Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page I've got problems...
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
 
LinkBack Thread Tools
Old 02-14-2006, 04:35 PM   #1 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 9
OS: windows XP Pro


Confused I've got problems...
Hi Folks,

I am fairly new here but I have followed the 5 step plan for removing malware etc but to no avail. These are the problems I am experiencing:

1. Dial-up box appears after bootup
2. IE directs me to different sites (browser hijack)
3. Explorer.exe runs at 100% quite often, have to end process and restart from TM
4. Can't run Adaware, it freezes at the sharedDLL directory(Run in SAFE mode and normal)
5. Can't run Spybot SD freezes at 'Central 24' item (Run in SAFE mode and normal)
6. I ran CWshredder and found 1 entry under CWS.MSConfig which I removed

I have used msconfig to remove my non-microsoft startup items but the dial-up box still appears after reboot.

Find below my HijackThis log, run from C:/programfiles/HJT/

I really hope someone can help... this is very frustrating...arghhh

---

Logfile of HijackThis v1.99.1
Scan saved at 23:32:24, on 14/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120494775531
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6104C19B-3211-42DC-82E7-0A3CBACEAF89}: NameServer = 85.255.115.102,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BCCC46E-63AD-40E7-99B7-41BD4DBABD7E}: NameServer = 85.255.115.102,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DDE7AA4-DEA8-45B3-A177-3FF6771FCC4F}: NameServer = 85.255.115.102 85.255.112.120
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Acardsmgvp - Unknown owner - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

---END

Cheers
Steve
steve43 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 02-15-2006, 11:08 AM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,463
OS: N/A


Download and run Blacklight

After you start the program and accept the license, you should see the first step (Figure 1), which lets you scan for hidden items. Note that you must have local administrative privileges to run the program.

Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says Blacklight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this

When it finishes, click Next. You may get a screen similar to the picture below. Click on Close

BlackLight beta would create a log file "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log

__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 02-16-2006, 11:15 AM   #3 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 9
OS: windows XP Pro


Hi subs,

Thanks for the response. Here is my log from the program:

----------------

02/16/06 18:11:54 [Info]: BlackLight Engine 1.0.30 initialized
02/16/06 18:11:54 [Info]: OS: 5.1 build 2600 (Service Pack 2)
02/16/06 18:11:54 [Note]: 7019 4
02/16/06 18:11:54 [Note]: 7005 0
02/16/06 18:11:58 [Note]: 7006 0
02/16/06 18:11:58 [Note]: 7011 1296
02/16/06 18:11:59 [Note]: FSRAW library version 1.7.1014
02/16/06 18:12:33 [Info]: Hidden file: C:\WINDOWS\system32\wbem\wbemtest.exe
02/16/06 18:12:33 [Note]: 10002 1
02/16/06 18:12:35 [Info]: Hidden file: C:\WINDOWS\system32\csagi.exe
02/16/06 18:12:35 [Note]: 7002 32
02/16/06 18:12:35 [Note]: 7003 1
02/16/06 18:12:35 [Note]: 10002 1
02/16/06 18:12:36 [Info]: Hidden file: C:\WINDOWS\system32\favset.exe
02/16/06 18:12:36 [Note]: 10002 1
02/16/06 18:12:36 [Info]: Hidden file: C:\WINDOWS\system32\filesafer23.exe
02/16/06 18:12:36 [Note]: 10002 1
02/16/06 18:12:36 [Info]: Hidden file: C:\WINDOWS\system32\howiper.exe
02/16/06 18:12:36 [Note]: 10002 1
02/16/06 18:12:38 [Info]: Hidden file: C:\WINDOWS\system32\sphlp32.exe
02/16/06 18:12:38 [Note]: 7002 5
02/16/06 18:12:38 [Note]: 7003 1
02/16/06 18:12:38 [Note]: 10002 1
02/16/06 18:12:39 [Info]: Hidden file: C:\WINDOWS\system32\pppcgm.exe
02/16/06 18:12:39 [Note]: 10002 1
02/16/06 18:12:42 [Info]: Hidden file: C:\WINDOWS\system32\dmtdn.exe
02/16/06 18:12:42 [Note]: 7002 32
02/16/06 18:12:42 [Note]: 7003 1
02/16/06 18:12:42 [Note]: 10002 1
02/16/06 18:13:37 [Note]: 7007 0

----------------

Hope this helps..

