Just curious

[vicedice]

Hey there,

I've just ran a scan, I haven't got any suspicions of malware in particular but I just thought I'd post up my log to see if there was anything wrong at all, just to be safe. Sorry if that sounds stupid, I'm just curious to know if everything is alright.

[vicedice]

I just disabled windows firewall and installed zone alarm which is much better.. so I'm posting an updated log.

Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 12:39:22 AM, on 15/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5296.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = ftp://members.iinet.net.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Windows Messenger Messenger] winmsg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A7E4764-670D-420E-9E95-60B0932DF51E}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A7E4764-670D-420E-9E95-60B0932DF51E}: NameServer = 10.0.0.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7BA5124-B3E6-4C68-80AA-826A3841ACD6}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9BE6243-9C9F-4FA6-926E-3F1ADE90B070}: NameServer = 10.0.0.138,10.0.0.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{2A7E4764-670D-420E-9E95-60B0932DF51E}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{2A7E4764-670D-420E-9E95-60B0932DF51E}: NameServer = 10.0.0.138
O17 - HKLM\System\CS2\Services\Tcpip\..\{2A7E4764-670D-420E-9E95-60B0932DF51E}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{2A7E4764-670D-420E-9E95-60B0932DF51E}: NameServer = 10.0.0.138
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[vicedice]

Bump, if anybody could tell me if the logs clean or if theres anything to remove or do just let me know, it'd be appreciated.

[vicedice]

Sorry if multiple bumps aren't allowed, I know it can sometimes get annoying.. but I just want to make sure somebody sees this and tells me if theres anything I need to do, if theres an issue with bumping once and a while let me know and I'll be sure to stop.

Thanks!

[Ried]

Hello,

Please refer to the forum rules..do not bump prior to 24 hours.

Quote:

3. Please be considerate of the fact that the people helping you are not being paid for this, and in fact usually have a job, and have a limited amount of time to help, and can only do so much. If no one has replied to your thread within 24hrs after you posted it, please reply in your thread with the word BUMP to move it forward.

DO NOT Bump the thread unless 24 hours has passed. We work from oldest to newest posts... so your wait will be longer if you bump it forward before the 24 hours is up.

We have many unanswered logs, and limited staff at the moment. We'll get to you as soon as possible and appreciate your patience.

[vicedice]

I know you're all busy, and I appreciate any help I get. :)

Anyone have time to check out my log now?

Here is an updated version since the other one is a few days old:

Logfile of HijackThis v1.99.1
Scan saved at 5:31:52 PM, on 19/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5296.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A7E4764-670D-420E-9E95-60B0932DF51E}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A7E4764-670D-420E-9E95-60B0932DF51E}: NameServer = 10.0.0.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7BA5124-B3E6-4C68-80AA-826A3841ACD6}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9BE6243-9C9F-4FA6-926E-3F1ADE90B070}: NameServer = 10.0.0.138,10.0.0.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{2A7E4764-670D-420E-9E95-60B0932DF51E}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{2A7E4764-670D-420E-9E95-60B0932DF51E}: NameServer = 10.0.0.138
O17 - HKLM\System\CS2\Services\Tcpip\..\{2A7E4764-670D-420E-9E95-60B0932DF51E}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{2A7E4764-670D-420E-9E95-60B0932DF51E}: NameServer = 10.0.0.138
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[Ried]

Hi vicedice and thank you for your patience.

I'm not seeing anything in this log, but due to the nature of malware these days, it's always a good idea to install these additional tools and run them as a general cleaning:

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

******************************************************

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program

1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
2. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
3. On the main screen select the icon "Update" then select the "Update now" link.
   • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
5. Once in the Settings screen click on " Recommended actions" and then select " Quarantine".
6. Under "Reports"
   • Select "Automatically generate report after every scan"
   • Un-Select "Only if threats were found"

Close AVG Anti-Spyware. Do Not run a scan just yet, we will shortly.


Download and install CleanUp! but do not run it yet. (Not Recommended for XP64).

