My Hijackthis log

vowelsgoddess · 03-18-2005, 07:53 AM

I have pop ups showing on my screen and paralyzing my computer all the time for a while now and it seems that I can't get read of them or of the virus/worm that makes them show up anymore. That's why I'm posting in here to ask for help.

First of all I did everything you said I should do before posting a log in here.

I ran ad-aware with VX2 addon cleaner.
I ran the online virus scan from TrendMicro. It found 8 infected files with Trojan and couldn't remove 2 of them.
Then I ran Hijackthis and saved the log.
Then I ran the Hijackthis analyzer program to get the following log:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 15:36:36, on 18/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr-be\msnappau.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\system32\winupdt.exe
C:\WINDOWS\system32\?hkdsk.exe
C:\Documents and Settings\Elise Haultecoeur\Application Data\oeur.exe
C:\WINDOWS\system32\sccntfy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Elise Haultecoeur\Mes documents\Mes logiciels\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/f...en/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.free.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O2 - BHO: (no name) - {F151C164-2888-2C2A-8F9B-03A2DBA26993} - C:\WINDOWS\system32\vajvwzjc.dll
O2 - BHO: BHO Class - {FE6A3E85-0F6C-49AD-8843-68FF44E7EEA9} - C:\WINDOWS\Downloaded Program Files\SecureServicePack.dll
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr-be\msnappau.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Trust\350 CW Mouse Cardreader Wireless\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [TC1U] C:\WINDOWS\gyapctsp.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [rvrqcry] c:\windows\system32\rvrqcry.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteekn32.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKCU\..\Run: [VideoCall] "C:\Program Files\Logitech\VideoCall\VideoCall.exe" -minimized
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Dzuclju] C:\WINDOWS\system32\?hkdsk.exe
O4 - HKCU\..\Run: [Brab] C:\Documents and Settings\Elise Haultecoeur\Application Data\oeur.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\system32\sysmonnt
O4 - HKCU\..\Run: [LBwqRiZmU] sccntfy.exe
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binarie...1023_EN_XP.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Mu...ridge-c135.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/19769bb8...p/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {970BF476-3CF2-4572-9EF9-4479E1591DB8} (VacPro.belgio_ver3) - http://www.advnt01.com/dialer/belgio_ver3.CAB
O16 - DPF: {B467A3AF-E45B-4B1B-9983-C035D988FB0F} (VacPro.belgio_ver10) - http://advnt01.com/dialer/belgio_ver10.CAB
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://game14.zylomgames.com/activex/zylomloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binarie...lv32_EN_XP.cab
O16 - DPF: {FE6A3E85-0F6C-49AD-8843-68FF44E7EEA9} (BHO Class) - http://plugin.secureservicepack.com/...ervicepack.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EF1B21C-26F8-4642-879A-2083DE12D421}: NameServer = 62.235.14.4 62.235.13.199
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

End of KRC HijackThis Analyzer Log.
====================================================================

Thanks in advance for your help cause I don't know much about computers and I can't fix the problem by myself.

greyknight17 · 03-18-2005, 09:35 AM

Welcome to TSF.

For the other 2 infected files that you can't remove, can you tell us where they are located?

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\system32\winupdt.exe
C:\WINDOWS\system32\?hkdsk.exe
C:\Documents and Settings\Elise Haultecoeur\Application Data\oeur.exe
C:\WINDOWS\system32\sccntfy.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Messenger Plus - this program has a sponsor program that may be installed with it. If you chose to install it without the sponsor, then you may keep this program.