Steve
steve43 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 02-16-2006, 11:17 AM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,463
OS: N/A


Do another Blacklight scan.
For hidden entries found, choose for Blacklight to rename all of them except this one:

C:\WINDOWS\SYSTEM32\WBEM\WBEMTEST.EXE

The tool will ask if you want to reboot (restart) choose yes.
After you have rebooted post back with a fresh hijackthis log
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 02-16-2006, 11:58 AM   #5 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 9
OS: windows XP Pro


Here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 18:55:02, on 16/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dmtdn.exe] C:\WINDOWS\system32\dmtdn.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120494775531
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6104C19B-3211-42DC-82E7-0A3CBACEAF89}: NameServer = 85.255.115.102,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BCCC46E-63AD-40E7-99B7-41BD4DBABD7E}: NameServer = 85.255.115.102,85.255.112.120
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Acardsmgvp - Unknown owner - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
steve43 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 02-16-2006, 12:09 PM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,463
OS: N/A


Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

You will need an antivirus program on this machine. Nowadays, surfin the internet without an AV is like begging for a bullet. <- look at this guy

You might wanna try out the freeware Antivirus - AVG Anti-Virus
If you're seeking to purchase, I would recommend either of these:
  1. Kaspersky - Has a comprehensive scanner but a bit of a resource hog. Recomended only for fast computers.

  2. Nod32 - light on resources & has fastest scanner engine. This is the one I have on my main machine
Both of the above have trial versions which you can try before purchase


* * * * * *


Please download & Install - FixWareout.exe

When you reach the final page of the installation process, make sure "Run fixit" is checked.
Follow the on-screen prompts & reboot your computer when instructed to do so.

**Do not be alarmed if your computer takes longer than usual to load.

FixWareOut will produce a logfile, report.txt located within the C:\fixwareout folder


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download & install CleanUp.exe (not recommended for WinXP64)

Download and install Ewido Security Suite
  • When installing, under "Additional Options",
    • uncheck - Install background guard
  • Have Ewido update itself & then exit the program.
If you are having problems with the updater, you can use this link to manually update Ewido


* * * * * * DISABLING SERVICES * * * * * * * * * * * * * * * * *


Click Start -> Run - type SERVICES.MSC & then click on the OK button
  1. Locate the service - Acardsmgvp
  2. Double-click on it to open the Properties dialog.
    - Stop the service by using the Stop button.
    - Change the Startup type to Disabled & then click on the OK button
  3. Then start HiJackThis & go to Config... -> Misc.Tools -> Delete an NT service
  4. In the popup box that appears, copy/paste Acardsmgvp
  5. Click on the OK button & answer No if prompted to reboot


* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

O4 - HKLM\..\Run: [dmtdn.exe] C:\WINDOWS\system32\dmtdn.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6104C19B-3211-42DC-82E7-0A3CBACEAF89}: NameServer = 85.255.115.102,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BCCC46E-63AD-40E7-99B7-41BD4DBABD7E}: NameServer = 85.255.115.102,85.255.112.120


* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


Run Ewido with it's updated definitions:(...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • .Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • FixWareout's log
  • HiJackThis log
  • Online Scan
  • Ewido
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 02-16-2006, 05:09 PM   #7 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 9
OS: windows XP Pro


Ok, here are the 4 results. There wasn't any problems with the procedures. I do notice now that the dial-up dialogue does not appear on bootup.

Fixwareout ver 1.003
Last edited 2/15/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\ndtmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dmtdn.exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\CSAGIE~1.REN
C:\WINDOWS\SYSTEM32\DMTDNE~1.REN
C:\WINDOWS\SYSTEM32\FAVSET~1.REN
C:\WINDOWS\SYSTEM32\FILESA~1.REN
C:\WINDOWS\SYSTEM32\HOWIPE~1.REN
C:\WINDOWS\SYSTEM32\PPPCGM~1.REN
C:\WINDOWS\SYSTEM32\SPHLP3~1.REN

»»»»» Misc files
* thequicklink C:\WINDOWS\System32\NIHUB.DLL

»»»»» Checking for older varients covered by the Rem3 tool

-----------------------------------------------------------------------

Friday, February 17, 2006 12:00:24 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 16/02/2006
Kaspersky Anti-Virus database records: 177086


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects 183043
Number of viruses found 9
Number of infected objects 55
Number of suspicious objects 0
Duration of the scan process 01:22:50

Infected Object Name Virus Name Last Action
C:\Documents and Settings\steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-5a100adb-50e6bea0.zip/Beyond.class Infected: Exploit.Java.ByteVerify skipped

C:\Documents and Settings\steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-5a100adb-50e6bea0.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped

C:\Documents and Settings\steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-5a100adb-50e6bea0.zip ZIP: infected - 2 skipped

C:\Documents and Settings\steve\Desktop\Downloads\Software\bearshare.exe/WISE0024.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\Documents and Settings\steve\Desktop\Downloads\Software\bearshare.exe/WISE0024.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\Documents and Settings\steve\Desktop\Downloads\Software\bearshare.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\Documents and Settings\steve\Desktop\Downloads\Software\bearshare.exe WiseSFX: infected - 3 skipped