------------------------------------------------

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

------------------------------------------------

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! or move them to a permanent location.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Cleanup! All Users
• Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it's checked.

Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.

------------------------------------------------

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:

• Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
• Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
• AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
  Once the scan is complete do the following:
• If you have any infections you will prompted, then select "Apply all actions" **Please ensure it is set to Quarantine
• Next select the "Reports" icon at the top.
• Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
• Close AVG Anti-Spyware.

**AVG Anti-Spyware is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

-----------------------------------

Reboot into Normal Mode.

-----------------------------------

Also, please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Perform an online scan using Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

1. Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
2. Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
• Click on see report. Then click Save report

Please include the following in your next reply:

AVG Anti-Spyware results
Panda results
New HijackThis log

[vicedice]

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:13:46 PM 20/10/2006

+ Scan result:



C:\RECYCLER\NPROTECT\00115890.TXT -> TrackingCookie.Serving-sys : No action taken.
C:\RECYCLER\NPROTECT\00115891.TXT -> TrackingCookie.Serving-sys : No action taken.
C:\RECYCLER\NPROTECT\00115892.TXT -> TrackingCookie.Serving-sys : No action taken.
C:\RECYCLER\NPROTECT\00115893.TXT -> TrackingCookie.Serving-sys : No action taken.
C:\RECYCLER\NPROTECT\00115894.TXT -> TrackingCookie.Serving-sys : No action taken.
C:\RECYCLER\NPROTECT\00115900.TXT -> TrackingCookie.Serving-sys : No action taken.
C:\RECYCLER\NPROTECT\00115901.TXT -> TrackingCookie.Serving-sys : No action taken.
C:\RECYCLER\NPROTECT\00115902.TXT -> TrackingCookie.Serving-sys : No action taken.
C:\RECYCLER\NPROTECT\00115903.TXT -> TrackingCookie.Serving-sys : No action taken.
C:\RECYCLER\NPROTECT\00116111.TXT -> TrackingCookie.Serving-sys : No action taken.
C:\RECYCLER\NPROTECT\00116112.TXT -> TrackingCookie.Serving-sys : No action taken.
C:\RECYCLER\NPROTECT\00116113.TXT -> TrackingCookie.Serving-sys : No action taken.
C:\RECYCLER\NPROTECT\00116114.TXT -> TrackingCookie.Serving-sys : No action taken.
C:\RECYCLER\NPROTECT\00116118.TXT -> TrackingCookie.Serving-sys : No action taken.
C:\RECYCLER\NPROTECT\00116119.TXT -> TrackingCookie.Serving-sys : No action taken.
C:\RECYCLER\NPROTECT\00116120.TXT -> TrackingCookie.Serving-sys : No action taken.
C:\RECYCLER\NPROTECT\00116121.TXT -> TrackingCookie.Serving-sys : No action taken.
C:\RECYCLER\NPROTECT\00116929.TXT -> TrackingCookie.Serving-sys : No action taken.
C:\RECYCLER\NPROTECT\00116930.TXT -> TrackingCookie.Serving-sys : No action taken.
C:\RECYCLER\NPROTECT\00116931.TXT -> TrackingCookie.Serving-sys : No action taken.
C:\RECYCLER\NPROTECT\00116932.TXT -> TrackingCookie.Serving-sys : No action taken.
C:\RECYCLER\NPROTECT\00116948.TXT -> TrackingCookie.Serving-sys : No action taken.
C:\RECYCLER\NPROTECT\00116949.TXT -> TrackingCookie.Serving-sys : No action taken.
C:\RECYCLER\NPROTECT\00116950.TXT -> TrackingCookie.Serving-sys : No action taken.
C:\RECYCLER\NPROTECT\00116951.TXT -> TrackingCookie.Serving-sys : No action taken.