Media Pass

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O2 - BHO: (no name) - {F151C164-2888-2C2A-8F9B-03A2DBA26993} - C:\WINDOWS\system32\vajvwzjc.dll
O2 - BHO: BHO Class - {FE6A3E85-0F6C-49AD-8843-68FF44E7EEA9} - C:\WINDOWS\Downloaded Program Files\SecureServicePack.dll
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [TC1U] C:\WINDOWS\gyapctsp.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [rvrqcry] c:\windows\system32\rvrqcry.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteekn32.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Dzuclju] C:\WINDOWS\system32\?hkdsk.exe
O4 - HKCU\..\Run: [Brab] C:\Documents and Settings\Elise Haultecoeur\Application Data\oeur.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\system32\sysmonnt
O4 - HKCU\..\Run: [LBwqRiZmU] sccntfy.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...Bridge-c135.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/19769bb...ip/RdxIE601.cab
O16 - DPF: {970BF476-3CF2-4572-9EF9-4479E1591DB8} (VacPro.belgio_ver3) - http://www.advnt01.com/dialer/belgio_ver3.CAB
O16 - DPF: {B467A3AF-E45B-4B1B-9983-C035D988FB0F} (VacPro.belgio_ver10) - http://advnt01.com/dialer/belgio_ver10.CAB
O16 - DPF: {FE6A3E85-0F6C-49AD-8843-68FF44E7EEA9} (BHO Class) - http://plugin.secureservicepack.com...servicepack.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Program Files\Messenger Plus! 3\ - only if you uninstalled it
C:\WINDOWS\system32\winupdt.exe
C:\Documents and Settings\Elise Haultecoeur\Application Data\oeur.exe
C:\WINDOWS\system32\sccntfy.exe
AUNPS2.DLL
C:\WINDOWS\farmmext.ini
C:\WINDOWS\isrvs\
C:\Program Files\Media Pass\

Also delete ALL those EXE and DLL files (in their corresponding directory) listed above in RED.

Do a search for ?hkdsk.exe and right click on any of the files found. Go to Properties->Version tab and see if it's from Microsoft. Do this for each file found.

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

vowelsgoddess · 03-20-2005, 05:02 AM

Thanks for answering me so quickly. Thanks again for your help.

To answer your first question, when I ran another another Trendmicro scan after doing everything you said in your answer, it found only one infected file called EXPL IFRAMEBOA and it was categorized non cleanable. But I could delete it. Here's the location of that file:
C:\Documents and Settings\Elise Haultecoeur\Local Settings\Temporary Internet Files\Content IE5\X3FJTXKE\205-2[1].html
It seems that the 2 infected files that the scan couldn't access have disappeared.
Beside of that my anti virus Avast keeps finding several viruses and worms. They are called WIN32: Trojan-gen, WIN32: Srch Assist (Adw) and WIN32: Trojano-874[trj]
Their direcories are:
C:\Documents and Settings\Elise Haultecoeur\Local Settings\Temporary Internet Files\Content IE5\ANCVKZEB\optimize[1].exe
C:\Documents and Settings\Elise Haultecoeur\Local Settings\Temporary Internet Files\Content IE5\ANCVKZEB\saap[1].exe
C:\Documents and Settings\Elise Haultecoeur\Local Settings\Temporary Internet Files\Content IE5\X3FJTXKE\nem220[1].dll
C:\Documents and Settings\Elise Haultecoeur\Local Settings\Temporary Internet Files\Content IE5\Y15UBYD4\loader2[1].ocx

Below you will find the result.txt log I got after running KRC HijackThis Analyzer:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 11:25:22, on 20/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr-be\msnappau.exe
C:\WINDOWS\system32\ap9h4qmo.exe
C:\Documents and Settings\Elise Haultecoeur\Mes documents\Mes logiciels\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/f...en/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.free.fr/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr-be\msnappau.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Trust\350 CW Mouse Cardreader Wireless\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\system32\ap9h4qmo.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\system32\fullgames.exe -N
O4 - HKCU\..\Run: [VideoCall] "C:\Program Files\Logitech\VideoCall\VideoCall.exe" -minimized
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binarie...1023_EN_XP.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://game14.zylomgames.com/activex/zylomloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binarie...lv32_EN_XP.cab
O16 - DPF: {FDE6B956-B80A-4578-9A10-4C24609412F1} - http://access.gamesplayground.com/ou.../fullgames.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