C:\Documents and Settings\steve\Desktop\Downloads\Software\bearshare.exe WiseSFX Dropper: infected - 3 skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP393\A0056129.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP393\A0056136.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP393\A0056141.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP394\A0056154.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP395\A0056245.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP396\A0056346.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP396\A0056357.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP396\A0056367.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP396\A0056453.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP396\A0056461.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP396\A0056469.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP396\A0056477.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP397\A0056568.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP397\A0056594.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP397\A0056650.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP397\A0056660.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP397\A0056669.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP398\A0056779.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP398\A0056787.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP398\A0056800.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP398\A0056807.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP398\A0056816.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP398\A0056824.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP398\A0056830.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP399\A0056843.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP399\A0056851.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP399\A0056860.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP399\A0056871.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP399\A0056880.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP399\A0056887.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP399\A0056896.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP399\A0056913.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP399\A0056920.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP400\A0056958.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP400\A0056964.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP400\A0056969.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP400\A0056980.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP400\A0057005.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP400\A0057016.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP400\A0057024.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP401\A0057036.exe Infected: not-a-virus:AdWare.Win32.Msnagent.b skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP401\A0057037.exe Infected: Trojan.Win32.Small.gq skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP401\A0057041.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP401\A0057334.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP401\A0057335.dll Infected: not-a-virus:AdWare.Win32.SBSoft.h skipped

C:\System Volume Information\_restore{3D12568C-9285-41E7-9BDC-02FD59D3B0F1}\RP401\A0057336.dll Infected: Trojan-Downloader.Win32.Small.cjn skipped

C:\winupd.bat Infected: Trojan.BAT.Zapchast skipped

Scan process completed.


-------------------------------------------------------------------------

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 22:23:54, 16/02/2006
+ Report-Checksum: 5355DD4D

+ Scan result:

C:\Documents and Settings\steve\Desktop\Downloads\eicar.com -> Not-A-Virus.Eicar.TestFile : Cleaned without backup
C:\WINDOWS\system32\70tovmto.ini -> Adware.Sahat : Cleaned with backup
C:\WINDOWS\system32\csagi.exe.ren -> Downloader.Agent.uj : Cleaned with backup
C:\WINDOWS\system32\dmtdn.exe.ren -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\filesafer23.exe.ren -> Hijacker.Small : Cleaned with backup
C:\WINDOWS\system32\howiper.exe.ren -> Trojan.Small.gq : Cleaned with backup
C:\WINDOWS\system32\nihub.dll -> Adware.SBSoft : Cleaned with backup
C:\WINDOWS\system32\pppcgm.exe.ren -> Adware.Msnagent : Cleaned with backup
C:\WINDOWS\system32\sphlp32.exe.ren -> Adware.FindSpy : Cleaned with backup
C:\WINDOWS\system32\webctrl.dll -> Downloader.Small.cjn : Cleaned with backup

-------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 18:55:02, on 16/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dmtdn.exe] C:\WINDOWS\system32\dmtdn.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120494775531
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6104C19B-3211-42DC-82E7-0A3CBACEAF89}: NameServer = 85.255.115.102,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BCCC46E-63AD-40E7-99B7-41BD4DBABD7E}: NameServer = 85.255.115.102,85.255.112.120
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Acardsmgvp - Unknown owner - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--------------------------------------


According to the online scan i still have some nasty things hanging around

Hope you can help

Steve
steve43 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 02-16-2006, 05:16 PM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,463
OS: N/A


Your HijackThis log appears erronous. Please re-post another copy
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 02-17-2006, 06:13 AM   #9 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 9
OS: windows XP Pro


Here is the latest HJ log:

Logfile of HijackThis v1.99.1
Scan saved at 13:11:17, on 17/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120494775531
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



Another problem I have been getting is the yellow shield icon appearing on the taskbar saying you have updates ready to install. I think this is suspect as well?

Steve
steve43 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 02-17-2006, 06:23 AM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,463
OS: N/A


It pains me to see your system without an antivirus program. I feel my efforts have been in vain. How do you expect to stay infection-free if you have no protection?

Please delete these files & re-post aother HJT log after a reboot

C:\Documents and Settings\steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-5a100adb-50e6bea0.zip
C:\Documents and Settings\steve\Desktop\Downloads\Software\bearshare.exe
C:\winupd.bat
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 02-17-2006, 01:02 PM   #11 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 9
OS: windows XP Pro


Hi Subs,

Sorry, didn't realise you wanted me to activate a virus scanner. I now have AVG running, here is the latest HJT..

Logfile of HijackThis v1.99.1
Scan saved at 20:00:50, on 17/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120494775531
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Cheers
Steve
steve43 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 02-17-2006, 02:16 PM   #12 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,463
OS: N/A


Steve,

Sorry about that. It gets deflating if users aren't concerned about their own security. I should made myself clear when I posted the earlier message.

Your system is clean. Kindly follow these simple steps in order to keep your computer clean and secure:

  1. CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
    Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  2. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folder
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  3. SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.


  4. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  5. FIREWALL
    Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  6. Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  7. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here


  8. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here


  9. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here


  10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here


  11. MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 02-17-2006, 04:43 PM   #13 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 9
OS: windows XP Pro


Grin
Hi Subs,

What can I say, apart from thanks so much for your help. This is a great resource. I will be telling friends about this forum. Thanks again..

Kind Regards,
Steve
steve43 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 11:04 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85