old 01-18-2007, 06:50 AM   #1
Registered Member
 
Join Date: Jan 2007
Location: Adelaide, South Australia
Posts: 15
OS: Windows XP



Here is my HJT log. I'm sure you can notice the multiple instances of iexplore.exe open, even though I haven't used IE in months since switching to Firefox. Since I've noticed this error, several things have gone wrong, including a complete wipe of my internet bookmarks and my web browser settings (location of certain and extra buttons moving/being removed). Not sure if they are related at all.

Logfile of HijackThis v1.99.1
Scan saved at 12:18:27 AM, on 19/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\HJT\HijackThis.exe

O1 - Hosts: 65.54.239.80 messenger.hotmail.com
O1 - Hosts: 65.54.239.80 dp.msnmessenger.akadns.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Simcast] C:\Program Files\Simcast Media\Simcast\SimcastAlerts.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CoalHeart] C:\DOCUME~1\AFRODU~1\APPLIC~1\AIMMAT~1\Holdopen.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Startup.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} - http://www.tbcode.com/ist/softwares/...06_regular.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

__________________
Afro_dud is offline  
Old 01-18-2007, 08:26 AM   #2
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,473
OS: WinXP Home, Vista, Windows 7 64bit


Hello Afro_dud and welcome to TSF,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"

  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

--------------------------------------------------------------------

Download and install CleanUp! but do not run it yet. (Not Recommended for XP64).

(Alternate Link if main link doesn't work - http://www.greyknight17.com/spy/CleanUp.exe )

--------------------------------------------------------------------

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs):

Messenger Plus! 3. This program is known to install the malware that you have, a LOP infection. If the program is a must have, reinstall it and decline when asked to install the sponsor's software.

--------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries:

O4 - HKCU\..\Run: [CoalHeart] C:\DOCUME~1\AFRODU~1\APPLIC~1\AIMMAT~1\Holdopen.exe


Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following Folders if they still exist.

C:\Documents and Settings\AFRODU~1\Application Data\AIMMAT~1 <--This is a folder beginning with these 6 letters.
C:\Program Files\Messenger Plus! 3


--------------------------------------------------------------------

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! or move them to a permanent location.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it's checked.
Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.

--------------------------------------------------------------------

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
Run AVG Anti-Spyware with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted. **Please ensure it is set to Quarantine, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).
**AVG Anti-Spyware is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

--------------------------------------------------------------------

Reboot into Normal Mode.

--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------------

Download fl.zip
  • Extract the contents of the fl.zip to a new folder on Desktop.
  • Within the folder, locate & double-click fl.bat.
  • It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply.

--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

AVG Anti-Spyware results
Panda results
findlop.txt
New HijackThis log

__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
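Ried's instructions single out the CoalHeart O4 entry, an autostart launched from the user's Application Data folder, and the original poster noticed two copies of iexplore.exe in the process list. As an added example, not a tool from this thread or from HijackThis, here is a small Python triage script that applies those two checks to a HijackThis 1.99 log; the sample log lines are constructed to mirror the shape of the first post's log, and the profile-path markers and the multi-instance allow list are my own assumptions.

```python
"""Triage a HijackThis 1.99 log for the two things questioned in this thread:
O4 autostart entries that launch from the user's profile, and image names that
appear more than once in the "Running processes" section.

Added example for this page; not part of HijackThis or of the thread.
"""
import re
from collections import Counter

# O4 lines look like: O4 - HKCU\..\Run: [CoalHeart] C:\DOCUME~1\...\Holdopen.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Long and 8.3 (short) spellings of the per-user profile tree on Windows XP (assumption).
PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\", "\\application data\\", "\\applic~1\\")
# Processes that legitimately run several copies on XP; skipped when counting (assumption).
MULTI_INSTANCE_OK = {"svchost.exe"}


def executable_path(cmd: str) -> str:
    """Pull the launched program out of an O4 command string.
    Handles quoted paths ("C:\\Program Files\\x.exe" /flag), unquoted paths
    that contain spaces, and bare names such as SOUNDMAN.EXE."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def classify_o4(line: str):
    """Return (name, path, reason) when the entry deserves a look, else None."""
    m = O4_RE.match(line)
    if not m:
        return None
    path = executable_path(m.group("cmd"))
    low = path.lower()
    if any(marker in low for marker in PROFILE_MARKERS):
        return (m.group("name"), path, "autostart launched from the user profile")
    if "\\" not in path:
        return (m.group("name"), path, "bare file name, resolved by search path; confirm its location")
    return None


def suspicious_o4(log_text: str):
    """All O4 entries in the log that classify_o4 flags, in log order."""
    return [hit for hit in (classify_o4(l) for l in log_text.splitlines()) if hit]


def duplicate_processes(log_text: str) -> dict:
    """Count image names in the 'Running processes:' block and return those seen
    more than once. The two iexplore.exe lines in this thread differ in case and
    in 8.3 spelling, so the comparison is on the lowercased base name."""
    lines = log_text.splitlines()
    try:
        start = lines.index("Running processes:") + 1
    except ValueError:
        return {}
    names = Counter()
    for line in lines[start:]:
        if not line.strip():          # the block ends at the first blank line
            break
        names[line.rsplit("\\", 1)[-1].lower()] += 1
    return {n: c for n, c in names.items() if c > 1 and n not in MULTI_INSTANCE_OK}


# Constructed sample: a handful of lines shaped like the first log in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\progra~1\intern~1\iexplore.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CoalHeart] C:\DOCUME~1\AFRODU~1\APPLIC~1\AIMMAT~1\Holdopen.exe
"""

if __name__ == "__main__":
    for name, path, reason in suspicious_o4(SAMPLE_LOG):
        print(f"O4 [{name}] -> {path}: {reason}")
    for proc, count in duplicate_processes(SAMPLE_LOG).items():
        print(f"{proc}: {count} instances")
```

The script only ranks entries for a human to look at; a hit means "verify this", not "malware", which is also how the helper treats the log.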
Old 01-18-2007, 07:28 PM   #3
Registered Member
 
Join Date: Jan 2007
Location: Adelaide, South Australia
Posts: 15
OS: Windows XP


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:20:34 AM 19/01/2007

+ Scan result:

HKU\S-1-5-21-1220945662-963894560-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{93CECBB2-6B1B-448D-91B9-72604EF70105} -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP821\A0149194.exe -> Adware.Chiem : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP901\A0164271.exe -> Adware.Chiem : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP901\A0164273.dll -> Adware.Chiem : Cleaned with backup (quarantined).
C:\WINDOWS\system32\navshext1.dll -> Adware.Chiem : Cleaned with backup (quarantined).
C:\Program Files\Common Files\CMEII\CMEIIAPI.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\Program Files\Common Files\CMEII\CMESys.exe -> Adware.Gator : Cleaned with backup (quarantined).
C:\Program Files\Common Files\CMEII\CMEUpd.exe -> Adware.Gator : Cleaned with backup (quarantined).
C:\Program Files\Common Files\CMEII\GController.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\Program Files\Common Files\CMEII\GDwldEng.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\Program Files\Common Files\CMEII\GFormCTM.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\Program Files\Common Files\CMEII\GStore.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\Program Files\Common Files\CMEII\GSvcMgr.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\Program Files\Common Files\CMEII\GSvcSAP.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\Program Files\Common Files\GMT\EGIEProcess.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\Program Files\Common Files\GMT\EGNSEngine.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\Program Files\Common Files\GMT\GMT.exe -> Adware.Gator : Cleaned with backup (quarantined).
C:\Program Files\Common Files\GMT\GUninstaller.exe -> Adware.Gator : Cleaned with backup (quarantined).
C:\Program Files\Common Files\GMT\GatorStubSetup.exe -> Adware.Gator : Cleaned with backup (quarantined).
C:\Program Files\Common Files\GMT\egIEEngine.dll -> Adware.Gator : Cleaned with backup (quarantined).
HKU\S-1-5-21-1220945662-963894560-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C2EEB4FA-B6D6-41B9-9CFA-ABA87F862BCB} -> Adware.Generic : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP884\A0156871.exe/1 -> Adware.IMAd : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/istactivex.dll -> Adware.ISTBar : Cleaned with backup (quarantined).
C:\WINDOWS\pxwma.dll -> Adware.Webdir : Cleaned with backup (quarantined).
C:\Program Files\MediaGateway\Updater.exe -> Adware.WinAD : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll -> Adware.WinAD : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Synacast\SynaLive\EvID4226Patch.exe -> Backdoor.Virkel.A : Cleaned with backup (quarantined).
C:\Documents and Settings\Afro dud\My Documents\New Folder\StyleXP.v2.15.Male+Female.Incl.Keygen-ECLiPSE.zip/eclsxp15.exe -> Dropper.Delf.fd : Cleaned with backup (quarantined).
C:\SIERRA\Utility Installers\gpl12_uk.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP901\A0164270.exe -> Worm.Chiem.a : Cleaned with backup (quarantined).


::Report end



Incident Status Location

Adware:adware/block-checker Not disinfected c:\windows\system32\ustart.exe
Adware:adware/gator Not disinfected c:\program files\common files\CMEII
Adware:adware/wupd Not disinfected c:\program files\MediaGateway
Adware:adware/ist.istbar Not disinfected Windows Registry
Potentially unwanted tool:application/zango Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}
Spyware:Spyware/7r7t Not disinfected C:\Program Files\Ideazon\Zboard Software\Driver\KUpdate.exe
Hacktool:HackTool/Flood Not disinfected D:\mods\lfs\LFSJoin.zip[nHTMLn_2.92.dll]
Adware:Adware/VideoActiveXObject Not disinfected D:\mods\SolSuite.2007.v7.0.WinALL.Incl.Keygen-BRD.zip[run.exe]


Volume in drive C has no label.
Volume Serial Number is D401-B42F

Directory of C:\Documents and Settings\Afro dud\Application Data

24/10/2004 06:15 PM <DIR> .BitTornado
26/11/2006 10:03 AM <DIR> acccore
03/01/2007 01:18 PM <DIR> Adobe
14/01/2007 12:22 AM <DIR> AdobeUM
09/02/2005 03:43 PM <DIR> Ahead
30/11/2005 08:24 AM <DIR> Apple Computer
12/07/2006 01:41 AM <DIR> atitray
26/10/2005 11:46 AM <DIR> AVG7
14/01/2007 10:53 PM <DIR> Azureus
04/07/2006 05:47 PM 125,982 Cosmos Prefs
02/02/2006 04:33 PM <DIR> Creative
17/01/2005 03:25 PM <DIR> CyberLink
05/10/2006 11:39 PM <DIR> DivX
16/07/2005 09:46 PM <DIR> Google
27/10/2004 12:03 AM <DIR> Help
14/08/2005 07:26 PM <DIR> Hewlett-Packard
10/02/2006 05:18 PM <DIR> Ideazon
17/10/2004 03:23 PM <DIR> Identities
05/02/2006 12:28 AM <DIR> last.fm
17/06/2005 01:03 AM <DIR> Lavasoft
14/08/2006 09:39 PM <DIR> Macromedia
19/10/2004 12:25 AM <DIR> Microsoft Web Folders
17/10/2004 04:05 PM <DIR> Mozilla
18/02/2005 07:13 PM <DIR> Real
01/11/2006 02:44 PM <DIR> SmartFTP
07/01/2007 03:15 PM <DIR> SolSuite
21/01/2005 07:33 PM <DIR> Sun
23/03/2005 12:20 AM <DIR> Symantec
17/10/2004 04:05 PM <DIR> Talkback
26/10/2006 02:07 PM <DIR> teamspeak2
12/10/2005 04:46 PM <DIR> THQ
04/10/2006 12:42 PM <DIR> Ventrilo
05/07/2006 04:36 PM <DIR> XTND_BTUIObjects
16/03/2005 11:30 PM <DIR> Yahoo! Messenger
1 File(s) 125,982 bytes
33 Dir(s) 16,867,807,232 bytes free
Volume in drive C has no label.
Volume Serial Number is D401-B42F

Directory of C:\Documents and Settings\All Users\Application Data

03/01/2007 01:19 PM <DIR> Adobe
26/11/2006 09:59 AM <DIR> AOL
26/11/2006 09:58 AM <DIR> AOL Downloads
26/11/2006 09:59 AM <DIR> AOL OCP
26/05/2006 08:57 PM <DIR> Apple Computer
30/05/2005 06:23 PM <DIR> Autodesk
18/01/2007 09:40 PM <DIR> AVG7
20/10/2006 06:23 PM <DIR> Bluetooth
17/01/2005 03:24 PM <DIR> CyberLink
19/09/2006 09:53 PM <DIR> DVD Shrink
28/01/2005 06:28 PM <DIR> Grisoft
02/09/2005 09:24 AM 3,059 hpzinstall.log
16/06/2005 05:44 PM <DIR> Macrovision
12/10/2005 08:55 PM <DIR> Messenger Plus!
11/11/2006 07:13 AM <DIR> NFS Underground
18/10/2004 09:10 PM <DIR> Oberon Media
19/03/2006 12:18 AM 1,364 QTSBandwidthCache
05/12/2004 10:18 PM <DIR> QuickTime
19/10/2004 12:36 AM <DIR> SBT
08/12/2005 11:52 AM <DIR> Symantec
07/01/2007 03:06 PM <DIR> TreeCardGames
21/10/2006 11:24 AM <DIR> Trymedia
06/01/2005 12:05 AM <DIR> Viewpoint
16/05/2006 09:22 AM <DIR> Windows Genuine Advantage
2 File(s) 4,423 bytes
22 Dir(s) 16,867,807,232 bytes free
Volume in drive C has no label.
Volume Serial Number is D401-B42F

Directory of C:\Documents and Settings\Default User\Application Data

17/10/2004 11:48 PM <DIR> .
17/10/2004 11:48 PM <DIR> ..
17/10/2004 11:48 PM 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 16,867,807,232 bytes free
Volume in drive C has no label.
Volume Serial Number is D401-B42F

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C has no label.
Volume Serial Number is D401-B42F

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'FRU Task #Hewlett-Packard#hp psc 1200 series#1125615437.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe'
Parameters: '-I "#Hewlett-Packard#hp psc 1200 series#1125615437"'
WorkingDirectory: ''
Comment: ''
Creator: 'Afro dud'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 01/20/2007 8:29:00
StartError: SCHED_S_TASK_HAS_NOT_RUN
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 1
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/02/2005
EndDate: 00/00/0000
StartTime: 08:29
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Logfile of HijackThis v1.99.1
Scan saved at 12:57:35 PM, on 19/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\HijackThis.exe

O1 - Hosts: 65.54.239.80 messenger.hotmail.com
O1 - Hosts: 65.54.239.80 dp.msnmessenger.akadns.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Simcast] C:\Program Files\Simcast Media\Simcast\SimcastAlerts.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Startup.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} - http://www.tbcode.com/ist/softwares/...06_regular.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
__________________
Afro_dud is offline  
Old 01-19-2007, 07:10 PM   #4
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,473
OS: WinXP Home, Vista, Windows 7 64bit


Hello,

We have a bit more to do.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Download and unzip BFU.zip from http://www.merijn.org/files/bfu.zip
Run the program and click the Web button as shown here:


Use this URL to copy into the address bar of the Download script window:

http://metallica.geekstogo.com/MediaGateway.BFU

Make sure all IE windows are closed.

Execute the script by clicking the Execute button.

--------------------------------------------------------------------

Download Blockrem from HERE
  • Unzip it to its own folder on your desktop.
  • Boot your computer to safe mode by rebooting and tapping the F8 button repeatedly until it brings up a boot menu.
    From that menu, select Safe Mode by using the arrow keys to highlight it then pressing enter.
  • Once in safe mode open the Blockrem folder on your desktop and double-click blockrem.bat (this is the file with the gear icon) to run it.
  • Once it is running please follow the onscreen instructions.
--------------------------------------------------------------------

Navigate to and delete the following file and folder: (If they still exist)

c:\windows\system32\ustart.exe
D:\mods\lfs


--------------------------------------------------------------------

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now.

Open notepad and copy/paste the text in the quotebox below:
(don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}]

Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------------

I'd like to see what the other scanners have to say about this:

Upload this file C:\Program Files\Ideazon\Zboard Software\Driver\KUpdate.exe to http://virusscan.jotti.org and report back what it found.

At the top of the window you should see "File to Upload & scan" and a blank box. Copy and paste the file path from above into the box. Then click "submit".

When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" here.

--------------------------------------------------------------------

Please run another online scan at Panda and save the results.

--------------------------------------------------------------------

Please include the following in your next reply:

Jotti results
Panda scan
New HijackThis log
Update on system behavior
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 01-20-2007, 06:36 AM   #5

I could not find the file ustart.exe to remove (even after allowing viewing of hidden files) yet it still appeared on the Panda scan

Service
File: KUpdate.exe
Status: OK
MD5 3249b0aa331b6bede42a91c5a09f2fc4
Packers detected: -
Scanner results
Scan taken on 20 Jan 2007 10:41:59 (GMT)
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found nothing


Incident Status Location

Adware:adware/block-checker Not disinfected c:\windows\system32\ustart.exe
Adware:adware/gator Not disinfected c:\program files\common files\CMEII
Adware:adware/wupd Not disinfected c:\program files\MediaGateway
Adware:adware/ist.istbar Not disinfected Windows Registry
Potentially unwanted tool:application/zango Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}
Spyware:Spyware/7r7t Not disinfected C:\Program Files\Ideazon\Zboard Software\Driver\KUpdate.exe
Adware:Adware/VideoActiveXObject Not disinfected D:\mods\SolSuite.2007.v7.0.WinALL.Incl.Keygen-BRD.zip[run.exe]

Logfile of HijackThis v1.99.1
Scan saved at 12:05:17 AM, on 21/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\HijackThis.exe

O1 - Hosts: 65.54.239.80 messenger.hotmail.com
O1 - Hosts: 65.54.239.80 dp.msnmessenger.akadns.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Simcast] C:\Program Files\Simcast Media\Simcast\SimcastAlerts.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Startup.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by133fd.bay133.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} - http://www.tbcode.com/ist/softwares/...06_regular.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

System behaviour

After running the first few tests you set out for me, the popup problem instantly disappeared, and slight performance gains were noticed in some areas.
Afro_dud is offline  
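Added example, not code from this thread, from HijackThis or from any of the scanners mentioned: a small Python triage script for a log like the one posted above. It parses the O-section lines into records, applies a few conservative checks of the kind a log reader does by hand (HOSTS overrides, autostart entries without an absolute path, ActiveX .cab downloads from hosts not on an allowlist, services reported with "Unknown owner"), and builds the REGEDIT4 text that deletes one key, which is the mechanism the delete.reg step in post #4 relies on. The sample log is constructed from lines quoted in this thread; the trusted-host list, the heuristics and the `Ext\Stats` key helper are assumptions for illustration, and a hit means "verify this", not "infected".

```python
"""HijackThis log triage (added example; not HijackThis code).

Checks applied (a hit means "look at this", not "infected"):
  O1   any HOSTS override (a name pinned to an IP)
  O4   autostart whose command is not an absolute path, or a .lnk with target '?'
  O16  Downloaded Program Files (ActiveX .cab) from a host not on the allowlist
  O23  service whose publisher is reported as "Unknown owner"
Also builds REGEDIT4 text that deletes one key ('[-key]' = delete on merge).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HOST_RE = re.compile(r"https?://([^/\s]+)")
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')

# Hosts from which an ActiveX download is expected on this machine (assumption).
TRUSTED_O16_HOSTS = ("pandasoftware.com", "microsoft.com", "windowsupdate.com")


@dataclass
class Entry:
    section: str          # "O1", "O4", "O16", ...
    text: str             # everything after "Oxx - "
    clsid: Optional[str]  # first {GUID} on the line, upper-cased
    host: Optional[str]   # host of the first http(s) URL on the line


def parse_log(log: str) -> List[Entry]:
    """Keep only the 'Oxx - ...' lines; header and process list are skipped."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, text = m.group(1), m.group(2)
        g, h = GUID_RE.search(text), HOST_RE.search(text)
        entries.append(Entry(section, text,
                             g.group(0).upper() if g else None,
                             h.group(1).lower() if h else None))
    return entries


def _o4_command(text: str) -> str:
    if "] " in text:           # 'HKLM\..\Run: [Name] command args'
        return text.split("] ", 1)[1]
    if " = " in text:          # 'Global Startup: name.lnk = target' ('?' = unresolved)
        return text.split(" = ", 1)[1]
    return text.split(": ", 1)[-1]   # 'Global Startup: file.exe'


def _trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_O16_HOSTS)


def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    findings = []
    for e in entries:
        if e.section == "O1":
            findings.append((e, "HOSTS override: confirm the IP really belongs to that name"))
        elif e.section == "O4":
            cmd = _o4_command(e.text)
            if not ABS_PATH_RE.match(cmd):
                findings.append((e, "autostart without an absolute path: " + cmd))
        elif e.section == "O16":
            if e.host is None or "..." in e.host:   # forum paste shortened the URL
                findings.append((e, "DPF URL missing or truncated in the pasted log; re-check"))
            elif not _trusted(e.host):
                findings.append((e, "ActiveX .cab from untrusted host " + e.host))
        elif e.section == "O23" and "Unknown owner" in e.text:
            findings.append((e, "service without publisher info: verify the binary"))
    return findings


def triage_report(log: str) -> List[Tuple[str, str]]:
    """(section, reason) per finding, in log order."""
    return [(e.section, reason) for e, reason in triage(parse_log(log))]


def ext_stats_key(clsid: str) -> str:
    """Per-user IE add-on statistics key for a CLSID (the key deleted in this thread)."""
    if not GUID_RE.fullmatch(clsid):
        raise ValueError("not a {GUID}: " + clsid)
    return (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats"
            + "\\" + clsid.upper())


def regedit_delete_fragment(key_path: str) -> str:
    """REGEDIT4 text that deletes key_path when merged. Save as ANSI with CRLF
    (Notepad's default on XP); the blank line after the header is required.
    Export a backup first (File->Export in regedit, as the thread says)."""
    return "REGEDIT4\r\n\r\n[-" + key_path + "]\r\n"


# Constructed sample built from lines quoted in this thread (URLs as pasted, truncated).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
C:\WINDOWS\Explorer.EXE
O1 - Hosts: 65.54.239.80 messenger.hotmail.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Startup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by133fd.bay133.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} - http://www.tbcode.com/ist/softwares/...06_regular.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
"""

if __name__ == "__main__":
    for section, reason in triage_report(SAMPLE_LOG):
        print(section, "-", reason)
    print(regedit_delete_fragment(ext_stats_key("{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}")))
```

Run as a script it lists the six entries from the sample that deserve a second look (the HOSTS line, `SOUNDMAN.EXE` and `Startup.exe` with no path, the MSN .cab whose URL the forum truncated, the www.tbcode.com .cab, and the one service with no publisher) and prints the delete.reg text for the Zango `Ext\Stats` key named in post #4. Entries the checks pass, such as the Panda ActiveScan .cab or a Run entry with a quoted `C:\` path, are still worth reading by hand; the script only orders the work.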
Old 01-20-2007, 07:14 AM   #6

Create an Uninstall List:
Open HijackThis
*Click on the "Configure" button on the bottom right
*Click on the tab "Misc Tools"
*Click on the Box that says "Open Uninstall Manager"
*Click on the button "Save list"
The list will automatically be saved in your HijackThis folder.

Please copy and paste the uninstall_list.txt here.
Ried is offline  
Old 01-20-2007, 07:18 AM   #7

18 Wheels of Steel Pedal to the Metal
3ds max 7
3ds max 7 Additional Maps and Materials
Ad-Aware SE Personal
Adobe After Effects 6.5
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 9 ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Photoshop CS
Adobe Reader 7.0.8
Advanced X Video Converter
AF-RF1
Age of Mythology
Age of Mythology - The Titans Expansion
Ahead Nero Burning ROM
AIM 6.0
All To MP3 Converter 1.6
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver (Omega 3.8.252)
Audacity 1.2.6
AusH6 2005 V8 SuperCar Challenge Mod v1.0
Avance AC'97 Audio
AVG Anti-Spyware 7.5
AVG Free Edition
Azureus
Battlefield 1942
Battlefield 1942: Secret Weapons of WWII
Battlefield 1942: The Road To Rome
Battlefield 2(TM)
Battlefield Vietnam(TM)
Birmingham Motorplex
BitLord 1.1
BlueSoleil
Bridge Builder
Camera Toolbox beta v0.1
Classic Trans Am Racing
CleanUp!
CloneDVD Trial 3.0.2.5
Command & Conquer Generals
Command & Conquer Renegade
Command and ConquerTM Generals Zero Hour
Creative MediaSource
Creative Removable Disk Manager
Creative System Information
Creative Zen MicroPhoto
CyberLat RAM Cleaner 1.1.3
DAEMON Tools
DesertCombat 0.7
DH Driver Cleaner Professional Edition
Diablo II
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Downhill PAKOON! 2.Many Unlimited 2009
DTM 2003 Mod by Team-RMG
DVD Decrypter (Remove Only)
DVD Shrink 3.1.7
Electronic Arts Game Updater
F1 Challenge 99-02
F1C Telemetry (FTL)
FileZilla (remove only)
FinePixViewer Ver.4.0
FlatOut
Fraps (remove only)
FUJIFILM USB Driver
Game Maker 6.0
GameJack 5
GameSpy Arcade
GEM+ 2 & iGOR
GetRight
Google Earth
Google Video Player
GPL Digital Display Modifier
GPL Replay Analyser (remove only)
GPLAIM
GPxPatch (remove only)
Grand Prix 4
Grand Prix Legends
GT Legends 1.0.0.0
GTA San Andreas
GtkAtlantic 0.4.1
GTR
GTR - King of Ovals Expansion Pack
Half-Life(R) 2
HijackThis 1.99.1
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB929120)
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
hp psc 1200 series
ImageMixer VCD for FinePix
Imation Disk Manager II Service
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment Standard Edition v1.3.1_04
Jigs@w Puzzle
Last.fm Player 1.1.4
Lernout & Hauspie TruVoice American English TTS Engine
LimeWire PRO 4.13.0
Logitech Gaming Software
LogonStudio
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Shockwave Player
MakeTorrent v2.1
Medal of Honor Allied Assault
Messenger Plus! Live & Sponsor
Microsoft .NET Framework 1.1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Premium
Microsoft RalliSport Challenge
Microsoft User-Mode Driver Framework Feature Pack 1.0
MicroStaff WINASPI NT
Mozilla Firefox (2.0.0.1)
MP3 Player
MSI to redistribute Rigs of Rods
MSXML 4.0 SP2 (KB927978)
MSXML4 Parser
MultiRes (remove only)
My DSC
NASCAR® Racing 2003 Season
Need For Speed Underground
Need for Speed Underground 2
NR Graphics Tweaker
O&O Defrag Professional Edition
OWR Mod For Papyrus NR2003 Season
Panda ActiveScan
PowerDVD
Project Wildfire Trans Am Series for Nascar Racing 2003
QuickTime
Radeon Omega Drivers v3.8.252 Setup Files and Tools
RAW FILE CONVERTER LE
Ray Adams ATI Tray Tools
RealPlayer
rFactor (remove only)
RFACTOR AeroWar '88 Stock Car Series
Ricky Ponting International Cricket 2005
rsClient 8.x
RTPatch Update
Sacred
Sacred Underworld
Saints and Sinners Bingo
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB929969)
Sierra Utilities
Simple Race Reporter V3.03
SolSuite
SolSuite Graphics Pack
Star Wars(R) Knights of the Old Republic(R) II: The Sith Lords(TM)
Steam(TM)
StyleXP (remove only)
SUPER © Version 2006.19 (FIX)
Synacast Plug-in 1.1.0.7
TeamSpeak 2 RC2
Tribes Vengeance
TVUPlayer 2.3.0.0
Universal SCSI Controller
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
USB GAME PAD
V8 Supercar Challenge
V8Factor Season 2006
Vampire - The Masquerade Bloodlines
Ventrilo Client
Viewpoint Media Player
VROC
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinVROC
WinZip
World of Warcraft
World Series of Poker: TOC
Xpand Rally
XTNDConnect Blue Manager 3.1
Yahoo! Messenger
Zboard (TM) Software
Afro_dud is offline  
Old 01-20-2007, 05:26 PM   #8
Are you sure that is the report from the new Panda scan? It looks exactly the same as the previous scan.

Did you have any difficulty with the registry deletion instructions I gave you?

Did you have any difficulty with the mediagateway.bfu?

--------------------------------------

You still have Messenger Plus! Live & Sponsor installed. Please refer to my very first set of fixes--that is the program that's responsible for the LOP infection you had.

Uninstall that program and if you really like having it, then when you reinstall make sure not to install the sponsor program. Read the installation procedures carefully. When you get to the Sponsor Agreement, SELECT:

'I Refuse to give my support, install Messenger Plus! without the sponsor'.

--------------------------------------

I'd like you to use a different online scanner this time:

Please perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
Ried is offline  
Old 01-21-2007, 06:43 AM   #9
Quote:
Originally Posted by Ried View Post
Are you sure that is the report from the new Panda scan? It looks exactly the same as the previous scan.

Did you have any difficulty with the registry deletion instructions I gave you?

Did you have any difficulty with the mediagateway.bfu?
Yes, that is the newest report from the Panda scan. The registry deletion instructions gave me no issues at all. Same thing with mediagateway.bfu. As for the Messenger Plus thing, I removed both instances that were on there (there was an older unremoved version on there from before I switched to Live Messenger). I have now uninstalled the newer one, and reinstalled without the sponsor.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, January 22, 2007 12:13:00 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 21/01/2007
Kaspersky Anti-Virus database records: 260523
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 312943
Number of viruses found: 8
Number of infected objects: 26 / 0
Number of suspicious objects: 0
Duration of the scan process: 04:00:23

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cert8.db Object is locked skipped
C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\history.dat Object is locked skipped
C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\key3.db Object is locked skipped
C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\parent.lock Object is locked skipped
C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Afro dud\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Afro dud\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Afro dud\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Afro dud\Local Settings\Application Data\Microsoft\Windows Live Contacts\v8supercarracedriver@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Afro dud\Local Settings\Application Data\Microsoft\Windows Live Contacts\v8supercarracedriver@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Afro dud\Local Settings\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Afro dud\Local Settings\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Afro dud\Local Settings\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Afro dud\Local Settings\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Afro dud\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Afro dud\Local Settings\Temp\~DF146D.tmp Object is locked skipped
C:\Documents and Settings\Afro dud\Local Settings\Temp\~DF147A.tmp Object is locked skipped
C:\Documents and Settings\Afro dud\Local Settings\Temp\~DF490.tmp Object is locked skipped
C:\Documents and Settings\Afro dud\Local Settings\Temp\~DF49D.tmp Object is locked skipped
C:\Documents and Settings\Afro dud\Local Settings\Temp\~DFFC70.tmp Object is locked skipped
C:\Documents and Settings\Afro dud\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Afro dud\My Documents\Bens\freeripmp3.exe/data0011 Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\Documents and Settings\Afro dud\My Documents\Bens\freeripmp3.exe Inno: infected - 1 skipped
C:\Documents and Settings\Afro dud\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Afro dud\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AVG7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Games\Dawn of War\bugreport.log Object is locked skipped
C:\Games\Dawn of War\dlltie.log Object is locked skipped
C:\Games\Dawn of War\GraphicsConfig.log Object is locked skipped
C:\Games\Dawn of War\Local.ini Object is locked skipped
C:\Games\Dawn of War\Logfiles\datacrc.2004-10-30.11-49-06.txt Object is locked skipped
C:\Games\Dawn of War\Logfiles\datacrc.2004-10-30.12-02-47.txt Object is locked skipped
C:\Games\Dawn of War\Logfiles\syncerror_26.2004-10-30.11-49-06.1.txt Object is locked skipped
C:\Games\Dawn of War\Logfiles\syncerror_26.2004-10-30.11-49-06.txt Object is locked skipped
C:\Games\Dawn of War\Logfiles\syncerror_previousframe_25.2004-10-30.11-49-06.txt Object is locked skipped
C:\Games\Dawn of War\Playback\temp.rec Object is locked skipped
C:\Games\Dawn of War\Profiles\Profile1\name.dat Object is locked skipped
C:\Games\Dawn of War\Profiles\Profile1\playercfg.lua Object is locked skipped
C:\Games\Dawn of War\Profiles\Profile1\testStats.Lua Object is locked skipped
C:\Games\Dawn of War\Profiles\Profile1\W40k\KEYDEFAULTS.LUA Object is locked skipped
C:\Games\Dawn of War\warnings.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP903\A0166755.dll Infected: not-a-virus:AdWare.Win32.Gator.3124 skipped
C:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP903\A0166756.exe Infected: not-a-virus:AdWare.Win32.Gator.3124 skipped
C:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP903\A0166757.exe Infected: not-a-virus:AdWare.Win32.Gator.3124 skipped
C:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP903\A0166758.dll Infected: not-a-virus:AdWare.Win32.Gator.3124 skipped
C:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP903\A0166759.dll Infected: not-a-virus:AdWare.Win32.Gator.3124 skipped
C:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP903\A0166760.dll Infected: not-a-virus:AdWare.Win32.Gator.3124 skipped
C:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP903\A0166761.dll Infected: not-a-virus:AdWare.Win32.Gator.3124 skipped
C:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP903\A0166762.dll Infected: not-a-virus:AdWare.Win32.Gator.3124 skipped
C:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP903\A0166763.dll Infected: not-a-virus:AdWare.Win32.Gator.3124 skipped
C:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP903\A0166764.dll Infected: not-a-virus:AdWare.Win32.Gator.q skipped
C:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP903\A0166765.dll Infected: not-a-virus:AdWare.Win32.Gator.5017 skipped
C:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP903\A0166766.exe Infected: not-a-virus:AdWare.Win32.Gator.3124 skipped
C:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP903\A0166768.exe Infected: not-a-virus:AdWare.Win32.Gator.3124 skipped
C:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP903\A0166769.dll Infected: not-a-virus:AdWare.Win32.Gator.3124 skipped
C:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP903\A0166770.exe Infected: not-a-virus:AdTool.Win32.WinAD.bv skipped
C:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP903\A0166771.dll Infected: not-a-virus:AdWare.Win32.Chiem.a skipped
C:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP903\A0166772.dll Infected: not-a-virus:AdWare.Win32.Webdir.b skipped
C:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP905\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Azureus_2.2.0.2-Win32.setup.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Webdir.b skipped
D:\Azureus_2.2.0.2-Win32.setup.exe/stream Infected: not-a-virus:AdWare.Win32.Webdir.b skipped
D:\Azureus_2.2.0.2-Win32.setup.exe NSIS: infected - 2 skipped
D:\mods\SolSuite.2007.v7.0.WinALL.Incl.Keygen-BRD.zip/run.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.bjg skipped
D:\mods\SolSuite.2007.v7.0.WinALL.Incl.Keygen-BRD.zip/run.exe/stream Infected: Trojan-Downloader.Win32.Zlob.bjg skipped
D:\mods\SolSuite.2007.v7.0.WinALL.Incl.Keygen-BRD.zip/run.exe Infected: Trojan-Downloader.Win32.Zlob.bjg skipped
D:\mods\SolSuite.2007.v7.0.WinALL.Incl.Keygen-BRD.zip ZIP: infected - 3 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP905\change.log Object is locked skipped

Scan process completed.
Old 01-21-2007, 05:56 PM   #10
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,473
OS: WinXP Home, Vista, Windows 7 64bit


Ok, let's try this again.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

*************************************************

Delete the following files and folders:

c:\windows\system32\ ustart.exe
c:\program files\common files\ CMEII
c:\program files\ MediaGateway
D:\mods\ SolSuite.2007.v7.0.WinALL.Incl.Keygen-BRD.zip


----------------------------------------------------------------

Run another online scan at Panda and post the results here.

----------------------------------------------------------------

Based on the Kaspersky results, I'd like to run another tool and see if it reports any other entries:

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click smitfraudfix.exe to start the tool.
  • Select option #1 - Search by typing 1 and press "Enter"
  • A text file will appear which lists infected files (if present).
  • Please copy/paste the content of that report into your next reply.
IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 01-22-2007, 12:24 AM   #11
Registered Member
 
Join Date: Jan 2007
Location: Adelaide, South Australia
Posts: 15
OS: Windows XP


c:\windows\system32\ ustart.exe

I'll state what I said last time I tried to find this file. It doesn't exist at all. I've even turned on hidden files, and it's just not there at all.

c:\program files\ MediaGateway also does not exist.

I'm just about to start a Panda scan as of this message.
Old 01-22-2007, 11:26 PM   #12
Registered Member
 
Join Date: Jan 2007
Location: Adelaide, South Australia
Posts: 15
OS: Windows XP


Incident Status Location

Adware:adware/gator Not disinfected c:\program files\common files\GMT
Adware:adware/ist.istbar Not disinfected Windows Registry
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[counter7.sextracker.com/]
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[.sextracker.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[.atwola.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[.ig.com.br/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[adserver.filefront.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Afro dud\Cookies\afro dud@adtech[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Afro dud\Cookies\afro dud@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Afro dud\Cookies\afro dud@bs.serving-sys[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Afro dud\Cookies\afro dud@doubleclick[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Afro dud\Cookies\afro dud@serving-sys[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Afro dud\Cookies\afro dud@statse.webtrendslive[2].txt
Spyware:Spyware/7r7t Not disinfected C:\Documents and Settings\Afro dud\Local Settings\Temporary Internet Files\Content.IE5\768GB8CN\010101[1].exe
Spyware:Spyware/7r7t Not disinfected C:\Documents and Settings\Afro dud\Local Settings\Temporary Internet Files\Content.IE5\CL2VSPU3\012201[1].exe
Spyware:Spyware/7r7t Not disinfected C:\Program Files\Ideazon\Zboard Software\Driver\KUpdate.exe


SmitFraudFix v2.133

Scan done at 16:55:52.44, Tue 23/01/2007
Run from C:\Documents and Settings\Afro dud\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Afro dud


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Afro dud\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\AFRODU~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
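The Kaspersky report earlier in the thread and the Panda report in the post above mix three kinds of line: files the scanner could not open ("Object is locked skipped"), real detections, and archive summaries ("ZIP: infected - 3") that only repeat the member hits. The detections in turn call for different responses depending on where the file sits: inside a System Restore snapshot (which no scanner can clean, hence the flush-restore-points step later in the thread), in a browser cache, in a cookie store, inside a downloaded archive, or in a live program directory. The Python below is an added example, not code from the thread, from Tech Support Forum, or from either scanner vendor. It parses both report formats, collapses nested archive hits onto the single archive you actually delete, and assigns each item a severity and an action. The sample lines are constructed from the reports posted in this thread; the regular expressions, categories, severity ranking and action text are assumptions of the example, not documented scanner behaviour.

```python
# Added example (not from the thread or the scanner vendors): triage an AV
# report into an action list. Sample lines are constructed from the thread.
import re
from dataclasses import dataclass

KASPERSKY_SAMPLE = r"""
C:\Documents and Settings\Afro dud\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Afro dud\My Documents\Bens\freeripmp3.exe/data0011 Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\System Volume Information\_restore{F52316FE-B677-4EB0-991B-39A32492918C}\RP903\A0166755.dll Infected: not-a-virus:AdWare.Win32.Gator.3124 skipped
D:\mods\SolSuite.2007.v7.0.WinALL.Incl.Keygen-BRD.zip/run.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.bjg skipped
D:\mods\SolSuite.2007.v7.0.WinALL.Incl.Keygen-BRD.zip/run.exe Infected: Trojan-Downloader.Win32.Zlob.bjg skipped
D:\mods\SolSuite.2007.v7.0.WinALL.Incl.Keygen-BRD.zip ZIP: infected - 3 skipped
"""

PANDA_SAMPLE = r"""
Adware:adware/gator Not disinfected c:\program files\common files\GMT
Adware:adware/ist.istbar Not disinfected Windows Registry
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Afro dud\Application Data\Mozilla\Firefox\Profiles\4nwhp7dz.default\cookies.txt[.doubleclick.net/]
Spyware:Spyware/7r7t Not disinfected C:\Documents and Settings\Afro dud\Local Settings\Temporary Internet Files\Content.IE5\768GB8CN\010101[1].exe
Spyware:Spyware/7r7t Not disinfected C:\Program Files\Ideazon\Zboard Software\Driver\KUpdate.exe
"""

# Assumed line shapes. "Object is locked skipped" lines and "ZIP: infected - N"
# container summaries do not match on purpose: the first are not findings, the
# second duplicate the member lines.
KASPERSKY_HIT = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
PANDA_HIT = re.compile(r"^(?P<name>\S+) Not disinfected (?P<path>.+)$")

RANK = {"low": 0, "medium": 1, "high": 2}
ACTIONS = {  # assumed per-category response; adapt to your own playbook
    "registry": "remove the autostart/BHO entries the scanner points at, then rescan",
    "tracking_cookie": "clear browser cookies; tracking only, nothing executes",
    "restore_point": "AV cannot clean System Volume Information: flush restore points, then create a fresh one",
    "browser_cache": "clear the cache; confirm the file was only downloaded, never run",
    "archive_member": "delete the whole archive/installer, not just the member",
    "live_file": "delete or quarantine; check for a running process and autostart entry first",
}

@dataclass
class Finding:
    scanner: str
    path: str            # exactly as the scanner printed it
    name: str            # detection name
    category: str = ""
    container: str = ""  # the on-disk object to act on (outer archive for nested hits)
    severity: str = ""

def parse_kaspersky(text):
    return [Finding("kaspersky", m["path"], m["name"])
            for m in map(KASPERSKY_HIT.match, text.strip().splitlines()) if m]

def parse_panda(text):
    return [Finding("panda", m["path"], m["name"])
            for m in map(PANDA_HIT.match, text.strip().splitlines()) if m]

def classify(path):
    p = path.lower()
    if p == "windows registry":
        return "registry"
    if "cookies.txt[" in p or "\\cookies\\" in p:
        return "tracking_cookie"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if "\\temporary internet files\\" in p or "\\local settings\\temp\\" in p:
        return "browser_cache"
    if "/" in p:  # Kaspersky separates archive members from the container with '/'
        return "archive_member"
    return "live_file"

def severity_of(name, category):
    n = name.lower()
    if category == "tracking_cookie":
        return "low"
    if "trojan" in n or "backdoor" in n or "worm" in n:
        return "high"
    return "medium"  # adware, "not-a-virus", generic spyware

def enrich(f):
    f.category = classify(f.path)
    f.container = f.path.split("/", 1)[0] if f.category == "archive_member" else f.path
    f.severity = severity_of(f.name, f.category)
    return f

def triage(findings):
    # Group by (category, container) so several hits inside one archive become one action.
    plan = {}
    for f in map(enrich, findings):
        entry = plan.setdefault((f.category, f.container),
                                {"names": set(), "severity": "low", "action": ACTIONS[f.category]})
        entry["names"].add(f.name)
        if RANK[f.severity] > RANK[entry["severity"]]:
            entry["severity"] = f.severity
    return plan

def report(plan):
    # Printable lines, highest severity first.
    rows = sorted(plan.items(), key=lambda kv: (-RANK[kv[1]["severity"]], kv[0]))
    return [f"[{e['severity']}] {cat}: {cont}\n    {', '.join(sorted(e['names']))} -> {e['action']}"
            for (cat, cont), e in rows]

if __name__ == "__main__":
    print("\n".join(report(triage(parse_kaspersky(KASPERSKY_SAMPLE) + parse_panda(PANDA_SAMPLE)))))
```

Run as-is it prints the Zlob archive on D: first, then the live files and restore-point entries, with the DoubleClick cookie last. The two Zlob lines collapse into one item keyed on the .zip, which matches the helper's instruction to delete the archive rather than a member; the cookie hits are ranked low because a cookie is data the browser stores, not code that runs.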
Old 01-23-2007, 06:34 AM   #13
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,473
OS: WinXP Home, Vista, Windows 7 64bit


One more folder and the clearing of cookies and you'll be good to go.


Delete this folder:

c:\program files\common files\ GMT

-----------------------------------------------------

Clear Mozilla Firefox cookies:
Open the Mozilla browser (you do not need to be online to do this), then click Tools > Options > Privacy > Cookies > Clear.

-----------------------------------------------------

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links.


Reset hidden/system files and folders
Windows XP
===============
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
* Click Yes to confirm.
* Click OK.

Enable Windows Auto Update
* Go to Start > Run and type wuaucpl.cpl
* Tick the checkbox "Automatically download the updates, and install them on the schedule that I specify".
* Click OK.

Create a new System Restore point
* Click Start > Run, type SYSDM.CPL and press Enter
* Select the System Restore tab
* Tick the checkbox "Turn off System Restore on all drives"
* Click Apply
* Then untick the same checkbox and click OK
This will prevent any reinfection from previous restore points.


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install and update SpywareBlaster with the latest definitions. After you have updated, click the button "enable protection for all unprotected items".

Download Spyware Guard to catch and block spyware before it can execute.

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)
  • Now navigate to C:\ie-spyad. Double click to open it.
  • From within the folder, double-click install.bat
  • Select Option #2 - Install the new IE-SPYAD list, by typing 2
  • Then return to the main menu.
  • Select option #4 - Add the old porn sites domain, by typing 4

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Follow this list and your potential for being infected again will reduce dramatically.

Copyright 2001 - 2014, Tech Support Forum