End of KRC HijackThis Analyzer Log.
====================================================================

greyknight17 · 03-20-2005, 04:12 PM

No problem. We'll get rid of it now since we know where they are.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Don't run it yet.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\system32\ap9h4qmo.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\system32\ap9h4qmo.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\system32\fullgames.exe -N

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\ap9h4qmo.exe
C:\WINDOWS\system32\fullgames.exe - unless you know what it's for

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

vowelsgoddess · 03-21-2005, 06:58 AM

Here is my last KRC HijackThis Analyzer log:

====================================================================
Logfile of HijackThis v1.99.1
Scan saved at 14:56:19, on 21/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr-be\msnappau.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Documents and Settings\Elise Haultecoeur\Mes documents\Mes logiciels\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/f...en/default.htm
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr-be\msnappau.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binarie...1023_EN_XP.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binarie...lv32_EN_XP.cab
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

End of KRC HijackThis Analyzer Log.
====================================================================

greyknight17 · 03-21-2005, 08:09 PM

Your log is clean. If you disabled System Restore, make sure to enable it now.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided.

Are there any problems now? If not, you should be set to go.

vowelsgoddess · 03-22-2005, 09:11 AM

There doesn't seem to be any problems anymore now.
Thanks again for your help cause I was really clueless.
I'll read your anti-spyware tutorial to prevent the same kind of problems to happen again.

03-18-2005, 07:53 AM	#1 (permalink)
vowelsgoddess Registered User Join Date: Mar 2005 Posts: 4 OS: XP	My Hijackthis log I have pop ups showing on my screen and paralyzing my computer all the time for a while now and it seems that I can't get read of them or of the virus/worm that makes them show up anymore. That's why I'm posting in here to ask for help. First of all I did everything you said I should do before posting a log in here. I ran ad-aware with VX2 addon cleaner. I ran the online virus scan from TrendMicro. It found 8 infected files with Trojan and couldn't remove 2 of them. Then I ran Hijackthis and saved the log. Then I ran the Hijackthis analyzer program to get the following log: ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1" O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 15:36:36, on 18/03/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr-be\msnappau.exe C:\Program Files\Messenger Plus! 3\MsgPlus.exe C:\WINDOWS\system32\winupdt.exe C:\WINDOWS\system32\?hkdsk.exe C:\Documents and Settings\Elise Haultecoeur\Application Data\oeur.exe C:\WINDOWS\system32\sccntfy.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Documents and Settings\Elise Haultecoeur\Mes documents\Mes logiciels\HJT\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/f...en/default.htm R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.free.fr/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file) O2 - BHO: (no name) - {F151C164-2888-2C2A-8F9B-03A2DBA26993} - C:\WINDOWS\system32\vajvwzjc.dll O2 - BHO: BHO Class - {FE6A3E85-0F6C-49AD-8843-68FF44E7EEA9} - C:\WINDOWS\Downloaded Program Files\SecureServicePack.dll O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr-be\msnappau.exe" O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Trust\350 CW Mouse Cardreader Wireless\1.1\MOUSE32A.EXE O4 - HKLM\..\Run: [TC1U] C:\WINDOWS\gyapctsp.exe O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdt.exe O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16 O4 - HKLM\..\Run: [rvrqcry] c:\windows\system32\rvrqcry.exe O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteekn32.exe O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe O4 - HKCU\..\Run: [VideoCall] "C:\Program Files\Logitech\VideoCall\VideoCall.exe" -minimized O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart O4 - HKCU\..\Run: [Dzuclju] C:\WINDOWS\system32\?hkdsk.exe O4 - HKCU\..\Run: [Brab] C:\Documents and Settings\Elise Haultecoeur\Application Data\oeur.exe O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\system32\sysmonnt O4 - HKCU\..\Run: [LBwqRiZmU] sccntfy.exe O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/ O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binarie...1023_EN_XP.cab O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Mu...ridge-c135.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/19769bb8...p/RdxIE601.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {970BF476-3CF2-4572-9EF9-4479E1591DB8} (VacPro.belgio_ver3) - http://www.advnt01.com/dialer/belgio_ver3.CAB O16 - DPF: {B467A3AF-E45B-4B1B-9983-C035D988FB0F} (VacPro.belgio_ver10) - http://advnt01.com/dialer/belgio_ver10.CAB O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://game14.zylomgames.com/activex/zylomloader.cab O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binarie...lv32_EN_XP.cab O16 - DPF: {FE6A3E85-0F6C-49AD-8843-68FF44E7EEA9} (BHO Class) - http://plugin.secureservicepack.com/...ervicepack.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{5EF1B21C-26F8-4642-879A-2083DE12D421}: NameServer = 62.235.14.4 62.235.13.199 O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe End of KRC HijackThis Analyzer Log. ==================================================================== Thanks in advance for your help cause I don't know much about computers and I can't fix the problem by myself.