::Report end

_______________________________

Panda Results:

Incident: Spyware:Cookie/bravenetA

Status: Not disinfected

Location: C:\RECYCLER\NPROTECT\00116116.TXT

_______________________________

New Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:40:37 PM, on 20/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5296.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SmartPCTools\Registry Repair Wizard\RCHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A7E4764-670D-420E-9E95-60B0932DF51E}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A7E4764-670D-420E-9E95-60B0932DF51E}: NameServer = 10.0.0.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7BA5124-B3E6-4C68-80AA-826A3841ACD6}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9BE6243-9C9F-4FA6-926E-3F1ADE90B070}: NameServer = 10.0.0.138,10.0.0.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{2A7E4764-670D-420E-9E95-60B0932DF51E}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{2A7E4764-670D-420E-9E95-60B0932DF51E}: NameServer = 10.0.0.138
O17 - HKLM\System\CS2\Services\Tcpip\..\{2A7E4764-670D-420E-9E95-60B0932DF51E}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{2A7E4764-670D-420E-9E95-60B0932DF51E}: NameServer = 10.0.0.138
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

_____________________________

Questions:

Well I've done all that, and I was wondering why spybot didn't detect what avg anti spyware detected? Also, is it ok to keep avg or will it interfere with spybot?

Also I think I removed the things avg detected but I saved that log before I deleted them so that's probably why it says no action taken, but as you can see panda detected one more so I still need to somehow get rid of that.

And one last thing.. while looking at my HJT log I noticed one of them says a file is missing, anything I should do about that and is there any entries that need to be removed?

Thanks a lot for the help!

[Ried]

Hi vicedice,

Each anti-malware program has it's strengths, which is why we suggest a multi-layered approach to help keep your system protected. AVG A/S will not interfere with Spybot or any installed AV. Please keep the program-- if you choose not to purchase the product after the 30-day free trial period, you will lose the Active Guard. The program will continue to update it's database and remove any malware found.

For the Panda entry, simply empty your Norton Protected Recycle Bin.

Regarding the missing file in HJT--A weakness in HJT is it's failure to ellucidate legitimate files in the O8, O9 and O23 areas. As long as the name is legitimate, the (no name), (no file), (file missing) should be ignored.

----------------------------------------

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links.


Enable Windows Auto Update
*Go to Start>Run - type wuaucpl.cpl
*Tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:


Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items .

Download Spyware Guard to catch and block spyware before it can execute.

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, and save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)
Now navigate to C:\ie-spyad. Double click to open it.
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list, by typing 2
Then return to the main menu.
Select option #4 - Add the old porn sites domain, by typing 4

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Follow this list and your potential for being infected will reduce dramatically.

[vicedice]

Thanks a lot for all your help, appreciate it!

I've followed all your steps, except for installing spyware blaster and spyguard. Will I need those or are my other programs (avg free, avg antispyware, spybot, zone alarm firewall, adaware se personal) enough?

Oh and how do I empty the protected part of recycle bin? I uninstalled Nortan a year ago now but the protected part must still be there? Can I remove it?

[Ried]

See this site for instructions on how to empty Norton's protected Recycle Bin.

Do you see any Norton products still remaining in your Add/Remove panel?

Using My Computer, navigate to and delete the following folder if present:

C:\program files\Norton (or Symantec)

----------------------------

Yes, at least add Spyware Blaster (and IESpyAd) to your system. I run the same programs as you, in addition to the 3 I listed for you above. Once you install Spyware Blaster, click on the tabs at the top and you will see all the active X, websites and tracking cookies it will silently block.

[vicedice]

I've deleted every single trace of symantec off my pc, and I no longer have the option to empty the NProtect folder anymore. I done some searching in Google because it wouldn't let me remove the folder, and I found a command for command prompt to delete it without it saying I'm not allowed to, but there are three folders inside that (which are empty) that aren't allowed to be deleted even with that command. It just says access denied, even though I'm administrator. The folder takes up no space though, so I'll leave it hidden.

Anyway, I'll download those programs, so thanks again for your help.

[Ried]

See if this helps:

Here is a guide for uninstalling Norton, including uninstallers. Be sure to use the uninstaller for the version of Norton/Symantec that is active on your system. http://basconotw.mvps.org/SymRem.htm

If that doesn't rid your system of those remaining folders, then I agree that it's best to just leave them there.