#1  src2206 (TSF Enthusiast; Kolkata, India; OS: WinXP Pro SP2, Edubuntu 7.10)  04-15-2006, 02:58 PM
HJT Log (very urgent)

Hi Friends. In my country, today is the first day of the new year, so on this occasion I would like to wish you all a HAPPY NEW YEAR.

I was caught unawares as my FDM downloaded a file, cmb_12314.exe. I used KillBox to delete the file and, after rebooting, ran HJT. I am posting the logfile. Please help me with that. As advised in your forum, I could not find HJT Analyser at the link provided. I downloaded another S/W from the same site named HJT_CS. I have not installed the s/w yet. Could you please throw some light on this too? Please find the HJT log as follows:

Logfile of HijackThis v1.99.1
Scan saved at 1:53:55 AM, on 4/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
D:\Applications\Windows Defender\MsMpEng.exe
E:\WINDOWS\System32\svchost.exe
E:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
D:\Applications\Stardock\ObjectDock\ObjectDock.exe
D:\Applications\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
E:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\WINDOWS\system32\AvidSDMService.exe
E:\WINDOWS\system32\cisvc.exe
E:\WINDOWS\system32\crypserv.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
D:\Applications\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Applications\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Applications\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Applications\uTorrent\utorrent.exe
E:\WINDOWS\system32\taskmgr.exe
D:\My Documents\My Downloads\1. To BE WRRITTEN\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE provided by Proma Roy Choudhury
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - D:\Applications\IDA\idaiehlp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: &Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - E:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - E:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O3 - Toolbar: IDA Bar - {C70E30C7-140A-4166-A2E8-43557E62B41A} - D:\Applications\IDA\idabar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunOnce: [srePostpone] rundll32.exe e:\windows\system32\zonelabs\srescan.dll,DoSpecialAction
O4 - Startup: Stardock ObjectDock.lnk = D:\Applications\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widget Engine.lnk = D:\Applications\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &WordWeb... - res://E:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all by Free Download Manager - file://D:\Applications\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download ALL with IDA - D:\Applications\IDA\idaieall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://D:\Applications\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://D:\Applications\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://D:\Applications\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with IDA - D:\Applications\IDA\idaie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\system32\msjava.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - (no file)
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - D:\Applications\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - D:\Applications\IDA\ida.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .exe: E:\Program Files\Opera\PLUGINS\npida.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1136656311752
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D883000-7603-4B40-8054-F96D7E8EB033}: NameServer = 202.54.9.1,202.9.145.6,203.197.12.30,202.54.1.30,202.54.6.50
O20 - Winlogon Notify: MCPClient - E:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WBSrv - D:\APPLIC~1\Stardock\OBJECT~2\WINDOW~1\wbsrv.dll
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - E:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - E:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - E:\WINDOWS\system32\AvidStartup.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - E:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe

Hope to hear from you soon. By the way, throughout I had my ZA firewall running along with AVG Control Centre.

Thank You
#2  Vikesrock8411 (Analyst, Security Team; OS: Windows XP)  04-15-2006, 05:09 PM

Hello and welcome to TSF

Thank you for bringing up that point about HJT Analyzer; that software is no longer supported and I will make sure that those instructions are fixed. You do not need to install HJT_CS; that program is intended for analyst use. Your log is just fine the way it is.

I recommend you Subscribe to this thread so you are notified of any replies via email. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

There isn't much showing in your log, so we'll try a general cleaning and see what turns up.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

I see you have disabled some startup entries using MSConfig. This makes it difficult for us to see all the infections present on your system because they are hidden from HijackThis. Please open MSConfig and set it to normal startup before posting a new log.

Downloads (make sure to save these in a permanent location)
Cleanup! (Alternate Link) - Install it. You will use this later.
*NOTE* Cleanup! deletes EVERYTHING out of temporary folders and does not make backups.

Tools
Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!

Check the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Uncheck the following :
  • Scan local drives for temporary files

Click OK, then press the CleanUp! button to start the program. If prompted to reboot, click No.

Online Scans
Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan, but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan


In your next post please include:
  • Panda Activescan Log
  • A new Hijackthis! Log
#3  src2206 (TSF Enthusiast)  04-16-2006, 01:40 AM

Hi Vikesrock8411,
Thank you very much for your prompt reply. As you instructed, I have taken the measures detailed below.

Step 1: Installed CLEANUP 4.51 and ran it. It freed up around 20.54 MB of disk space. (Though during installation I had some trouble. The application hung whenever I wanted to change the default installation directory, and after hanging I could not even terminate the process using Task Manager or HJT. After installing to the default path, by mistake I clicked the Help button and again it hung. In all these cases I had to reboot. At last I was able to clean as you directed.)

Step 2: Did an online virus scan using Panda. Saved the log, which you shall find enclosed. During the first scan the application froze even though I had turned off AVG Control Centre. After rebooting I turned off all background services of AVG as well as my Zone Alarm firewall. The scan this time completed successfully.


Step3: Ran MSCONFIG and chose normal startup. Rebooted and ran HJT. Saved the log and I am enclosing that too.

PANDA SCAN LOG:

Incident | Status | Location

Adware:adware/secure32 Not disinfected E:\WINDOWS\country.exe
Adware:adware/cws.searchmeup Not disinfected E:\WINDOWS\toolbar.exe
Adware:adware/powerstrip Not disinfected Windows Registry
Possible Virus. Not disinfected D:\My Documents\My Completed Downloads\OS-Adobe_Acrobat 7.0 Pro_Tryout_to_Full_Activation.exe[run.exe]
Spyware:Cookie/Belnk Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{2C20C2E6-EFE2-4234-A7EA-BC8834903B3C}\{37159949-5FCF-4BA4-A7B7-F720EA34501A}.txt[{37159949-5FCF-4BA4-A7B7-F720EA34501A}.txt]
Spyware:Cookie/Belnk Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{2C20C2E6-EFE2-4234-A7EA-BC8834903B3C}\{F4E0F731-07BC-4AFF-9A5F-4F235200E92C}.txt[{F4E0F731-07BC-4AFF-9A5F-4F235200E92C}.txt]
Spyware:Cookie/Paypopup Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{56813E67-9032-4598-AC7B-2EE7FCD27806}\{560DCF33-C67E-4899-A3D8-B65F6A972FF1}.txt[{560DCF33-C67E-4899-A3D8-B65F6A972FF1}.txt]
Spyware:Cookie/888 Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{56813E67-9032-4598-AC7B-2EE7FCD27806}\{5C527138-0ADE-45EC-8411-150F87E7FA25}.txt[{5C527138-0ADE-45EC-8411-150F87E7FA25}.txt]
Spyware:Cookie/Belnk Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{56813E67-9032-4598-AC7B-2EE7FCD27806}\{CF53017D-E377-4B2F-B897-7CC922467E35}.txt[{CF53017D-E377-4B2F-B897-7CC922467E35}.txt]
Spyware:Cookie/Belnk Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{56813E67-9032-4598-AC7B-2EE7FCD27806}\{DF341150-DA84-41E3-8456-854D5A0943BF}.txt[{DF341150-DA84-41E3-8456-854D5A0943BF}.txt]
Spyware:Cookie/YieldManager Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Sched\{F541538C-E618-49E4-B441-464130524BAF}\{0ED94141-4F4D-4D3A-9D9F-D50FD172E731}.txt[{0ED94141-4F4D-4D3A-9D9F-D50FD172E731}.txt]
Spyware:Cookie/Belnk Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Sched\{F541538C-E618-49E4-B441-464130524BAF}\{36DC5134-6453-45B6-A634-CBA912679548}.txt[{36DC5134-6453-45B6-A634-CBA912679548}.txt]
Spyware:Cookie/Belnk Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Sched\{F541538C-E618-49E4-B441-464130524BAF}\{A8AFCF8F-CF9D-432B-9CB8-67C1F2BA0AC6}.txt[{A8AFCF8F-CF9D-432B-9CB8-67C1F2BA0AC6}.txt]

HJT LOG:

Logfile of HijackThis v1.99.1
Scan saved at 1:38:55 PM, on 4/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
D:\Applications\Windows Defender\MsMpEng.exe
E:\WINDOWS\System32\svchost.exe
E:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
E:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe
E:\Documents and Settings\Administrator\Local Settings\Application Data\Google\SearchWithGoogle\SearchWithGoogle.exe
E:\Program Files\Messenger\msmsgs.exe
D:\Applications\IDA\ida.exe
E:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\WINDOWS\system32\AvidSDMService.exe
E:\WINDOWS\system32\cisvc.exe
E:\WINDOWS\system32\crypserv.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
E:\PROGRA~1\Grisoft\AVG7\avgw.exe
E:\WINDOWS\system32\svchost.exe
D:\Applications\Stardock\ObjectDock\ObjectDock.exe
D:\Applications\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Applications\Yahoo!\Messenger\ymsgr_tray.exe
E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
D:\Applications\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Applications\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Applications\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
E:\WINDOWS\system32\wuauclt.exe
D:\Applications\uTorrent\utorrent.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\Grisoft\AVG7\avgcc.exe
D:\Applications\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/...://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/...://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/...://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE provided by Proma Roy Choudhury
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - D:\Applications\IDA\idaiehlp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: &Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - E:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - E:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O3 - Toolbar: IDA Bar - {C70E30C7-140A-4166-A2E8-43557E62B41A} - D:\Applications\IDA\idabar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [YCentral] e:\progra~1\yahoo!\YCentral\YahooCentral.exe
O4 - HKLM\..\Run: [Windows Defender] "D:\Applications\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VPatch] C:\Program Files\VIAudioi\SBADeck\VPatch.exe 0 0 2
O4 - HKLM\..\Run: [VModes] VModes AttachToDesktop
O4 - HKLM\..\Run: [ussshreg] E:\PROGRA~1\ULEADW~1.0\Ussshreg.exe /r
O4 - HKLM\..\Run: [SystemGuardAlerter] "E:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SpyHunter] E:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [SlowDownCPU] E:\WINDOWS\INF\MSI\SlowDownCPU\SlowDownCPU.exe
O4 - HKLM\..\Run: [SiSUSBRG] E:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RFAgent] D:\Applications\RFA\rfagent.exe
O4 - HKLM\..\Run: [RaidTool] E:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PCLEPCI] E:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ioloDelayModule] E:\Program Files\iolo\System Mechanic Professional 6\delay.exe
O4 - HKLM\..\Run: [Google Desktop Search] "E:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccRegVfy] E:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] E:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [BootWarn] E:\Program Files\Norton SystemWorks\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [AudioDeck] E:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\RunOnce: [srePostpone] rundll32.exe e:\windows\system32\zonelabs\srescan.dll,DoSpecialAction
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Applications\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] E:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "E:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O4 - HKCU\..\Run: [SearchWithGoogle] E:\Documents and Settings\Administrator\Local Settings\Application Data\Google\SearchWithGoogle\SearchWithGoogle.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Internet Download Accelerator] D:\Applications\IDA\ida.exe -autorun
O4 - Startup: Stardock ObjectDock.lnk = D:\Applications\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widget Engine.lnk = D:\Applications\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &WordWeb... - res://E:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all by Free Download Manager - file://D:\Applications\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download ALL with IDA - D:\Applications\IDA\idaieall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://D:\Applications\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://D:\Applications\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://D:\Applications\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with IDA - D:\Applications\IDA\idaie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\system32\msjava.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - (no file)
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - D:\Applications\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - D:\Applications\IDA\ida.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .exe: E:\Program Files\Opera\PLUGINS\npida.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...en/x86/client/muweb_site.cab?1136656311752
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D883000-7603-4B40-8054-F96D7E8EB033}: NameServer = 202.54.9.1,202.9.145.6,203.197.12.30,202.54.1.30,202.54.6.50
O20 - Winlogon Notify: MCPClient - E:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WBSrv - D:\APPLIC~1\Stardock\OBJECT~2\WINDOW~1\wbsrv.dll
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - E:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - E:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - E:\WINDOWS\system32\AvidStartup.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - E:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe



Please instruct me regarding future actions.

Thank You
Old 04-16-2006, 06:08 AM   #4 (permalink)
src2206 (TSF Enthusiast)
Hi Vikesrock8411, did you receive my previous reply? As I am new to this forum I am not very sure whether I posted my reply against your instructions correctly. I am really worried and desperately need your expert advice, FRIEND.
Thank you
Old 04-16-2006, 09:06 AM   #5 (permalink)
src2206 (TSF Enthusiast)
Hi, as I haven't received any reply yet (I understand you are all very busy, and I am a bit unfortunate, as some who posted later than me have received a solution), I am going to delete the files shown in the Panda scan log using KillBox. Wish me luck and no hard feelings here. Thank you
Old 04-16-2006, 09:41 AM   #6 (permalink)
src2206 (TSF Enthusiast)
Panda Active Scan & HJT log please help

As instructed I have taken the measures detailed below.

Step 1: Installed CLEANUP 4.51 and ran it. It freed up around 20.54 MB of disk space. (Though during installation I had some trouble. The application hung whenever I wanted to change the default installation directory, and after hanging I could not even terminate the process using Task Manager or HJT. After installing to the default path I clicked the help button by mistake and again it hung. In all these cases I had to reboot. At last I was able to clean as you directed.)

Step 2: Did an online virus scan using Panda. Saved the log, which you shall find enclosed. During the first scan the application froze even though I turned off the AVG Control Centre. After rebooting I turned off all background services of AVG as well as my Zone Alarm firewall. The scan this time completed successfully.

Step 3: Ran MSCONFIG and chose normal startup. Rebooted and ran HJT. Saved the log and I am enclosing that too.

PANDA SCAN LOG:


Incident Status Location

Adware:adware/secure32 Not disinfected E:\WINDOWS\country.exe
Adware:adware/cws.searchmeup Not disinfected E:\WINDOWS\toolbar.exe
Adware:adware/powerstrip Not disinfected Windows Registry
Possible Virus. Not disinfected D:\My Documents\My Completed Downloads\OS-Adobe_Acrobat 7.0 Pro_Tryout_to_Full_Activation.exe[run.exe]
Spyware:Cookie/Belnk Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{2C20C2E6-EFE2-4234-A7EA-BC8834903B3C}\{37159949-5FCF-4BA4-A7B7-F720EA34501A}.txt[{37159949-5FCF-4BA4-A7B7-F720EA34501A}.txt]
Spyware:Cookie/Belnk Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{2C20C2E6-EFE2-4234-A7EA-BC8834903B3C}\{F4E0F731-07BC-4AFF-9A5F-4F235200E92C}.txt[{F4E0F731-07BC-4AFF-9A5F-4F235200E92C}.txt]
Spyware:Cookie/Paypopup Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{56813E67-9032-4598-AC7B-2EE7FCD27806}\{560DCF33-C67E-4899-A3D8-B65F6A972FF1}.txt[{560DCF33-C67E-4899-A3D8-B65F6A972FF1}.txt]
Spyware:Cookie/888 Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{56813E67-9032-4598-AC7B-2EE7FCD27806}\{5C527138-0ADE-45EC-8411-150F87E7FA25}.txt[{5C527138-0ADE-45EC-8411-150F87E7FA25}.txt]
Spyware:Cookie/Belnk Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{56813E67-9032-4598-AC7B-2EE7FCD27806}\{CF53017D-E377-4B2F-B897-7CC922467E35}.txt[{CF53017D-E377-4B2F-B897-7CC922467E35}.txt]
Spyware:Cookie/Belnk Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{56813E67-9032-4598-AC7B-2EE7FCD27806}\{DF341150-DA84-41E3-8456-854D5A0943BF}.txt[{DF341150-DA84-41E3-8456-854D5A0943BF}.txt]
Spyware:Cookie/YieldManager Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Sched\{F541538C-E618-49E4-B441-464130524BAF}\{0ED94141-4F4D-4D3A-9D9F-D50FD172E731}.txt[{0ED94141-4F4D-4D3A-9D9F-D50FD172E731}.txt]
Spyware:Cookie/Belnk Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Sched\{F541538C-E618-49E4-B441-464130524BAF}\{36DC5134-6453-45B6-A634-CBA912679548}.txt[{36DC5134-6453-45B6-A634-CBA912679548}.txt]
Spyware:Cookie/Belnk Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Sched\{F541538C-E618-49E4-B441-464130524BAF}\{A8AFCF8F-CF9D-432B-9CB8-67C1F2BA0AC6}.txt[{A8AFCF8F-CF9D-432B-9CB8-67C1F2BA0AC6}.txt]



HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 1:38:55 PM, on 4/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
D:\Applications\Windows Defender\MsMpEng.exe
E:\WINDOWS\System32\svchost.exe
E:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
E:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe
E:\Documents and Settings\Administrator\Local Settings\Application Data\Google\SearchWithGoogle\SearchWithGoogle.exe
E:\Program Files\Messenger\msmsgs.exe
D:\Applications\IDA\ida.exe
E:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\WINDOWS\system32\AvidSDMService.exe
E:\WINDOWS\system32\cisvc.exe
E:\WINDOWS\system32\crypserv.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
E:\PROGRA~1\Grisoft\AVG7\avgw.exe
E:\WINDOWS\system32\svchost.exe
D:\Applications\Stardock\ObjectDock\ObjectDock.exe
D:\Applications\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Applications\Yahoo!\Messenger\ymsgr_tray.exe
E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
D:\Applications\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Applications\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Applications\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
E:\WINDOWS\system32\wuauclt.exe
D:\Applications\uTorrent\utorrent.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\Grisoft\AVG7\avgcc.exe
D:\Applications\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/...://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/...://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/...://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE provided by Proma Roy Choudhury
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - D:\Applications\IDA\idaiehlp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: &Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - E:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - E:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O3 - Toolbar: IDA Bar - {C70E30C7-140A-4166-A2E8-43557E62B41A} - D:\Applications\IDA\idabar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [YCentral] e:\progra~1\yahoo!\YCentral\YahooCentral.exe
O4 - HKLM\..\Run: [Windows Defender] "D:\Applications\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VPatch] C:\Program Files\VIAudioi\SBADeck\VPatch.exe 0 0 2
O4 - HKLM\..\Run: [VModes] VModes AttachToDesktop
O4 - HKLM\..\Run: [ussshreg] E:\PROGRA~1\ULEADW~1.0\Ussshreg.exe /r
O4 - HKLM\..\Run: [SystemGuardAlerter] "E:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SpyHunter] E:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [SlowDownCPU] E:\WINDOWS\INF\MSI\SlowDownCPU\SlowDownCPU.exe
O4 - HKLM\..\Run: [SiSUSBRG] E:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RFAgent] D:\Applications\RFA\rfagent.exe
O4 - HKLM\..\Run: [RaidTool] E:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PCLEPCI] E:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ioloDelayModule] E:\Program Files\iolo\System Mechanic Professional 6\delay.exe
O4 - HKLM\..\Run: [Google Desktop Search] "E:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccRegVfy] E:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] E:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [BootWarn] E:\Program Files\Norton SystemWorks\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [AudioDeck] E:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\RunOnce: [srePostpone] rundll32.exe e:\windows\system32\zonelabs\srescan.dll,DoSpecialAction
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Applications\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] E:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "E:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O4 - HKCU\..\Run: [SearchWithGoogle] E:\Documents and Settings\Administrator\Local Settings\Application Data\Google\SearchWithGoogle\SearchWithGoogle.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Internet Download Accelerator] D:\Applications\IDA\ida.exe -autorun
O4 - Startup: Stardock ObjectDock.lnk = D:\Applications\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widget Engine.lnk = D:\Applications\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &WordWeb... - res://E:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all by Free Download Manager - file://D:\Applications\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download ALL with IDA - D:\Applications\IDA\idaieall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://D:\Applications\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://D:\Applications\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://D:\Applications\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with IDA - D:\Applications\IDA\idaie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\system32\msjava.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - (no file)
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - D:\Applications\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - D:\Applications\IDA\ida.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .exe: E:\Program Files\Opera\PLUGINS\npida.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...en/x86/client/muweb_site.cab?1136656311752
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D883000-7603-4B40-8054-F96D7E8EB033}: NameServer = 202.54.9.1,202.9.145.6,203.197.12.30,202.54.1.30,202.54.6.50
O20 - Winlogon Notify: MCPClient - E:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WBSrv - D:\APPLIC~1\Stardock\OBJECT~2\WINDOW~1\wbsrv.dll
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - E:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - E:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - E:\WINDOWS\system32\AvidStartup.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - E:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe



Please instruct me regarding future actions.

Thank You


PS: I'm going to delete all the files shown in Panda Active Scan using KILLBOX, but I don't know what to do with the registry value. Ran ADAWARE 1.06 full system scan but nothing came out as a critical object.
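The HJT log above is the raw material of the whole thread. As an added illustration (not code from the thread, from HijackThis, or from any tool mentioned here), the Python below parses lines in that format and applies the first-pass checks an analyst makes before reading the log by hand. SAMPLE_LOG is constructed from lines in the posted log, and the review flags are prompts to verify an entry, not verdicts.

```python
"""HijackThis v1.99 log parser with first-pass review flags.

Added illustration only: not code from the thread, from HijackThis, or from
any tool named in it.  SAMPLE_LOG is constructed from lines of the posted log
so the parser runs offline.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D883000-7603-4B40-8054-F96D7E8EB033}: NameServer = 202.54.9.1,202.9.145.6
O20 - Winlogon Notify: MCPClient - E:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O23 - Service: Autodesk Licensing Service - Unknown owner - E:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# "O23 - Service: ..." -> section tag and the rest of the line.
ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
# Registry-style GUID/CLSID, mixed case exactly as HijackThis prints it.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-letter path ending in a binary extension; spaces allowed inside.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|sys|cpl)\b", re.IGNORECASE)


@dataclass
class Entry:
    kind: str                 # section tag, e.g. "O23"
    body: str                 # text after "O23 - "
    guid: Optional[str]       # CLSID or interface GUID if present
    path: Optional[str]       # on-disk binary if the line names one
    flags: List[str] = field(default_factory=list)


def review_flags(e: Entry) -> List[str]:
    """Checks an analyst makes first; none of these prove an infection."""
    flags = []
    if "(no file)" in e.body:
        flags.append("referenced file missing: orphaned entry")
    if e.kind == "O2" and "(no name)" in e.body:
        flags.append("unnamed BHO: identify it by CLSID and DLL path")
    if e.kind == "O4" and e.path is None:
        flags.append("bare file name: locate which directory it runs from")
    if e.kind == "O17":
        flags.append("custom DNS servers: confirm they belong to your ISP")
    if e.kind == "O20":
        flags.append("Winlogon Notify DLL loads at logon: verify publisher")
    if e.kind == "O23" and "Unknown owner" in e.body:
        flags.append("service with no publisher string: verify the binary")
    return flags


def parse_log(text: str) -> List[Entry]:
    """Turn HijackThis log text into Entry records, skipping header lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.groups()
        guid = GUID_RE.search(body)
        path = PATH_RE.search(body)
        e = Entry(kind, body,
                  guid.group(0) if guid else None,
                  path.group(0) if path else None)
        e.flags = review_flags(e)
        entries.append(e)
    return entries


def dns_servers(entries: List[Entry]) -> List[str]:
    """NameServer addresses from O17 entries, in the order listed."""
    servers = []
    for e in entries:
        if e.kind == "O17" and "NameServer" in e.body:
            servers.extend(s.strip() for s in e.body.split("=", 1)[1].split(","))
    return servers


def flagged(entries: List[Entry]) -> List[Entry]:
    """Entries worth a second look; the rest are fully qualified, named lines."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(f"{len(parsed)} entries, {len(flagged(parsed))} flagged")
    for e in flagged(parsed):
        print(f"{e.kind}: {e.body}")
        for f in e.flags:
            print(f"    - {f}")
    print("DNS servers:", ", ".join(dns_servers(parsed)) or "(none)")
```

Run against a full log, the unflagged entries still deserve a read; the flags only order the work.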
Old 04-16-2006, 10:50 AM   #7 (permalink)
src2206 (TSF Enthusiast)
Bad luck. Could not delete any of those files. Please, can anyone help me?
Old 04-16-2006, 02:04 PM   #8 (permalink)
Vikesrock8411 (Analyst, Security Team)

Sorry for the delay, you must understand that all the analysts here are volunteers, there is a time difference between our two countries, and for many of us here in the US today is a religious holiday (Easter).

If you are sure you have properly killboxed the files in the Panda log you are all clean.

Your log appears to be clean. If you still have any problems let me know and we will work on diagnosing those through other means. If not, there are just a few more things to go through to finish this off and help prevent future infections. Please post one more time even if you have no problems so we can mark this thread as resolved.

Setting a new Restore Point
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter.
  • Tick the checkbox - Turn off System Restore on all drives
  • Click Apply
  • Turn it back 'On' by unticking the same checkbox & click OK

Windows Update
Make sure to get the latest updates for Windows and Internet Explorer at Microsoft Update Site.

Prevention
A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include:
AVG Free
Avast! Home Edition (Antivirus & Firewall)
AntiVir

A firewall is the first line of defense standing between the internet and your computer. Some good free firewalls are:
Zone Alarm
Outpost
Tiny Personal Firewall
Sunbelt Kerio Personal Firewall

Adaware SE and Spybot SD are a pair of anti-spyware scanners that should be run every week or two. Although there is some overlap, there are many pieces of malware that are caught by one of these and not the other, therefore it is recommended you use both to complement each other. Spybot also contains two other useful pieces. The first is "Immunize", which helps protect your computer against known exploits. The second is "TeaTimer"; with this feature enabled you will receive notifications of all changes to the registry, such as programs adding themselves to start-up and your default search page being changed.

Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources, run it once and you're all set. Spyware Guard Is a realtime protection engine to guard your computer from spyware. This program does for spyware what an antivirus program does for viruses.

IE-Spyad is a program that only needs to be run once to protect you from many malicious sites. It adds domains of known adware companies into the Restricted List of Internet Explorer, preventing them from performing malicious actions on your PC.

The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed.

Together these programs form a powerful barrier between the Internet and your computer. However, all the programs stand alone and feel free to eliminate any you are not comfortable with. Any protection you add to your PC is better than no protection at all.

Alternative Programs
Here are some alternatives that are either less susceptible than others to malware or don't contain malware where similar programs do.

Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

Desktop Weather - Free taskbar weather program that is free, malware free, and resource light.

Firefox - This is an increasingly popular alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
Old 04-17-2006, 06:17 AM   #9 (permalink)
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)

**Moderator's Note: User began a new thread prior to Vikesrock8411 last post. Threads have been merged.**
Old 04-17-2006, 06:46 AM   #10 (permalink)
src2206 (TSF Enthusiast)
HJT Log (urgent) Thank You My Friend

Hi Vikesrock8411,
At the very beginning I would like to offer you my sincere apologies for my overt zealousness and, assuming that this apology is accepted (as you are a very kind-hearted person), I would like to wish you HAPPY EASTER (belated, apologies again!!!). My anxiety was mainly driven by the fact that I was new to this forum (and to be honest, to any forum; this is my first) and I was not really sure whether I was replying in the proper manner. In future this will not happen.
Anyway, now regarding the files shown by Active Scan:

I tried to use KillBox first, as detailed in one of your forum threads. I chose the option 'replace on reboot' and under that 'replace with dummy', and checked the box 'end explorer shell while killing file', but that did not work. I even tried to do that in safe mode, but in vain (though this process worked fine with the original cmb_12341 file). Then I chose 'standard file kill' and 'end explorer shell while killing the file'. This time it worked, and I double-checked by going to the Windows folder to see whether the files were there or not. Though the program informed me that a backup had been created, I couldn't find it. Could you please tell me where those might be? Then I downloaded all the software as you directed and installed it. Here also I had a problem and need your help. With Spyware Guard & Spyware Blaster, whenever I try to run them a window opens up and tries to install Dictation2005. Even if I press 'cancel' it tries at least twice or thrice. As SG is loaded at startup, after every boot the installer appears. Please help me with this.

Active Scan Log 1 (before installing SG and others)


Incident Status Location

Adware:adware/secure32 Not disinfected E:\WINDOWS\secure32.html
Adware:adware/cws.searchmeup Not disinfected E:\WINDOWS\uniq
Adware:adware/powerstrip Not disinfected Windows Registry
Spyware:Cookie/Tribalfusion Not disinfected E:\Documents and Settings\Administrator\Cookies\proma roy choudhury@tribalfusion[1].txt
Spyware:Cookie/Tribalfusion Not disinfected E:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lry8oy48.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/myaffiliateprogram Not disinfected E:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lry8oy48.default\cookies.txt[www.myaffiliateprogram.com/]
Spyware:Cookie/Com.com Not disinfected E:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lry8oy48.default\cookies.txt[.com.com/]
Possible Virus. Not disinfected D:\My Documents\My Completed Downloads\OS-Adobe_Acrobat 7.0 Pro_Tryout_to_Full_Activation.exe[run.exe]
Potentially unwanted tool:Application/Processor Not disinfected D:\My Documents\My Downloads\1. To BE WRRITTEN\smitRem\smitRem.exe[Process.exe]
Spyware:Cookie/Tribalfusion Not disinfected E:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lry8oy48.default\cookies.txt[]
Spyware:Cookie/Tribalfusion Not disinfected E:\Documents and Settings\Administrator\Cookies\proma roy choudhury@tribalfusion[1].txt
Spyware:Cookie/Belnk Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{2C20C2E6-EFE2-4234-A7EA-BC8834903B3C}\{37159949-5FCF-4BA4-A7B7-F720EA34501A}.txt[{37159949-5FCF-4BA4-A7B7-F720EA34501A}.txt]
Spyware:Cookie/Belnk Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{2C20C2E6-EFE2-4234-A7EA-BC8834903B3C}\{F4E0F731-07BC-4AFF-9A5F-4F235200E92C}.txt[{F4E0F731-07BC-4AFF-9A5F-4F235200E92C}.txt]
Spyware:Cookie/Paypopup Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{56813E67-9032-4598-AC7B-2EE7FCD27806}\{560DCF33-C67E-4899-A3D8-B65F6A972FF1}.txt[{560DCF33-C67E-4899-A3D8-B65F6A972FF1}.txt]
Spyware:Cookie/888 Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{56813E67-9032-4598-AC7B-2EE7FCD27806}\{5C527138-0ADE-45EC-8411-150F87E7FA25}.txt[{5C527138-0ADE-45EC-8411-150F87E7FA25}.txt]
Spyware:Cookie/Belnk Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{56813E67-9032-4598-AC7B-2EE7FCD27806}\{CF53017D-E377-4B2F-B897-7CC922467E35}.txt[{CF53017D-E377-4B2F-B897-7CC922467E35}.txt]
Spyware:Cookie/Belnk Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{56813E67-9032-4598-AC7B-2EE7FCD27806}\{DF341150-DA84-41E3-8456-854D5A0943BF}.txt[{DF341150-DA84-41E3-8456-854D5A0943BF}.txt]
Spyware:Cookie/YieldManager Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Sched\{F541538C-E618-49E4-B441-464130524BAF}\{0ED94141-4F4D-4D3A-9D9F-D50FD172E731}.txt[{0ED94141-4F4D-4D3A-9D9F-D50FD172E731}.txt]
Spyware:Cookie/Belnk Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Sched\{F541538C-E618-49E4-B441-464130524BAF}\{36DC5134-6453-45B6-A634-CBA912679548}.txt[{36DC5134-6453-45B6-A634-CBA912679548}.txt]
Spyware:Cookie/Belnk Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Sched\{F541538C-E618-49E4-B441-464130524BAF}\{A8AFCF8F-CF9D-432B-9CB8-67C1F2BA0AC6}.txt[{A8AFCF8F-CF9D-432B-9CB8-67C1F2BA0AC6}.txt]



Active Scan Log 2( After deleting the files and installing SG)

Incident Status Location

Adware:adware/powerstrip Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected D:\My Documents\My Downloads\1. To BE WRRITTEN\smitRem\smitRem.exe[Process.exe]
Spyware:Cookie/YieldManager Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Sched\{F541538C-E618-49E4-B441-464130524BAF}\{0ED94141-4F4D-4D3A-9D9F-D50FD172E731}.txt[{0ED94141-4F4D-4D3A-9D9F-D50FD172E731}.txt]
Spyware:Cookie/Belnk Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Sched\{F541538C-E618-49E4-B441-464130524BAF}\{36DC5134-6453-45B6-A634-CBA912679548}.txt[{36DC5134-6453-45B6-A634-CBA912679548}.txt]
Spyware:Cookie/Belnk Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Sched\{F541538C-E618-49E4-B441-464130524BAF}\{A8AFCF8F-CF9D-432B-9CB8-67C1F2BA0AC6}.txt[{A8AFCF8F-CF9D-432B-9CB8-67C1F2BA0AC6}.txt]


I have deleted the files, but what to do about powerstrip I could not understand. I could not find it either. Please see if you can do anything. (Though I know you can.)

After deleting files, I again ran Panda Scan twice to find to my horror that there are again spywares. I am posting that log too for your kind attention. Again I deleted Files using killbox using 'standard kill'. Then I ran a CleanUp and went for another scan. That log also I am posting.
Regarding the other software according to your advice, I already have AVG ANTIVIRUS, ZONE ALARM FIREWALL, AD-AWARE SE 1.06 & SPYBOT S&D installed and they are regularly (and religiously) updated.
I know again I may have some problems, BUT THIS TIME I AM NOT WORRIED 'CAUSE I KNOW A FRIEND IS OUT THERE TO BAIL ME OUT OF THIS SITUATION.

Thank You Very Much My Dear Friend. And I wish that I could join your team and help others like me out there and eradicate the real fear of losing identity in this virtual world.
Old 04-17-2006, 06:52 AM   #11 (permalink)
src2206 (TSF Enthusiast)
Please read the last-but-one paragraph (After deleting........THIS SITUATION) as the third paragraph, i.e., preceding the scan logs. Sorry for this goof-up -:).
src2206 is offline  
Old 04-17-2006, 08:06 AM   #12 (permalink)
Another small question: I have a-squared Free installed. Does it really help, or is it better to uninstall it?
src2206 is offline  
Old 04-17-2006, 10:37 AM   #13 (permalink)
Your apology is indeed accepted; most of us analysts got into this job by having a problem of our own that we got help with, so I know what you are going through.

Just a reminder, the HJT_CS software you downloaded is not needed to clean your PC. If you have not done so already, please delete this software.

That last Panda scan is actually clean. The powerstrip entry is an orphaned registry entry and poses no threat to your system. Because Panda is not giving us a location, digging it out would be a lot of work and potentially harmful.

The other entries are one False Positive on smitrem and backup files created by System Mechanic 6. These are also not dangerous and there is no need to worry.

The backups created by Killbox should be located either in C:\!Killbox or C:\!Submit depending on the version of Killbox you are using.

Now we need to find out what is going on with Spyware Blaster and Spyware Guard.

Open HijackThis, click Config, then click Misc Tools.
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
Vikesrock8411 is offline  
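The triage in the post above (cookie files sitting in a System Mechanic Undo folder are backup copies, and a removal tool such as smitRem is a known false positive) can be written down as a small parser over Panda ActiveScan report lines, so the same reasoning is applied consistently to a longer log. This is an added example, not code from the forum, from Panda or from HijackThis: the four sample lines are the ones quoted earlier in this thread, the two extra lines are constructed, and the status keywords other than "Not disinfected", the `BACKUP_DIR_HINTS` fragments and the `KNOWN_TOOL_FILES` list are my own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the four Panda ActiveScan lines quoted in this thread.
SAMPLE_SCAN = r"""
Potentially unwanted tool:Application/Processor Not disinfected D:\My Documents\My Downloads\1. To BE WRRITTEN\smitRem\smitRem.exe[Process.exe]
Spyware:Cookie/YieldManager Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Sched\{F541538C-E618-49E4-B441-464130524BAF}\{0ED94141-4F4D-4D3A-9D9F-D50FD172E731}.txt[{0ED94141-4F4D-4D3A-9D9F-D50FD172E731}.txt]
Spyware:Cookie/Belnk Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Sched\{F541538C-E618-49E4-B441-464130524BAF}\{36DC5134-6453-45B6-A634-CBA912679548}.txt[{36DC5134-6453-45B6-A634-CBA912679548}.txt]
Spyware:Cookie/Belnk Not disinfected E:\Program Files\iolo\System Mechanic Professional 6\Undo\Sched\{F541538C-E618-49E4-B441-464130524BAF}\{A8AFCF8F-CF9D-432B-9CB8-67C1F2BA0AC6}.txt[{A8AFCF8F-CF9D-432B-9CB8-67C1F2BA0AC6}.txt]
"""

# Constructed lines (not from the thread) to exercise the remaining verdicts.
EXTRA_LINES = r"""
Spyware:Cookie/Example Not disinfected C:\Documents and Settings\User\Cookies\user@example.txt
Adware:Adware/Example Not disinfected C:\WINDOWS\example.exe
"""

# Layout seen on the page: "<category>:<name> <status> <path>[<archive member>]".
# Only "Not disinfected" appears in the thread; the other status words are assumed.
LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>\S+)\s+"
    r"(?P<status>Not disinfected|Disinfected|Deleted)\s+"
    r"(?P<path>[A-Za-z]:\\.*?)(?:\[(?P<member>[^\]]+)\])?\s*$"
)


@dataclass
class Detection:
    category: str
    name: str
    status: str
    path: str
    member: Optional[str]  # file inside an archive/container, if Panda reported one


def parse_scan(text: str) -> List[Detection]:
    """Parse report lines; blank lines are skipped, anything else unparseable is an error."""
    found: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised scan line: {line!r}")
        found.append(Detection(**m.groupdict()))
    return found


# Assumed heuristics (mine, not Panda's): path fragments that mark a rolled-back
# or quarantined copy rather than a live file. !Killbox / !Submit are the Killbox
# backup folders named in the thread.
BACKUP_DIR_HINTS = ("\\undo\\", "\\backup\\", "\\!killbox\\", "\\!submit\\")
# Assumed: removal tools whose bundled helpers commonly trip PUP signatures.
KNOWN_TOOL_FILES = ("smitrem.exe",)


def triage(d: Detection) -> str:
    """Map one detection to a verdict label a human reviewer can act on."""
    p = d.path.lower()
    if any(h in p for h in BACKUP_DIR_HINTS):
        return "backup-copy"           # delete the backup folder, not a live infection
    if p.rsplit("\\", 1)[-1] in KNOWN_TOOL_FILES:
        return "tool-false-positive"   # a cleanup tool's own helper binary
    if d.name.lower().startswith("cookie/"):
        return "tracking-cookie"       # data file, no code execution; safe to delete
    return "needs-review"              # anything else gets a second look


def summarize(text: str) -> Dict[str, int]:
    """Count verdicts for a whole report."""
    return dict(Counter(triage(d) for d in parse_scan(text)))


if __name__ == "__main__":
    for det in parse_scan(SAMPLE_SCAN + EXTRA_LINES):
        print(f"{triage(det):20} {det.name:25} {det.path}")
    print(summarize(SAMPLE_SCAN))
```

The verdict order matters: a cookie found under an Undo or Killbox folder is reported as a backup copy first, which is exactly why the analyst treats the System Mechanic entries as harmless leftovers rather than a re-infection.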
Old 04-17-2006, 08:33 PM   #14 (permalink)
HJT log (very urgent)

Good Morning,
Thank you, your lordship, for accepting my apologies. But seriously, I am really thankful to you, and this forum has already grown into a habit for me.
Now back to business. Please find the uninstall list below:


2d3 SteadyMove for Adobe Premiere Pro
3 Premiere Plug-Ins 1.00
Ad-Aware SE Professional
Adobe Acrobat 7.0 Professional
Adobe After Effects 6.5
Adobe Premiere Pro 1.5
Adobe Reader 7.0.5
Advanced RAR Password Recovery (remove only)
a-squared Free 1.6.1
AVG Anti-Virus 7.1
Avid DIO Runtime
Avid DNADiags
Avid Xpress Pro HD
Bridge Baron 16
CD Indexer V4.0.0.41
CleanUp!
ClearType Tuning Control Panel Applet
CorelDRAW Graphics Suite 12
DFX for Winamp
Dictation2005
First Step Guide
Free Download Manager 2.0
FreshDiagnose
FreshUI
Google Toolbar for Internet Explorer
Google Web Accelerator
HijackThis 1.99.1
Hitman: Contracts
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB898900)
Hotfix for Windows XP (KB904412)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB907865)
Internet Download Accelerator version 5.0
iolo technologies' System Mechanic Professional 6
IsoBuster 1.9
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 3
Learn to Play Bridge
LimeWire PRO 4.10.9
LiveReg (Symantec Corporation)
Magic Bullet Editors Premiere
MainConcept MPEG Pro for Adobe Premiere Pro 1.06
Microsoft .NET Framework 2.0
Microsoft Interactive Training
Microsoft Office 2000 Professional
Microsoft Office XP Standard for Students and Teachers
Mozilla Firefox (1.5.0.1)
MSXML 4.0 SP2 Parser and SDK
Nero 7 Demo
ObjectDock
ObjectDock Plus
Opera
Panda ActiveScan
Registry First Aid
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913446)
Sony USB Driver
SpywareBlaster v3.5.1
SpywareGuard v2.2
Tata Indicom Broadband Manager
Update for Windows XP (KB896427)
Update for Windows XP (KB897663)
Update for Windows XP (KB908521)
VIA Vinyl Audio Codecs Driver Setup Program
VIA/S3G Display Driver
Weather1
Winamp (remove only)
WindowBlinds
Windows Defender Signatures
Windows Media Encoder 9 Series
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884020
Windows XP Hotfix - KB884883
Windows XP Hotfix - KB885222
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885626
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB886677
Windows XP Hotfix - KB886716
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888240
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890831
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Hotfix - KB894395
Windows XP Hotfix - KB896626
WinMorph™ 3.01
WinZip
Yahoo! Central
Yahoo! Messenger
Yahoo! Toolbar
Yahoo! Widget Engine
Yahoo! Widget Engine
ZoneAlarm Pro


Regarding your other advice, I have already deleted HJT_CS. I found the backup folder and deleted the backup. In the meantime, while searching for the backup, I found a small file kl1.exe. It seemed like a virus/unwanted file to me from its properties, so I Killboxed it. It was found in two places: my OS partition E:\windows and C:\. AVG scanned it clean, though. What was it? I found two other files with no specific author description, ckrfresh.exe and choice.exe, both DOS applications. Are they safe?
You did not tell me anything about my confusion regarding the process of Killboxing or regarding a-squared Free. Could you please clarify this time?

Thank you.
src2206 is offline  
Old 04-17-2006, 08:36 PM   #15 (permalink)
Oh!! Another thing: I have deleted the System Mechanic backups. You know, just tried to wipe every trace of those nightmares -:)
src2206 is offline  
Old 04-18-2006, 10:30 AM   #16 (permalink)
Regarding Killbox: Killbox is a very powerful, dangerous tool that we use to kill files. For the vast majority of files if you use Killbox at all, a simple "Standard File Kill" will get the job done. I do not recommend, however, that you use Killbox on your PC without researching the files thoroughly first.

Regarding A-Squared: Although A-Squared is a good program for the prevention of spyware, it looks like you would probably be adequately protected without it. In the end the choice is really up to you.

If you do not have the software to reinstall Dictation 2005 DO NOT follow these instructions. Please let me know if this is the case.

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:
Dictation2005
SpywareBlaster v3.5.1
SpywareGuard v2.2


Reboot your system and begin reinstalling the programs one at a time, rebooting after each one. Let me know if the problem still exists.
Vikesrock8411 is offline  
Old 04-19-2006, 05:39 AM   #17 (permalink)
HJT Log (very urgent)

Hi Vikesrock8411,
Sorry for the delay in replying; I only get time during the evening to work on my PC.

As you advised, I have done accordingly and the problem is solved. Thank You Very Much.

Regarding kl1.exe, you did not write anything directly. So I googled it and found it being regarded as malware. I am enclosing the description to share with you.

http://fileinfo.prevx.com/QQd8821616...9/KL1.EXE.html



DEFINITION OF: KL1.EXE

* Safety Rating: Known Malware, do not run
* Malware Family: Part of Malware group - w32 Troj Dwnldr Gen
* Malware Form: EXPLOIT
* Protection: Prevx1 will protect, disinfect, cleanup and remove KL1.EXE
* Non Prevx Users: New users may remove KL1.EXE with the trial versions of Prevx1 or free versions of Prevx1R
* First seen: Apr 3 2006 (GMT)
* Last seen: Apr 3 2006 (GMT)
* File Size: 73,216 bytes

MALWARE ASSESSMENT: PREVX 4 AXES OF EVIL METHODOLOGY
1. COVERT ANALYSIS OF: KL1.EXE

* File Names Used: 21
* Paths Used: 9
* Common File Name: KL1.EXE
* Common Path: ?:\
* Vendor Information: No Vendor details specified
* KL1.EXE may use 21 or more path and file names, these are the most common:
* 1 :%CACHE%\CONTENT.IE5\????????\KFAZKW[1].TXT
* 2 :%CACHE%\CONTENT.IE5\????????\KL[1].TXT
* 3 :%CACHE%\CONTENT.IE5\????????\LWRQCO[1].TXT
* 4 :%CACHE%\CONTENT.IE5\????????\LWRQCO[2].TXT
* 5 :%localsettings%\temporary...s\content.ie5\ktu9c7ob\QLGSAMY[1].TXT
* 6 :%localsettings%\temporary...s\content.ie5\mng3czwl\LWRQCO[1].TXT
* 7 :%localsettings%\temporary...s\content.ie5\mng3czwl\LWRQCO[2].TXT
* File Name Structure: Common
* File and Path Structure: Suspicious, unusually high number of file and path combinations

2. RELATIONSHIP ANALYSIS OF: KL1.EXE

* Malicious Objects Created: 4 objects
* Malicious Creators: 2
* Malware Run Keys: Creates registry run keys for known malware objects
* Self Persists:
* Antivirus Detection: No third party antivirus detection observed
* Anti-Spyware Detection: No third party anti-spyware detection observed

3. ACTIVITY ANALYSIS OF: KL1.EXE

* The following behaviors have been observed for this object:
* Installs programs.
* Deletes programs.
* Creates Run Keys.
* Runs other programs.
* Communicates with web sites using httpout protocols.
* Has outbound communications.
* Creates registry entries.
* Creates run keys for known malware.
* Creates known malware.

4. PROPAGATION ANALYSIS OF: KL1.EXE

* Malware Group Propagation Rate: Moderate (spreading)
* Malware Group: w32 Troj Dwnldr Gen
* Copyright Prevx Limited 2005, 2006

Though I still don't understand why AVG did not pick it up. Another thing: I found one file, IE-Spyad ZO, but didn't clearly understand what it is. Since you mentioned IE-Spyad, I ran only that. Do I need to run IE-Spyad ZO?

What about a-squared? Do I need that anymore?

Thank you again for what you have done and for those yet to come.

Last edited by src2206; 04-19-2006 at 06:00 AM. Reason: spelling mistake
src2206 is offline  
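Vendor write-ups like the Prevx entry quoted above express their file indicators as path patterns with environment-style macros (`%CACHE%`, `%localsettings%`) and `?` single-character wildcards, which is why the entry can list nine paths for one file. The matcher below, an added example and not code from Prevx, Panda, or this forum, turns such patterns into regular expressions and checks a list of candidate paths against them. The `%CACHE%` pattern lines are copied from the entry; the patterns containing the elided "temporary...s" segment are left out because the page truncates them; the `?:\KL1.EXE` pattern is built from the entry's "Common Path" and "Common File Name" fields, and the macro expansions in `MACROS` and the sample paths are my own assumptions.

```python
import re
from typing import Dict, List, Pattern

# Indicator patterns as printed in the quoted Prevx entry (the lines with an
# elided "temporary...s" segment are omitted because the text is truncated).
PREVX_PATTERNS = [
    r"%CACHE%\CONTENT.IE5\????????\KFAZKW[1].TXT",
    r"%CACHE%\CONTENT.IE5\????????\KL[1].TXT",
    r"%CACHE%\CONTENT.IE5\????????\LWRQCO[1].TXT",
    r"%CACHE%\CONTENT.IE5\????????\LWRQCO[2].TXT",
    # Constructed from the entry's "Common Path: ?:\" and "Common File Name: KL1.EXE".
    r"?:\KL1.EXE",
]

# Assumed macro expansions as regex fragments (these are not Prevx's definitions):
# %CACHE% is taken to be the IE cache root that contains Content.IE5.
MACROS: Dict[str, str] = {
    "%CACHE%": r".*\\Temporary Internet Files",
    "%localsettings%": r".*\\Local Settings",
}
MACRO_RE = re.compile(r"%[A-Za-z]+%")


def literal_to_regex(text: str) -> str:
    """'?' matches one character that is not a path separator; all else is literal."""
    return "".join(r"[^\\]" if ch == "?" else re.escape(ch) for ch in text)


def pattern_to_regex(pattern: str) -> Pattern[str]:
    """Compile a vendor path pattern into an anchored, case-insensitive regex."""
    parts: List[str] = []
    pos = 0
    for m in MACRO_RE.finditer(pattern):
        parts.append(literal_to_regex(pattern[pos:m.start()]))
        key = m.group(0).lower()
        frag = next((v for k, v in MACROS.items() if k.lower() == key), None)
        if frag is None:
            raise ValueError(f"unknown macro {m.group(0)} in {pattern!r}")
        parts.append(frag)
        pos = m.end()
    parts.append(literal_to_regex(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def match_paths(paths: List[str], patterns: List[str] = PREVX_PATTERNS) -> Dict[str, List[str]]:
    """Return {path: [matching patterns]} for every candidate path that hits an indicator."""
    compiled = [(p, pattern_to_regex(p)) for p in patterns]
    hits: Dict[str, List[str]] = {}
    for path in paths:
        for pat, rx in compiled:
            if rx.match(path):
                hits.setdefault(path, []).append(pat)
    return hits


# Constructed sample paths (not from the thread): one cache hit, one root hit,
# one copy under a system folder that the root-only pattern does not cover,
# one cache folder of the wrong length, and one unrelated file.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\KTU9C7OB\KL[1].TXT",
    r"C:\KL1.EXE",
    r"E:\WINDOWS\KL1.EXE",
    r"C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\ABC\KL[1].TXT",
    r"C:\Program Files\Something\readme.txt",
]

if __name__ == "__main__":
    for path, pats in match_paths(SAMPLE_PATHS).items():
        print(path, "->", pats)
```

Note that the root-only pattern does not match the copy in `E:\WINDOWS`, which is exactly the kind of location the poster found the file in: a vendor's "most common paths" list is a starting point for a hunt, not a complete description of where a downloader may drop itself.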
Old 04-19-2006, 05:49 AM   #18 (permalink)

Oh, another small thing: I have activated 'TeaTimer' from Spybot S&D. But do I really need to keep it running simultaneously with SpywareGuard, AVG Control Center and Zone Alarm? Please advise.

Last edited by src2206; 04-19-2006 at 05:57 AM.
src2206 is offline  
Old 04-19-2006, 07:54 AM   #19 (permalink)
Nice research on KL1.exe. I did indeed look and see it was spyware; since you had already removed it, I did not include it in my reply.

IE-Spyad ZO is a different version for use with Zone Out. Do not worry about this; if you ran the regular IE-Spyad you are all set.

I would personally get rid of A-squared and keep Teatimer. Teatimer is a very powerful tool that protects your registry from unauthorized changes.
Vikesrock8411 is offline  
Old 04-19-2006, 09:55 AM   #20 (permalink)
HJT Log (very urgent)

HIIIIIII Vikesrock8411
Getting a bit emotional, I must say. For the last few days it was really a ritual for me to check for a new post from you, and whenever I saw one my heart leaped with hope and joy. Honestly, I can never really thank you enough for whatever you have done.


I sincerely wish to join you people, though I don't know whether technically it is feasible or not.

Thank you to you as well as to all who work to keep this forum going.

HATS OFF
src2206 is offline  
All times are GMT -7. The time now is 05:32 PM.
Copyright 2001 - 2009, Tech Support Forum