03-18-2005, 09:35 AM	#2 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,331 OS: Windows 98 & Windows XP Home/Pro My System	Welcome to TSF. For the other 2 infected files that you can't remove, can you tell us where they are located? Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): C:\Program Files\Messenger Plus! 3\MsgPlus.exe C:\WINDOWS\system32\winupdt.exe C:\WINDOWS\system32\?hkdsk.exe C:\Documents and Settings\Elise Haultecoeur\Application Data\oeur.exe C:\WINDOWS\system32\sccntfy.exe Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: Messenger Plus - this program has a sponsor program that may be installed with it. If you chose to install it without the sponsor, then you may keep this program. Media Pass Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file) O2 - BHO: (no name) - {F151C164-2888-2C2A-8F9B-03A2DBA26993} - C:\WINDOWS\system32\vajvwzjc.dll O2 - BHO: BHO Class - {FE6A3E85-0F6C-49AD-8843-68FF44E7EEA9} - C:\WINDOWS\Downloaded Program Files\SecureServicePack.dll O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" O4 - HKLM\..\Run: [TC1U] C:\WINDOWS\gyapctsp.exe O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdt.exe O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16 O4 - HKLM\..\Run: [rvrqcry] c:\windows\system32\rvrqcry.exe O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteekn32.exe O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart O4 - HKCU\..\Run: [Dzuclju] C:\WINDOWS\system32\?hkdsk.exe O4 - HKCU\..\Run: [Brab] C:\Documents and Settings\Elise Haultecoeur\Application Data\oeur.exe O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\system32\sysmonnt O4 - HKCU\..\Run: [LBwqRiZmU] sccntfy.exe O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...Bridge-c135.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/19769bb...ip/RdxIE601.cab O16 - DPF: {970BF476-3CF2-4572-9EF9-4479E1591DB8} (VacPro.belgio_ver3) - http://www.advnt01.com/dialer/belgio_ver3.CAB O16 - DPF: {B467A3AF-E45B-4B1B-9983-C035D988FB0F} (VacPro.belgio_ver10) - http://advnt01.com/dialer/belgio_ver10.CAB O16 - DPF: {FE6A3E85-0F6C-49AD-8843-68FF44E7EEA9} (BHO Class) - http://plugin.secureservicepack.com...servicepack.cab O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\Program Files\Messenger Plus! 3\ - only if you uninstalled it C:\WINDOWS\system32\winupdt.exe C:\Documents and Settings\Elise Haultecoeur\Application Data\oeur.exe C:\WINDOWS\system32\sccntfy.exe AUNPS2.DLL C:\WINDOWS\farmmext.ini C:\WINDOWS\isrvs\ C:\Program Files\Media Pass\ Also delete ALL those EXE and DLL files (in their corresponding directory) listed above in RED. Do a search for ?hkdsk.exe and right click on any of the files found. Go to Properties->Version tab and see if it's from Microsoft. Do this for each file found. Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

