Hi, thanks for being there! :wave:

My system is XP SP2. Followed all instructions. Scan logs follow.

Thanks again for your help!

Regards, Bfree

Deckard's System Scanner v20070809.63
Run by afriscribe on 2007-08-17 at 01:49:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 480 MiB (512 MiB recommended).


-- HijackThis (run as afriscribe.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:52:21 AM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Qlock\qlock.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Documents and Settings\afriscribe\Desktop\dss.exe
C:\PROGRA~1\Trend Micro\HijackThis\afriscribe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.community.tsiyon.org/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.stardownloader.com/contact.php
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: qlock.lnk = C:\Program Files\Qlock\qlock.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: qlock.lnk = C:\Program Files\Qlock\qlock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {1B9B97D0-C0F4-4045-9B42-50A4535C9041} (WCLoaderCtl Class) - http://download.paltalk.com/wcloader_prod/wcloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCB9DD98-66E4-423B-8191-B9FBD431C3E4}: NameServer = 209.244.0.3 209.244.0.4
O20 - AppInit_DLLs:
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe

--
End of file - 5803 bytes

-- Files created between 2007-07-17 and 2007-08-17 -----------------------------

2007-08-17 01:50:25 0 d-------- C:\Program Files\Trend Micro
2007-08-17 01:38:33 21312 --a------ C:\WINDOWS\choice.exe
2007-08-17 01:22:20 0 d-------- C:\ie-spyad
2007-08-17 01:11:27 0 d-------- C:\Program Files\SpywareBlaster
2007-08-16 22:24:34 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-08-16 22:24:32 0 d-------- C:\WINDOWS\LastGood
2007-08-15 17:31:03 0 d-------- C:\Program Files\NoAdware5.0
2007-08-04 14:12:07 0 d-------- C:\Program Files\a-squared Free
2007-08-04 10:26:23 0 d-------- C:\Program Files\Free Registry Fix
2007-07-27 14:04:50 0 d-------- C:\Documents and Settings\afriscribe\Application Data\Paltalk
2007-07-27 14:04:45 0 d-------- C:\Program Files\Paltalk Messenger
2007-07-27 13:14:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Paltalk Web Client


-- Find3M Report ---------------------------------------------------------------

2007-08-17 00:46:43 0 d-------- C:\Program Files\QuickPDF to WORD
2007-08-17 00:46:42 0 d-------- C:\Program Files\Qlock
2007-08-17 00:43:46 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-08-17 00:41:39 0 d-------- C:\Program Files\ewido anti-spyware 4.0
2007-08-14 18:48:35 0 d-a------ C:\Program Files\E-Sword
2007-08-10 20:51:53 0 d-------- C:\Documents and Settings\afriscribe\Application Data\AVG7
2007-08-10 16:12:16 0 d-------- C:\Program Files\Lx_cats
2007-07-15 12:09:02 0 d-------- C:\Documents and Settings\afriscribe\Application Data\AdobeUM
2007-07-02 16:41:34 0 d-------- C:\Documents and Settings\afriscribe\Application Data\ArcSoft
2007-07-02 16:31:23 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-07-02 16:27:29 0 d-------- C:\Program Files\ArcSoft
2007-07-01 10:29:08 0 d-------- C:\Program Files\InstantFileRecovery
2007-06-24 11:38:41 0 d-------- C:\Program Files\WordMagus
2007-06-24 10:02:27 0 d-------- C:\Program Files\OverDrive ReaderWorks
2007-06-24 09:54:05 0 d-------- C:\Program Files\Common Files
2007-06-24 09:54:05 0 d-------- C:\Program Files\Common Files\OverDrive Shared
2007-05-28 20:03:04 2528 --a------ C:\Documents and Settings\afriscribe\Application Data\$_hpcst$.hpc


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 04:50 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08/17/2007 12:04 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/13/2006 01:39 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=




-- End of Deckard's System Scanner: finished at 2007-08-17 at 01:52:47 ---------


Incident Status Location

Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\afriscribe\Cookies\[email protected][2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\afriscribe\Cookies\[email protected][1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\afriscribe\Cookies\[email protected][2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\afriscribe\Cookies\[email protected][2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\afriscribe\Cookies\[email protected][1].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\afriscribe\Cookies\[email protected][1].txt
Hacktool:Exploit/iFrame Not disinfected Personal Folders\Sent Items\RE: Might also find the Setup readme useful. It is
Hacktool:Exploit/iFrame Not disinfected Personal Folders\Sent Items\RE: Congratulations
Hacktool:Exploit/iFrame Not disinfected Personal Folders\Sent Items\RE: Questionnaire
Hacktool:Exploit/iFrame Not disinfected Personal Folders\Sent Items\RE: Might also find the Setup readme useful. It is
Hacktool:Exploit/iFrame Not disinfected Personal Folders\Sent Items\RE: Congratulations
Hacktool:Exploit/iFrame Not disinfected Personal Folders\Sent Items\RE: Questionnaire
Hacktool:Exploit/iFrame Not disinfected Archive Folders\Sent Items\RE: Might also find the Setup readme useful. It is
Hacktool:Exploit/iFrame Not disinfected Archive Folders\Sent Items\RE: Congratulations
Hacktool:Exploit/iFrame Not disinfected Archive Folders\Sent Items\RE: Questionnaire
Hacktool:Exploit/iFrame Not disinfected Archive Folders\Sent Items\RE: Might also find the Setup readme useful. It is
Hacktool:Exploit/iFrame Not disinfected Archive Folders\Sent Items\RE: Congratulations
Hacktool:Exploit/iFrame Not disinfected Archive Folders\Sent Items\RE: Questionnaire
Virus:W32/ZLFake.A.drp Disinfected C:\WINDOWS\system32\xWFt83Kg.exe
 

Hello, and welcome to the HijackThis Help Forum.

Apologies for any delay in replying, but we have been rather busy lately. You may wish to Subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools (above the first post), then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please let me know if you still need help and I will assist you. I am subscribed to this thread so I will see any reply you make.

While you are waiting for my reply, you may also want to read "Who is Helping you?", which will help you understand where we go from here.

Thank you.
 