Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads (resolved spyware and popup issues)
Old 08-19-2005, 12:56 PM   #1 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 24
OS: win xp home 2002 version Service pack 2


Need Help - Getting too many pop-ups and lock downs. HJT included

Hi there,

My PC is crawling and IE is not responding well, due to many malware attacks I believe. I have run CWShredder, Clean-Up, Spy Sweeper and Ad-Aware SE Pro but still can't get rid of the viruses.

Would you please take a look at my log file? Thank you in advance!!

Running Win XP Home SP2, 17.Ghz and 512 MB of RAM

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 2:53:31 PM, on 8/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\Program files\Agent\PQV2iSvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
D:\PROGRA~1\ETRUST~1\VetTray.exe
C:\WINDOWS\CY_BG.EXE
D:\Program files\Anapod Explorer\anamgr.exe
D:\Program files\bin\iPodService.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Documents and Settings\Federico Vega\Desktop\Hijack this\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Windows Update Setup Files\utilcat.dll
O4 - HKLM\..\Run: [VetTray] d:\PROGRA~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [CY_BG] C:\WINDOWS\CY_BG.EXE
O4 - Startup: Anapod Manager.lnk = D:\Program files\Anapod Explorer\anamgr.exe
O4 - Startup: AntiCrash.lnk = D:\Program files\AntiCrash.exe
O4 - Global Startup: EZ Firewall.lnk = D:\Program files\eTrust EZ Firewall\ca.exe
O12 - Plugin for .cif: C:\PROGRA~1\Internet Explorer\Plugins\npCVista.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1097612563828
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/B...1/axofupld.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.pc.ibm.com/egather/IbmEgath.cab
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} - http://wordreference.com/Install/ItalianToEnglish.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
O20 - Winlogon Notify: utilcat - C:\WINDOWS\Windows Update Setup Files\utilcat.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program files\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - D:\Program files\Agent\PQV2iSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe


End of KRC HijackThis Analyzer Log.
====================================================================


thank you!
fdeaubonne is offline  
Old 08-19-2005, 03:49 PM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 20,794
OS: XP


Start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot...
  1. In the popup box that appears, type in C:\WINDOWS\CY_BG.EXE
  2. Click the Open button.
  3. Click NO when prompted to restart your computer.

Please download VundoFix.zip to your desktop.
  • Double-click VundoFix.zip and extract it to your C:\ directory.
  • Copy the instructions below and paste them into Notepad for reference.
    • All other windows need to be closed while doing this fix!
  • Navigate to the new folder C:\VundoFix
  • Double click on KillVundo.bat
    • When it starts running it will tell you that you need an active internet connection then ask you to press any key once you do.
  • Please press any key to continue.
  • Wait for HiJackThis to automatically open.
  • When HiJackThis opens, click Do a system scan only. Place a check next to the following items, if found:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Windows Update Setup Files\utilcat.dll
    O4 - HKLM\..\Run: [CY_BG] C:\WINDOWS\CY_BG.EXE
    O15 - Trusted Zone: *.coolwebsearch.com
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149 (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/ins...ll/pinstall.cab
    O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
    O20 - Winlogon Notify: utilcat - C:\WINDOWS\Windows Update Setup Files\utilcat.dll

  • Once they all have a check next to them, click the FIX CHECKED button, then close HiJackThis.
You will once again be prompted to press any key. Upon doing so this time you will receive a "Blue Screen Of Death". Don't worry, this is normal! Let the computer reboot. If it doesn't boot straight to windows, manually turn the computer off and then back on.

Once the computer is rebooted post a new HiJackThis log as well as the contents of vundofix.txt which can be found in this folder: C:\VundoFix
sUBs is offline  
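As an added example (not code from the original thread, from HijackThis or from VundoFix), here is a small Python triage script that parses lines in the HijackThis v1.99 format posted above and applies a few defender heuristics matching the kinds of entries sUBs asked to be fixed: a browser setting that has been blanked (R0/R1), a BHO (O2) or Winlogon Notify DLL (O20) loaded from outside Program Files or system32, an autostart executable (O4) dropped straight into the Windows directory, any O15 zone override, and the same DLL registered both as a BHO and as a Winlogon Notify package, which is exactly what utilcat.dll shows in this log. The rules, the function names and the sample subset of the first log are my own choices; HijackThis itself applies no such logic, and the rules are heuristics that a human still has to confirm.

```python
"""Rule-based triage of HijackThis v1.99 log lines.

Added example: this is not code from the original thread, from HijackThis or
from VundoFix. The heuristics are illustrative choices, not HijackThis's logic.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the entries from the first log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Windows Update Setup Files\utilcat.dll
O4 - HKLM\..\Run: [VetTray] d:\PROGRA~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [CY_BG] C:\WINDOWS\CY_BG.EXE
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O20 - Winlogon Notify: utilcat - C:\WINDOWS\Windows Update Setup Files\utilcat.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program files\bin\iPodService.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<rest>.*)$")
# First Windows file path in an entry, with or without surrounding quotes.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|lnk))"?', re.IGNORECASE)
# Path-shape tests; applied to lower-cased paths.
PROGRAM_FILES = re.compile(r"^[a-z]:\\(?:program files|progra~1)\\")
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\")
WINDOWS_ROOT_FILE = re.compile(r"^[a-z]:\\windows\\[^\\]+$")


@dataclass
class HjtEntry:
    code: str            # "R0", "O2", "O20", ...
    rest: str            # text after "<code> - "
    path: Optional[str]  # first file path found in the entry, if any
    raw: str             # the original line


def parse_hjt(text: str) -> List[HjtEntry]:
    """Keep only R/O entries; headers, process lists and blank lines are skipped."""
    entries: List[HjtEntry] = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        pm = PATH_RE.search(m.group("rest"))
        entries.append(HjtEntry(m.group("code"), m.group("rest"),
                                pm.group(1) if pm else None, line))
    return entries


def triage(entries: List[HjtEntry]) -> Dict[str, List[str]]:
    """Map each suspicious raw line to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}

    def flag(entry: HjtEntry, why: str) -> None:
        findings.setdefault(entry.raw, []).append(why)

    # DLLs registered as BHOs, for cross-referencing against O20 entries.
    bho_dlls = {e.path.lower() for e in entries if e.code == "O2" and e.path}
    for e in entries:
        p = e.path.lower() if e.path else None
        if e.code in ("R0", "R1") and e.rest.rstrip().endswith("="):
            flag(e, "browser setting has been blanked (empty value)")
        elif e.code == "O2" and p and not (PROGRAM_FILES.match(p) or SYSTEM32.match(p)):
            flag(e, "BHO DLL loaded from outside Program Files / system32")
        elif e.code == "O4" and p and WINDOWS_ROOT_FILE.match(p):
            flag(e, "autostart executable sitting directly in the Windows directory")
        elif e.code == "O15":
            flag(e, "security-zone override; confirm the user added it deliberately")
        elif e.code == "O20":
            if p and not SYSTEM32.match(p):
                flag(e, "Winlogon Notify DLL outside system32")
            if p and p in bho_dlls:
                flag(e, "same DLL is also registered as a BHO (O2)")
    return findings


def report(text: str) -> str:
    """Human-readable summary: each flagged line followed by its reasons."""
    lines: List[str] = []
    for raw, reasons in triage(parse_hjt(text)).items():
        lines.append(raw)
        lines.extend("    -> " + r for r in reasons)
    return "\n".join(lines) if lines else "nothing flagged"


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample above the script flags seven entries: the blanked HKLM start page, the utilcat.dll BHO, the CY_BG.EXE Run entry, the three O15 lines, and the utilcat.dll Winlogon Notify entry (for two reasons). The O16 lines are deliberately left to a human, since a download URL alone does not say whether an ActiveX control is wanted.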
Old 08-19-2005, 05:30 PM   #3 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 24
OS: win xp home 2002 version Service pack 2


It looks like I am running better already, thanks! Here are my logs; please let me know if everything looks normal.

Logfile of HijackThis v1.99.1
Scan saved at 7:25:09 PM, on 8/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
D:\Program files\Agent\PQV2iSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\ETRUST~1\VetTray.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
D:\Program files\bin\iPodService.exe
D:\Program files\eTrust EZ Firewall\ca.exe
D:\Program files\Anapod Explorer\anamgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Federico Vega\Desktop\Hijack this\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VetTray] d:\PROGRA~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - Startup: Anapod Manager.lnk = D:\Program files\Anapod Explorer\anamgr.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: AntiCrash.lnk = D:\Program files\AntiCrash.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EZ Firewall.lnk = D:\Program files\eTrust EZ Firewall\ca.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .cif: C:\PROGRA~1\Internet Explorer\Plugins\npCVista.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1097612563828
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/B...1/axofupld.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.pc.ibm.com/egather/IbmEgath.cab
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} - http://wordreference.com/Install/ItalianToEnglish.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program files\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - D:\Program files\Agent\PQV2iSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe

====================================================

Here is the Vundofix log:

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 708 'smss.exe'
Threads [712][716][720]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2776 'explorer.exe'
Killing PID 2140 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 864 'winlogon.exe'
Sucessfully Deleted


Any tips to prevent this malware, or tweaks to the spyware programs I have? Thanks again, master!
fdeaubonne is offline  
Old 08-19-2005, 07:28 PM   #4 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 24
OS: win xp home 2002 version Service pack 2


I spoke too fast... although I haven't seen any weird sites popping up, I am not seeing the full content of web pages, as in the Yahoo start page and images. Any advice?
fdeaubonne is offline  
Old 08-19-2005, 10:13 PM   #5 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 20,794
OS: XP


Now that we got the main infection out of the way, let's flush out any hidden malware by using some scanners.

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click [Scan your PC] & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click [Scan Now]
  3. Enter your e-mail address & click [Scan Now]; this begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan
Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

In your next post, please include fresh logs from:
  • HiJackThis log
  • Online Scan
  • AntiSpyware.log
Please update us on how the computer behaves now
sUBs is offline  
Old 08-20-2005, 11:23 AM   #6 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 24
OS: win xp home 2002 version Service pack 2


Wow, you are right, a lot of junk remained there. I can't tell you how the computer behaves yet since I have just completed the scans. I could not get you the Antispyware log from Trend Micro because it did not report any infections on the second pass (it had 25 infections in the first one). In lieu, I am giving you a fresh log from Spy Sweeper run with updated definitions. Hope it will help.


1. Activescan log from Panda


Incident Status Location

Adware:adware/popmonster No disinfected C:\DOCUMENTS AND SETTINGS\FEDERICO VEGA\FAVORITES\SHOPPING\Ebay.url
Adware:adware/funweb No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.8-2.inf
Spyware:spyware/betterinet No disinfected C:\WINDOWS\INF\banner.inf
Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\farmmext.inf
Adware:adware/effectivebrandtoolbarNo disinfected C:\WINDOWS\games.exe
Adware:adware/gator No disinfected C:\WINDOWS\GatorHDPlugin.log
Adware:adware/ncase No disinfected C:\PROGRAM FILES\FlashTalk
Spyware:spyware/dyfuca No disinfected Windows Registry
Dialer:dialer.qi No disinfected HKEY_CLASSES_ROOT\TypeLib\{9A9C9133-E640-4CA7-81C1-123FAC78855F}
Adware:Adware/Adultlt No disinfected C:\WINDOWS\system32\zivixiq.dll
Spyware:Spyware/ClientMan No disinfected C:\WINDOWS\system32\msiaih.dll
Virus:Trj/Imk.A Disinfected C:\WINDOWS\system32\msnimk.gif
Spyware:Spyware/Omi No disinfected C:\WINDOWS\system32\msfdje.gif
Adware:Adware/Ucmore No disinfected C:\WINDOWS\games.exe[IUCMORE.DLL]
Possible Virus. No disinfected C:\WINDOWS\Downloaded Program Files\pinstall.dll
Adware:Adware/FunWeb No disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.8-2.inf
Dialer:Dialer.Gen No disinfected C:\WINDOWS\tlk0262[1].exe
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\Windows Update Setup Files\utilcat.dll
Adware:Adware/EliteBar No disinfected C:\WINDOWS\blocklist.reg
Security Risk:Application/ProcessorNo disinfected C:\Documents and Settings\Federico Vega\Desktop\Hijack this\VundoFix\process.exe
Possible Virus. No disinfected C:\Documents and Settings\Federico Vega\Desktop\Hijack this\VundoFix\backups\backup-20050819-191706-208.dll
Hacktool:Hacktool/MailPassView.BNo disinfected C:\Documents and Settings\Federico Vega\Desktop\mailpv_setup.exe[mailpv.exe]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Federico Vega\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count4.jar-4a5f2737-58be9a5f.zip[BB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Federico Vega\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count4.jar-4a5f2737-58be9a5f.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Federico Vega\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count4.jar-4a5f2737-58be9a5f.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Federico Vega\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count4.jar-4a5f2737-58be9a5f.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Federico Vega\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count4.jar-4a5f2737-58be9a5f.zip[BeyondInterface.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Federico Vega\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv342.jar-19b4c7b5-575e55e9.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Federico Vega\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv342.jar-19b4c7b5-575e55e9.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Federico Vega\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv342.jar-19b4c7b5-575e55e9.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Federico Vega\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv342.jar-19b4c7b5-575e55e9.zip[Parser.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Federico Vega\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-a7cd932-15fed4c0.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Federico Vega\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-a7cd932-15fed4c0.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Federico Vega\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-a7cd932-15fed4c0.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Federico Vega\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-a7cd932-15fed4c0.zip[Installer.class]
Adware:Adware/FunWeb No disinfected C:\Program Files\MSN Messenger\riched20.dll
Possible Virus. No disinfected C:\Program Files\Betty's Beer Bar\bbb.exe
Hacktool:Hacktool/MailPassView.BNo disinfected C:\Program Files\Mail PassView\mailpv.exe
Virus:Trj/Downloader.CCX Disinfected C:\1.exe
===============================================

2. Spy Sweeper session log, run 10 minutes ago (cleaned infections)

********
12:51 PM: |··· Start of Session, Saturday, August 20, 2005 ···|
12:51 PM: Spy Sweeper started
12:51 PM: Sweep initiated using definitions version 519
12:51 PM: Starting Memory Sweep
12:54 PM: Memory Sweep Complete, Elapsed Time: 00:03:34
12:54 PM: Starting Registry Sweep
12:54 PM: Found Adware: internetoptimizer
12:54 PM: HKU\S-1-5-21-2690133624-1161744426-439199626-1005\software\microsoft\windows\currentversion\policies\ameopt\ (ID = 654042)
12:55 PM: Registry Sweep Complete, Elapsed Time:00:00:18
12:55 PM: Starting Cookie Sweep
12:55 PM: Found Spy Cookie: adlegend cookie
12:55 PM: federico vega@adlegend[1].txt (ID = 2074)
12:55 PM: Found Spy Cookie: adprofile cookie
12:55 PM: federico vega@adprofile[1].txt (ID = 2084)
12:55 PM: Found Spy Cookie: com.com cookie
12:55 PM: federico vega@ffxcam.fairfax.com[1].txt (ID = 2446)
12:55 PM: federico vega@ffxcam.smh.com[1].txt (ID = 2446)
12:55 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:55 PM: Starting File Sweep
12:55 PM: Found Adware: gain-supported software
12:55 PM: gatorhdplugin.log (ID = 119819)
12:55 PM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
12:55 PM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
12:55 PM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
12:55 PM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
12:55 PM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
12:55 PM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
12:55 PM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
12:55 PM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
12:55 PM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
12:55 PM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
12:56 PM: Warning: Failed to open file "c:\windows\temp\perflib_perfdata_6ac.dat". The process cannot access the file because it is being used by another process
12:57 PM: Found Adware: effective-i toolbar
12:57 PM: games.exe (ID = 112529)
12:58 PM: Warning: Failed to open file "c:\windows\softwaredistribution\eventcache\{f19a8472-2db0-4c17-ae6a-ce7e907d02f6}.bin". The process cannot access the file because it is being used by another process
12:58 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
12:58 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
12:58 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
12:58 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
12:58 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
12:58 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
12:58 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
12:58 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
12:58 PM: Warning: Failed to open file "c:\documents and settings\federico vega\ntuser.dat.log". The process cannot access the file because it is being used by another process
12:58 PM: Warning: Failed to open file "c:\documents and settings\federico vega\ntuser.dat". The process cannot access the file because it is being used by another process
12:58 PM: Warning: Failed to open file "c:\documents and settings\federico vega\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
12:58 PM: Warning: Failed to open file "c:\documents and settings\federico vega\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
1:04 PM: Warning: Failed to access drive F:
1:04 PM: Warning: Failed to access drive F:
1:04 PM: Warning: Failed to access drive H:
1:04 PM: Warning: Failed to access drive H:
1:04 PM: File Sweep Complete, Elapsed Time: 00:09:13
1:04 PM: Full Sweep has completed. Elapsed time 00:13:08
1:04 PM: Traces Found: 7
1:09 PM: Removal process initiated
1:09 PM: Quarantining All Traces: internetoptimizer
1:09 PM: Quarantining All Traces: adlegend cookie
1:09 PM: Quarantining All Traces: adprofile cookie
1:09 PM: Quarantining All Traces: com.com cookie
1:09 PM: Quarantining All Traces: gain-supported software
1:09 PM: Quarantining All Traces: effective-i toolbar
1:09 PM: Removal process completed. Elapsed time 00:00:10
********
1:46 PM: |··· Start of Session, Friday, August 19, 2005 ···|
1:46 PM: Spy Sweeper started
1:46 PM: Sweep initiated using definitions version 492
1:46 PM: Starting Memory Sweep
1:49 PM: Memory Sweep Complete, Elapsed Time: 00:03:48
1:49 PM: Starting Registry Sweep
1:49 PM: Found Adware: cws bestsearch.cc hijacker
1:49 PM: HKU\S-1-5-21-2690133624-1161744426-439199626-1005\software\microsoft\windows\currentversion\internet settings\zonemap\domains\dapsol.com\ (1 subtraces) (ID = 662702)
1:50 PM: Registry Sweep Complete, Elapsed Time:00:00:17
1:50 PM: Starting Cookie Sweep
1:50 PM: Found Cookie: moviemonster cookie
1:50 PM: federico vega@moviemonster[2].txt (ID = 26684)
1:50 PM: Found Cookie: ic-live cookie
1:50 PM: federico vega@ic-live[1].txt (ID = 26505)
1:50 PM: Found Cookie: 64.62.232 cookie
1:50 PM: federico vega@64.62.232[1].txt (ID = 25676)
1:50 PM: Found Cookie: tripod cookie
1:50 PM: federico vega@tripod[1].txt (ID = 27263)
1:50 PM: Found Cookie: about cookie
1:50 PM: federico vega@about[2].txt (ID = 25726)
1:50 PM: Found Cookie: go.com cookie
1:50 PM: federico vega@abcnews.go[1].txt (ID = 26413)
1:50 PM: federico vega@rsi.abcnews.go[1].txt (ID = 26413)
1:50 PM: federico vega@sports.espn.go[2].txt (ID = 26413)
1:50 PM: federico vega@go[2].txt (ID = 26412)
1:50 PM: federico vega@boardgames.about[2].txt (ID = 25727)
1:50 PM: federico vega@64.62.232[3].txt (ID = 25676)
1:50 PM: federico vega@64.62.232[2].txt (ID = 25676)
1:50 PM: federico vega@rsi.espn.go[1].txt (ID = 26413)
1:50 PM: federico vega@soccernet.espn.go[2].txt (ID = 26413)
1:50 PM: federico vega@espn.go[2].txt (ID = 26413)
1:50 PM: Found Cookie: belnk cookie
1:50 PM: federico vega@dist.belnk[1].txt (ID = 25976)
1:50 PM: federico vega@belnk[2].txt (ID = 25975)
1:50 PM: federico vega@ath.belnk[1].txt (ID = 25976)
1:50 PM: Found Cookie: yieldmanager cookie
1:50 PM: federico vega@ad.yieldmanager[1].txt (ID = 27415)
1:50 PM: Found Cookie: did-it cookie
1:50 PM: federico vega@did-it[2].txt (ID = 26204)
1:50 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
1:50 PM: Starting File Sweep
1:50 PM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
1:50 PM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
1:50 PM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
1:50 PM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
1:50 PM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
1:50 PM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
1:50 PM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
1:50 PM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
1:50 PM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
1:50 PM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
1:51 PM: Warning: Failed to open file "c:\windows\temp\perflib_perfdata_6b4.dat". The process cannot access the file because it is being used by another process
1:53 PM: Warning: Failed to open file "c:\windows\softwaredistribution\eventcache\{2f1d6611-1bc7-4c5d-88a1-a141bf4224e3}.bin". The process cannot access the file because it is being used by another process
1:54 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
1:54 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
1:54 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
1:54 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
1:54 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
1:54 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
1:54 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
1:54 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
1:54 PM: Warning: Failed to open file "c:\documents and settings\federico vega\ntuser.dat.log". The process cannot access the file because it is being used by another process
1:54 PM: Warning: Failed to open file "c:\documents and settings\federico vega\ntuser.dat". The process cannot access the file because it is being used by another process
1:54 PM: Warning: Failed to open file "c:\documents and settings\federico vega\local settings\temp\zlt0164c.tmp". The process cannot access the file because it is being used by another process
1:54 PM: Warning: Failed to open file "c:\documents and settings\federico vega\local settings\temp\jet42b6.tmp". The process cannot access the file because it is being used by another process
1:54 PM: Warning: Failed to open file "c:\documents and settings\federico vega\local settings\temp\acre.tmp". The process cannot access the file because it is being used by another process
1:54 PM: Warning: Failed to open file "c:\documents and settings\federico vega\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
1:54 PM: Warning: Failed to open file "c:\documents and settings\federico vega\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
2:07 PM: Warning: Failed to access drive F:
2:07 PM: Warning: Failed to access drive F:
2:07 PM: File Sweep Complete, Elapsed Time: 00:16:45
2:07 PM: Full Sweep has completed. Elapsed time 00:20:53
2:07 PM: Traces Found: 22
2:08 PM: Removal process initiated
2:08 PM: Quarantining All Traces: cws bestsearch.cc hijacker
2:08 PM: Quarantining All Traces: moviemonster cookie
2:08 PM: Quarantining All Traces: ic-live cookie
2:09 PM: Quarantining All Traces: 64.62.232 cookie
2:09 PM: Quarantining All Traces: tripod cookie
2:09 PM: Quarantining All Traces: about cookie
2:09 PM: Quarantining All Traces: go.com cookie
2:09 PM: Quarantining All Traces: belnk cookie
2:09 PM: Quarantining All Traces: yieldmanager cookie
2:09 PM: Quarantining All Traces: did-it cookie
2:09 PM: Removal process completed. Elapsed time 00:00:21
2:18 PM: Processing Startup Alerts
2:18 PM: Removed Startup entry: WinampAgent
2:18 PM: Processing Startup Alerts
2:18 PM: Removed Startup entry: CleanUp!
12:50 PM: Updating spyware definitions
12:50 PM: Your spyware definitions have been updated.
12:51 PM: |··· End of Session, Saturday, August 20, 2005 ···|
********
1:43 PM: |··· Start of Session, Friday, August 19, 2005 ···|
1:43 PM: Spy Sweeper started
1:44 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
1:44 PM: Updating spyware definitions
1:44 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
1:45 PM: Updating spyware definitions
1:45 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
1:45 PM: Updating spyware definitions
1:45 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
1:45 PM: Updating spyware definitions
1:45 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
1:45 PM: Updating spyware definitions
1:45 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
1:46 PM: |··· End of Session, Friday, August 19, 2005 ···|

===============================================

3. HijackThis log, new 5 minutes ago

Logfile of HijackThis v1.99.1
Scan saved at 1:21:43 PM, on 8/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
D:\Program files\Agent\PQV2iSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\ETRUST~1\VetTray.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
D:\Program files\bin\iPodService.exe
D:\Program files\Anapod Explorer\anamgr.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Federico Vega\Desktop\Hijack this\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VetTray] d:\PROGRA~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - Startup: Anapod Manager.lnk = D:\Program files\Anapod Explorer\anamgr.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: AntiCrash.lnk = D:\Program files\AntiCrash.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EZ Firewall.lnk = D:\Program files\eTrust EZ Firewall\ca.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .cif: C:\PROGRA~1\Internet Explorer\Plugins\npCVista.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1097612563828
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/B...1/axofupld.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.pc.ibm.com/egather/IbmEgath.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} - http://wordreference.com/Install/ItalianToEnglish.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program files\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - D:\Program files\Agent\PQV2iSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe
fdeaubonne is offline  
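A way to work through a log like the one just posted, and to check a follow-up log against it, as an added example in Python. This is not HijackThis code and was not posted by anyone in the thread. SAMPLE_BEFORE is a short excerpt of the log above plus one O4 line marked CONSTRUCTED that is not from the thread; SAMPLE_AFTER mirrors the second log further down, whose entry lines are cut off in the thread and are therefore assumed unchanged here. The triage rules (empty R0/R1 value, startup target under a profile or temp directory, every downloaded ActiveX control listed with its host) are this example's own heuristics, not HijackThis's.

```python
"""Parse HijackThis 1.99.x logs, triage a few entry classes, and diff two
logs (for example before and after a cleanup).

Added example for this thread, not HijackThis code. The samples are
excerpts of the thread's logs; the O4 line marked CONSTRUCTED is made up.
"""
import re

# e.g. "O4 - HKLM\..\Run: [VetTray] d:\PROGRA~1\ETRUST~1\VetTray.exe"
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.+)$")
# A startup target inside a user profile or temp directory deserves a look.
SUSPECT_DIR_RE = re.compile(
    r"\\documents and settings\\|\\local settings\\temp\\|\\windows\\temp\\", re.I)

SAMPLE_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:21:43 PM, on 8/20/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [VetTray] d:\PROGRA~1\ETRUST~1\VetTray.exe
O4 - HKCU\..\Run: [CONSTRUCTED] C:\Documents and Settings\user\Local Settings\Temp\acre.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
"""

SAMPLE_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:04:55 PM, on 8/20/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\SpywareGuard\sgmain.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
O4 - HKLM\..\Run: [VetTray] d:\PROGRA~1\ETRUST~1\VetTray.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
"""


def parse_hjt(text):
    """Return {'processes': [lower-cased paths], 'entries': [(section, body)]}."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                      # process list ends at the first blank line
            if not line:
                in_procs = False
            else:
                processes.append(line.lower())   # Explorer.EXE == explorer.exe
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return {"processes": processes, "entries": entries}


def triage(parsed):
    """Return (section, body, reason) for entries a reviewer should look at."""
    findings = []
    for sec, body in parsed["entries"]:
        if sec in ("R0", "R1") and body.rstrip().endswith("="):
            findings.append((sec, body, "empty IE setting; HJT can reset it"))
        elif sec == "O4":
            # the target follows "[name] " or " = "
            target = re.split(r"\]\s+|\s=\s", body, maxsplit=1)[-1]
            if SUSPECT_DIR_RE.search(target):
                findings.append((sec, body, "startup item runs from a profile/temp path"))
        elif sec == "O16":
            m = re.search(r"https?://([^/]+)/", body)
            host = m.group(1) if m else "?"
            findings.append((sec, body, f"downloaded ActiveX control from {host}"))
    return findings


def diff_logs(before, after):
    """Processes and entries that disappeared or appeared between two logs."""
    b_proc, a_proc = set(before["processes"]), set(after["processes"])
    b_ent, a_ent = set(before["entries"]), set(after["entries"])
    return {"processes_gone": sorted(b_proc - a_proc),
            "processes_new": sorted(a_proc - b_proc),
            "entries_gone": sorted(b_ent - a_ent),
            "entries_new": sorted(a_ent - b_ent)}


def review(before_text, after_text):
    """Triage the earlier log and report what changed in the later one."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    return triage(before), diff_logs(before, after)


if __name__ == "__main__":
    findings, delta = review(SAMPLE_BEFORE, SAMPLE_AFTER)
    for sec, body, why in findings:
        print(f"{sec}: {why}\n    {body}")
    for key, items in delta.items():
        print(key, *items, sep="\n    ")
```

Run it on the two full logs from the thread (paste each into a file and read them into `review`) to see which O4/O16/O23 lines vanished after the fix; a process that is still running after the fix but no longer has a startup entry is the kind of thing the diff makes visible.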
Old 08-20-2005, 11:49 AM   #7 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 20,794
OS: XP


Please download KillBox v2.0.0.175.zip



Have HijackThis fix this entry:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =



Launch KillBox.exe & select the following options:
  • Delete on Reboot
  • End Explorer shell while killing file
  • Unregister dll before deleting (if it's not grayed out)
Select all the filenames below & then click on Notepad's 'Edit' menu & select Copy
    C:\DOCUMENTS AND SETTINGS\FEDERICO VEGA\FAVORITES\SHOPPING\Ebay.url
    C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.8-2.inf
    C:\WINDOWS\INF\banner.inf
    C:\WINDOWS\INF\farmmext.inf
    C:\WINDOWS\games.exe
    C:\WINDOWS\GatorHDPlugin.log
    C:\PROGRAM FILES\FlashTalk
    C:\WINDOWS\system32\zivixiq.dll
    C:\WINDOWS\system32\msiaih.dll
    C:\WINDOWS\system32\msfdje.gif
    C:\WINDOWS\games.exe
    C:\WINDOWS\Downloaded Program Files\pinstall.dll
    C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.8-2.inf
    C:\WINDOWS\tlk0262[1].exe
    C:\WINDOWS\Windows Update Setup Files\utilcat.dll
    C:\WINDOWS\blocklist.reg
    C:\Documents and Settings\Federico Vega\Desktop\Hijack this\VundoFix\backups\backup-20050819-191706-208.dll
    C:\Documents and Settings\Federico Vega\Desktop\mailpv_setup.exe
    C:\Program Files\MSN Messenger\riched20.dll
    C:\Program Files\Mail PassView\mailpv.exe
  • Go to the File menu, and choose Paste from Clipboard
  • Click the RED X button.
  • Click Yes at the Delete on Reboot prompt.
  • Click Yes at the 'Pending Operations' prompt.

Quote:
If you received a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to restart Windows manually.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.

Upon reboot, run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.


Post a fresh HJT log after this.
sUBs is offline  
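The "Delete on Reboot" option in the post above, and the warning about PendingFileRenameOperations data being "removed by external process", both concern one Windows mechanism: a REG_MULTI_SZ value that Session Manager works through at the next boot, before the files are opened again, which is also what MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) writes. The sweep logs earlier in this thread show why it is needed: files "being used by another process" cannot be removed while Windows is up. The following is an added example in Python, not KillBox's code and not from the thread; it assumes the value lives under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, holds source/destination string pairs in NT "\??\" path form, that an empty destination means delete, and that a destination prefixed with "!" means replace an existing file. The only function that touches the registry is `queue_delete_on_reboot`, which needs an elevated Windows session; everything else is pure data handling.

```python
"""Encode and decode Windows' PendingFileRenameOperations value, the
boot-time rename/delete queue behind 'delete on reboot'.

Added example for this thread, not KillBox's code. Assumed layout:
REG_MULTI_SZ list of [source, destination, source, destination, ...]
in NT "\\??\\" form; "" destination = delete, "!" prefix = replace.
"""
import sys

SESSION_MANAGER_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"


def to_nt_path(path):
    r"""'C:\WINDOWS\games.exe' -> '\??\C:\WINDOWS\games.exe'."""
    return path if path.startswith("\\??\\") else "\\??\\" + path


def decode_pending_ops(values):
    """Turn the flat string list into (source, destination) pairs.

    A trailing unpaired string is ignored rather than guessed at.
    """
    return [(values[i], values[i + 1]) for i in range(0, len(values) - 1, 2)]


def build_pending_ops(delete_paths, existing=()):
    """Append delete operations to an existing list without clobbering it.

    Other installers may already have queued renames here; dropping them
    is how the 'removed by external process' situation arises in reverse.
    Duplicates are skipped case-insensitively (NTFS path semantics).
    """
    ops = list(existing)
    queued = {src.lower() for src, _ in decode_pending_ops(ops)}
    for p in delete_paths:
        nt = to_nt_path(p)
        if nt.lower() not in queued:
            ops += [nt, ""]          # empty destination = delete at boot
            queued.add(nt.lower())
    return ops


def describe(values):
    """Human-readable view of what Session Manager will do at the next boot."""
    out = []
    for src, dst in decode_pending_ops(values):
        if dst == "":
            out.append(f"delete  {src}")
        else:
            note = " (replace existing)" if dst.startswith("!") else ""
            out.append(f"rename  {src} -> {dst.lstrip('!')}{note}")
    return out


def queue_delete_on_reboot(paths):
    """Merge delete operations into the live value. Windows only, needs admin.

    Re-read the value immediately before writing: security tools and
    updates may clear it between your read and your write.
    """
    if sys.platform != "win32":
        raise RuntimeError("PendingFileRenameOperations exists only on Windows")
    import winreg  # assumption: the caller is running elevated
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER_KEY, 0,
                        winreg.KEY_READ | winreg.KEY_SET_VALUE) as key:
        try:
            existing, _ = winreg.QueryValueEx(key, VALUE_NAME)
        except FileNotFoundError:
            existing = []
        new_value = build_pending_ops(paths, existing)
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_MULTI_SZ, new_value)
    return new_value


if __name__ == "__main__":
    # Two paths taken from the KillBox list in the post above.
    for line in describe(build_pending_ops([r"C:\WINDOWS\games.exe",
                                            r"C:\WINDOWS\system32\zivixiq.dll"])):
        print(line)
```

Reading the value back with `describe` after KillBox has run (`reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations`) is a quick way to confirm the deletions were actually queued before rebooting; if the value is missing, that is the case the quoted warning describes, and the reboot will not remove anything.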
Old 08-20-2005, 01:08 PM   #8 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 24
OS: win xp home 2002 version Service pack 2


Here you go:


Logfile of HijackThis v1.99.1
Scan saved at 3:04:55 PM, on 8/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
D:\Program files\Agent\PQV2iSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\ETRUST~1\VetTray.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
D:\Program files\eTrust EZ Firewall\ca.exe
D:\Program files\Anapod Explorer\anamgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
D:\Program files\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\