03-20-2005, 05:02 AM	#3 (permalink)
vowelsgoddess Registered User Join Date: Mar 2005 Posts: 4 OS: XP	second hijackthis log Thanks for answering me so quickly. Thanks again for your help. To answer your first question, when I ran another another Trendmicro scan after doing everything you said in your answer, it found only one infected file called EXPL IFRAMEBOA and it was categorized non cleanable. But I could delete it. Here's the location of that file: C:\Documents and Settings\Elise Haultecoeur\Local Settings\Temporary Internet Files\Content IE5\X3FJTXKE\205-2[1].html It seems that the 2 infected files that the scan couldn't access have disappeared. Beside of that my anti virus Avast keeps finding several viruses and worms. They are called WIN32: Trojan-gen, WIN32: Srch Assist (Adw) and WIN32: Trojano-874[trj] Their direcories are: C:\Documents and Settings\Elise Haultecoeur\Local Settings\Temporary Internet Files\Content IE5\ANCVKZEB\optimize[1].exe C:\Documents and Settings\Elise Haultecoeur\Local Settings\Temporary Internet Files\Content IE5\ANCVKZEB\saap[1].exe C:\Documents and Settings\Elise Haultecoeur\Local Settings\Temporary Internet Files\Content IE5\X3FJTXKE\nem220[1].dll C:\Documents and Settings\Elise Haultecoeur\Local Settings\Temporary Internet Files\Content IE5\Y15UBYD4\loader2[1].ocx Below you will find the result.txt log I got after running KRC HijackThis Analyzer: ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 11:25:22, on 20/03/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr-be\msnappau.exe C:\WINDOWS\system32\ap9h4qmo.exe C:\Documents and Settings\Elise Haultecoeur\Mes documents\Mes logiciels\HJT\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/f...en/default.htm R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.free.fr/ R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file) O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr-be\msnappau.exe" O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Trust\350 CW Mouse Cardreader Wireless\1.1\MOUSE32A.EXE O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\system32\ap9h4qmo.exe O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\system32\fullgames.exe -N O4 - HKCU\..\Run: [VideoCall] "C:\Program Files\Logitech\VideoCall\VideoCall.exe" -minimized O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/ O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binarie...1023_EN_XP.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://game14.zylomgames.com/activex/zylomloader.cab O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binarie...lv32_EN_XP.cab O16 - DPF: {FDE6B956-B80A-4578-9A10-4C24609412F1} - http://access.gamesplayground.com/ou.../fullgames.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe End of KRC HijackThis Analyzer Log. ====================================================================

03-20-2005, 04:12 PM	#4 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,331 OS: Windows 98 & Windows XP Home/Pro My System	No problem. We'll get rid of it now since we know where they are. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Don't run it yet. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): C:\WINDOWS\system32\ap9h4qmo.exe Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file) O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\system32\ap9h4qmo.exe O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\system32\fullgames.exe -N Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINDOWS\system32\ap9h4qmo.exe C:\WINDOWS\system32\fullgames.exe - unless you know what it's for Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

03-21-2005, 06:58 AM	#5 (permalink)
vowelsgoddess Registered User Join Date: Mar 2005 Posts: 4 OS: XP	3rd HijackThis log Here is my last KRC HijackThis Analyzer log: ==================================================================== Logfile of HijackThis v1.99.1 Scan saved at 14:56:19, on 21/03/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr-be\msnappau.exe C:\Program Files\Messenger Plus! 3\MsgPlus.exe C:\Documents and Settings\Elise Haultecoeur\Mes documents\Mes logiciels\HJT\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/f...en/default.htm O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr-be\msnappau.exe" O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binarie...1023_EN_XP.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binarie...lv32_EN_XP.cab O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe End of KRC HijackThis Analyzer Log. ==================================================================== Last edited by vowelsgoddess; 03-21-2005 at 07:00 AM. Reason: some information missing

03-21-2005, 08:09 PM	#6 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,331 OS: Windows 98 & Windows XP Home/Pro My System	Your log is clean. If you disabled System Restore, make sure to enable it now. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided. Are there any problems now? If not, you should be set to go. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

03-22-2005, 09:11 AM	#7 (permalink)
vowelsgoddess Registered User Join Date: Mar 2005 Posts: 4 OS: XP	clean log There doesn't seem to be any problems anymore now. Thanks again for your help cause I was really clueless. I'll read your anti-spyware tutorial to prevent the same kind of problems to happen again.