Discussion Starter · #1 ·
Hi, this is my first post and I'm sorry if I have done anything wrong.

I am usually pretty good at removing spyware etc., but I seem to have a real stubborn one here. When I use Google to do a search, a different page will be returned. I have done all the scans in safe mode using Adaware, Spybot, AVG spyware and AVG virus. I have also done a couple of the online scans.

Each of the virus scans found a trojan. One of the sites I used told me to manually remove the trojan by going to the Control Panel - Java console, then the Cache tab, and deleting the cache. But I don't seem to have a Cache tab on the Java control panel. So I followed the path of the trojan and just deleted the files. But after doing another AVG spyware scan in safe mode there was another trojan.

These are the paths of the Trojans.

app data\sun\java\deployment\cach\javapi\jar\ejs.jar-276a9113259504ab.zip

app data\sun\java\deployment\cach\javapi\jar\njs.jar-744ecf350d64784.zip

My PC at start-up is also hanging for about 30 seconds in an unusual place. I did msconfig and there is nothing new in there. It is also running slightly slower than normal.

This is the log.

Logfile of HijackThis v1.99.1
Scan saved at 12:10:08, on 01/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\csrss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Windows Defender\MsMpEng.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
G:\Program Files\Windows Defender\MSASCui.exe
G:\WINDOWS\system32\ctfmon.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
G:\WINDOWS\system32\oodag.exe
G:\WINDOWS\system32\slserv.exe
G:\WINDOWS\System32\snmp.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
G:\WINDOWS\system32\ZoneLabs\vsmon.exe
G:\WINDOWS\System32\alg.exe
G:\WINDOWS\system32\wuauclt.exe
G:\WINDOWS\System32\wbem\wmiprvse.exe
G:\WINDOWS\system32\devldr32.exe
G:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://signin.ebay.co.uk/ws/eBayIS...e=&existingEmail=&isCheckout=&migrateVisitor=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - G:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "G:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download All Links with IDM - G:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - G:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Aztec Riches Poker - {7FCF69CA-B1D5-4b13-A6B0-31020DD5A976} - G:\Program Files\aztecrichesMPP\MPPoker.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O10 - Unknown file in Winsock LSP: g:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: g:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: g:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: g:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: g:\windows\system32\idmmbc.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {31150A86-0BBA-409F-BEB4-F3922D10BF34} (Gif89 Class) - http://212.175.206.228/xplug.ocx
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/eng/boards_2_0_0_30.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106343709649
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A7196C8E-35A5-4FF0-9E46-E28918B5CAF6} (GameDesire Domino) - http://67.15.101.3/g_bin/eng/domino_2_0_0_28.cab
O16 - DPF: {A9ED6AA2-D9D4-4D71-9586-E293E2E3580B} (GameDesire Marbles&Diamonds&Runes) - http://67.15.101.3/g_bin/eng/marbles_2_0_0_27.cab
O16 - DPF: {AD7013FF-1D9A-4F36-94A6-3CD408A663F9} (GameDesire BreakOut) - http://67.15.101.3/g_bin/eng/breakout_2_0_0_24.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{46C2EDCC-5735-4C7C-AE39-95AFDEBF21E1}: NameServer = 85.255.113.146,85.255.112.173
O17 - HKLM\System\CCS\Services\Tcpip\..\{95E15EC4-BF9D-4071-8770-C5B1C47D5E8F}: NameServer = 85.255.113.146,85.255.112.173
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D60FDE7-A0B6-46AC-AB63-BD310FF4C92D}: NameServer = 85.255.113.146,85.255.112.173
O17 - HKLM\System\CCS\Services\Tcpip\..\{D47E5A45-F4CA-4BC3-AB91-3E310C849D16}: NameServer = 85.255.113.146,85.255.112.173
O17 - HKLM\System\CS2\Services\Tcpip\..\{46C2EDCC-5735-4C7C-AE39-95AFDEBF21E1}: NameServer = 85.255.113.146,85.255.112.173
O17 - HKLM\System\CS3\Services\Tcpip\..\{46C2EDCC-5735-4C7C-AE39-95AFDEBF21E1}: NameServer = 85.255.113.146,85.255.112.173
O20 - Winlogon Notify: WgaLogon - G:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - G:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - G:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - G:\WINDOWS\system32\oodag.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - G:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - G:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - G:\WINDOWS\system32\ZoneLabs\vsmon.exe


Thanks for any help.

Mathew.
 

Hello Matjoss, and welcome to TSF


Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools,
then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.


Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this
webpage would not be available when you're carrying out the fix.



IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.

The process is not instant. Please continue to review my answers until I tell you your machine is clear.
Absence of symptoms does not mean that everything is clear. So let's do this to the end!

Please make every effort to reply to my posts in a timely manner. Malware breeds malware and the longer an infection remains on a system, the more
likely additional infections will result.


----------------------------------------

You have a Wareout infection. We must deal with this first and separately as it can affect your internet connection. Once this is
cleaned, we can proceed with the rest of the system.


----------------------------------------


Fixwareout


Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe

or

http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

  • Save it to your desktop and run it.
  • Click "Next", then Install, make sure "Run fixit" is checked and click Finish.
  • The fix will begin: Please follow the prompts.
  • You will be asked to reboot your computer: Please do so.
  • Your system may take longer than usual to load and this is normal.


Once the desktop loads, a text file will open (report.txt); you can close it - the file has already been saved.


Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

O17 - HKLM\System\CCS\Services\Tcpip\..\{46C2EDCC-5735-4C7C-AE39-95AFDEBF21E1}: NameServer = 85.255.113.146,85.255.112.173
O17 - HKLM\System\CCS\Services\Tcpip\..\{95E15EC4-BF9D-4071-8770-C5B1C47D5E8F}: NameServer = 85.255.113.146,85.255.112.173
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D60FDE7-A0B6-46AC-AB63-BD310FF4C92D}: NameServer = 85.255.113.146,85.255.112.173
O17 - HKLM\System\CCS\Services\Tcpip\..\{D47E5A45-F4CA-4BC3-AB91-3E310C849D16}: NameServer = 85.255.113.146,85.255.112.173
O17 - HKLM\System\CS2\Services\Tcpip\..\{46C2EDCC-5735-4C7C-AE39-95AFDEBF21E1}: NameServer = 85.255.113.146,85.255.112.173
O17 - HKLM\System\CS3\Services\Tcpip\..\{46C2EDCC-5735-4C7C-AE39-95AFDEBF21E1}: NameServer = 85.255.113.146,85.255.112.173


Please remember to close all other windows, including browsers then click Fix checked.




FOLLOW-UP

Please return and post these items:

Wareout log - (you can find it at C:\fixwareout\report.txt)
A new HJT log run in Normal Mode


Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode


NOTE: Should you experience Internet Connection problems, please follow these directions

Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection
or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the
radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.
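As an added illustration, not code from this thread or from any of the tools it names: a small Python triage script that pulls the O1 (hosts file) and O17 (TCP/IP NameServer) entries out of a HijackThis log like the one posted above and reports the DNS servers configured per interface and control set. The allowlist of expected DNS servers (`192.168.1.1` below) is an assumed example; the sample log lines are copied from this thread's log.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: O1/O17 lines (plus one unrelated O4 line) copied from the
# HijackThis log posted in this thread.
SAMPLE_HJT_LOG = r"""
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{46C2EDCC-5735-4C7C-AE39-95AFDEBF21E1}: NameServer = 85.255.113.146,85.255.112.173
O17 - HKLM\System\CCS\Services\Tcpip\..\{95E15EC4-BF9D-4071-8770-C5B1C47D5E8F}: NameServer = 85.255.113.146,85.255.112.173
O17 - HKLM\System\CS2\Services\Tcpip\..\{46C2EDCC-5735-4C7C-AE39-95AFDEBF21E1}: NameServer = 85.255.113.146,85.255.112.173
O17 - HKLM\System\CS3\Services\Tcpip\..\{46C2EDCC-5735-4C7C-AE39-95AFDEBF21E1}: NameServer = 85.255.113.146,85.255.112.173
"""

# O17 lines name the control set (CCS = CurrentControlSet, CSn = ControlSet00n),
# the Tcpip subkey (usually ..\{interface GUID}) and a NameServer/Domain value.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\(?P<key>[^:]+): "
    r"(?P<name>NameServer|Domain|SearchList) = (?P<value>.*)$"
)
# O1 lines are hosts-file entries: "<ip> <hostname>".
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")


def parse_hjt(text):
    """Return (hosts, dns): hosts as (ip, hostname) pairs, dns as one dict
    per O17 NameServer line with control_set, interface and servers."""
    hosts, dns = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = O1_RE.match(line)
        if m:
            hosts.append((m.group("ip"), m.group("host")))
            continue
        m = O17_RE.match(line)
        if m and m.group("name") == "NameServer":
            servers = [s for s in re.split(r"[,\s]+", m.group("value")) if s]
            dns.append({
                "control_set": m.group("cs"),
                # key looks like "..\{GUID}"; keep only the interface GUID
                "interface": m.group("key").split("\\")[-1],
                "servers": servers,
            })
    return hosts, dns


def triage(hosts, dns, expected_dns):
    """Return human-readable findings: NameServer values that are neither
    private (LAN) addresses nor in the expected_dns allowlist, grouped by
    server so you can see how many interfaces and control sets carry them,
    plus hosts-file entries that point a hostname at a non-loopback address."""
    expected = {ipaddress.ip_address(a) for a in expected_dns}
    findings = []
    by_server = defaultdict(set)  # server -> {(control_set, interface)}
    for entry in dns:
        for s in entry["servers"]:
            try:
                addr = ipaddress.ip_address(s)
            except ValueError:
                findings.append(f"O17 unparsable NameServer {s!r} on {entry['interface']}")
                continue
            if addr.is_private or addr in expected:
                continue
            by_server[str(addr)].add((entry["control_set"], entry["interface"]))
    for server, where in sorted(by_server.items()):
        css = sorted({cs for cs, _ in where})
        ifaces = sorted({i for _, i in where})
        # The same value in CCS and in CS2/CS3 means it would survive a boot
        # into "Last Known Good Configuration" as well.
        findings.append(
            f"O17 unexpected NameServer {server} on {len(ifaces)} interface(s) "
            f"in control set(s) {','.join(css)}"
        )
    for ip, host in hosts:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"O1 unparsable hosts entry {ip!r} {host}")
            continue
        # Ad-blocking hosts files map names to loopback; anything else redirects.
        if not addr.is_loopback:
            findings.append(f"O1 hosts override: {host} -> {addr}")
    return findings


if __name__ == "__main__":
    hosts, dns = parse_hjt(SAMPLE_HJT_LOG)
    for f in triage(hosts, dns, expected_dns=["192.168.1.1"]):
        print(f)
```

Feed it a whole HijackThis log and compare the flagged servers with what your ISP or router actually hands out before fixing anything; a legitimate ISP resolver is also a public address, so the allowlist is what separates the two.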
 

Discussion Starter · #3 ·
Requested logs

Hi thanks for the reply.

Here are the logs.


Fixwareout
Last edited 12/06/2006
Post this report in the forums please
...
Prerun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdzpz.exe"

...
...
Reg Entries that were deleted
...

Random Runs removed from HKLM
...
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
G:\WINDOWS\SYSTEM32\KDZPZ.EXE 63,506 2004-08-04

Other suspects.

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.
...
Postrun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

...

******************************************************

Logfile of HijackThis v1.99.1
Scan saved at 23:32:10, on 02/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Windows Defender\MsMpEng.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
G:\WINDOWS\system32\oodag.exe
G:\WINDOWS\system32\slserv.exe
G:\WINDOWS\System32\snmp.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
G:\WINDOWS\system32\ZoneLabs\vsmon.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
G:\WINDOWS\system32\ctfmon.exe
G:\WINDOWS\system32\devldr32.exe
G:\Hijackthis\HijackThis.exe

O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - G:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download All Links with IDM - G:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - G:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Aztec Riches Poker - {7FCF69CA-B1D5-4b13-A6B0-31020DD5A976} - G:\Program Files\aztecrichesMPP\MPPoker.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O10 - Unknown file in Winsock LSP: g:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: g:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: g:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: g:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: g:\windows\system32\idmmbc.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {31150A86-0BBA-409F-BEB4-F3922D10BF34} (Gif89 Class) - http://212.175.206.228/xplug.ocx
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/eng/boards_2_0_0_30.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106343709649
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A7196C8E-35A5-4FF0-9E46-E28918B5CAF6} (GameDesire Domino) - http://67.15.101.3/g_bin/eng/domino_2_0_0_28.cab
O16 - DPF: {A9ED6AA2-D9D4-4D71-9586-E293E2E3580B} (GameDesire Marbles&Diamonds&Runes) - http://67.15.101.3/g_bin/eng/marbles_2_0_0_27.cab
O16 - DPF: {AD7013FF-1D9A-4F36-94A6-3CD408A663F9} (GameDesire BreakOut) - http://67.15.101.3/g_bin/eng/breakout_2_0_0_24.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: WgaLogon - G:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - G:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - G:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - G:\WINDOWS\system32\oodag.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - G:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - G:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - G:\WINDOWS\system32\ZoneLabs\vsmon.exe

******************************************************

Thanks again for your help.
 

Looks like we got the infection. Let's see what's hiding.


----------------------------------------


CLEAR JAVA CACHE

But I don't seem to have a Cache tab on the Java control panel?
You won't have a cache tab. Please follow these instructions. The link will take you to Java's site with instructional diagrams.



See this page for instructions on how to clear java's cache.

Go into the Control Panel and double-click the Java Icon (looks like a coffee cup).
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked

    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

----------------------------------------

ComboFix



1. Download this file - You MUST save it to your desktop

COMBOFIX




2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

----------------------------------------


Kaspersky - Extended

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect.
    We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

----------------------------------------

FOLLOW-UP

Please return and post these items:

c:\combofix.txt
Kaspersky scan
 

Discussion Starter · #5 ·
Logs

Hi Fredmh

I managed to do the Java cache and the ComboFix, but I had trouble doing the Kaspersky scan. I went to the site and clicked on the scan button; the ActiveX install bar appeared, so I clicked on it and agreed to the install, but the whole process kept going around in circles and not getting anywhere.

I read the Kaspersky page which said I need administrative privileges to install the activeX control. I looked at my user profile and it says I am the computer administrator. So I have not been able to do this scan.

Here is the Combofix scan.

"MATHEW" - 07-01-03 18:08:34.17 Service Pack 2
ComboFix 07-01-03.2W-BetaE2 - Running from: "G:\Documents and Settings\MATHEW\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-03 to 2007-01-03 ))))))))))))))))))))))))))))))))))


2007-01-02 23:17 <DIR> d-------- G:\fixwareout
2007-01-01 19:09 <DIR> d-a------ G:\Documents and Settings\All Users\Application Data\TEMP
2007-01-01 19:09 <DIR> d-------- G:\DOCUME~1\MATHEW\APPLIC~1\Simply Super Software
2007-01-01 17:41 <DIR> d-------- G:\Program Files\XoftSpySE
2007-01-01 17:22 <DIR> d-------- G:\Program Files\Daphne
2007-01-01 16:58 <DIR> d-------- G:\Program Files\SpywareBlaster
2006-12-31 11:01 <DIR> d-------- G:\WINDOWS\BDOSCAN8
2006-12-31 07:59 <DIR> d-------- G:\DOCUME~1\MATHEW\.housecall6.6
2006-12-30 19:00 <DIR> d-------- G:\Hijackthis
2006-12-30 18:48 <DIR> d-------- G:\Program Files\Browser Hijack Blaster
2006-12-30 01:18 <DIR> d-------- G:\WINDOWS\SxsCaPendDel
2006-12-30 01:18 <DIR> d-------- G:\Program Files\Windows Defender
2006-12-30 01:05 3,968 --a------ G:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-27 13:57 3,968 --a------ G:\WINDOWS\system32\drivers\avgclean.sys
2006-12-27 13:57 18,240 --a------ G:\WINDOWS\system32\drivers\avgmfx86.sys
2006-12-14 22:02 <DIR> d-------- G:\Program Files\Windows Media Connect 2
2006-12-14 22:00 <DIR> d-------- G:\WINDOWS\system32\drivers\UMDF
2006-12-05 20:14 <DIR> d-------- G:\Program Files\Diner Dash Flo on the Go


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-03 18:04 -------- d-------- G:\DOCUME~1\MATHEW\Application Data\dmcache
2007-01-01 19:09 -------- d-------- G:\Program Files\trojan remover
2007-01-01 19:09 -------- d-------- G:\DOCUME~1\MATHEW\Application Data\simply super software
2007-01-01 18:48 -------- d-------- G:\Program Files\trojanhunter 4.1
2007-01-01 18:14 -------- d-------- G:\DOCUME~1\MATHEW\Application Data\azureus
2006-12-31 08:08 -------- d-------- G:\Program Files\internet download manager
2006-12-30 09:51 -------- d-------- G:\Program Files\pacificpoker
2006-12-30 01:05 -------- d-------- G:\Program Files\grisoft
2006-12-27 13:57 816672 --a------ G:\WINDOWS\system32\drivers\avg7core.sys
2006-12-27 13:57 4960 --a------ G:\WINDOWS\system32\drivers\avgtdi.sys
2006-12-27 13:57 4224 --a------ G:\WINDOWS\system32\drivers\avg7rsw.sys
2006-12-27 13:57 28416 --a------ G:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-27 13:56 -------- d---s---- G:\DOCUME~1\MATHEW\Application Data\microsoft
2006-12-09 20:35 -------- d-------- G:\Program Files\ganymedenet
2006-12-09 12:36 -------- d-------- G:\DOCUME~1\MATHEW\Application Data\zylom
2006-12-09 12:36 -------- d-------- G:\DOCUME~1\MATHEW\Application Data\identities
2006-12-09 12:35 -------- d-------- G:\Program Files\zylom games
2006-12-05 20:15 -------- d-------- G:\DOCUME~1\MATHEW\Application Data\playfirst
2006-12-03 00:25 -------- d-------- G:\Program Files\aztecrichesmpp
2006-12-02 22:52 -------- d-------- G:\DOCUME~1\MATHEW\Application Data\microgaming
2006-12-02 22:28 -------- d-------- G:\Program Files\mgboss
2006-11-25 14:50 -------- d-------- G:\Program Files\zoom player
2006-11-25 14:10 -------- d-------- G:\DOCUME~1\MATHEW\Application Data\slysoft
2006-11-25 14:05 -------- d-------- G:\Program Files\slysoft
2006-11-20 20:58 -------- d-------- G:\Program Files\x-ways forensics
2006-11-20 20:52 -------- d--h----- G:\Program Files\installshield installation information
2006-11-20 20:52 -------- d-------- G:\Program Files\@stake
2006-11-20 20:51 -------- d-------- G:\Program Files\r-studio ntfs
2006-11-20 20:43 -------- d-------- G:\Program Files\accessdata
2006-11-20 08:42 33280 --a------ G:\WINDOWS\system32\snmp.exe
2006-11-20 00:16 -------- d-------- G:\Program Files\undisker
2006-11-19 13:53 -------- d-------- G:\Program Files\oo software
2006-11-19 00:36 -------- d-------- G:\Program Files\flvplayer
2006-11-19 00:20 -------- d-------- G:\Program Files\ace mega codecs pack
2006-11-18 21:38 -------- d-------- G:\Program Files\limewire
2006-11-18 17:41 -------- d-------- G:\Program Files\azureus
2006-11-18 16:58 -------- d-------- G:\Program Files\java
2006-11-11 12:58 -------- d-------- G:\Program Files\super collapse! 3
2006-11-11 12:51 -------- d-------- G:\Program Files\yahoo! games
2006-11-11 12:51 -------- d-------- G:\Program Files\trymedia
2006-11-08 05:06 679424 --a------ G:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ G:\WINDOWS\system32\msxml4.dll
2006-11-04 13:03 848 --ahs---- G:\WINDOWS\system32\kgygaavl.sys
2006-10-23 14:51 202424 --a------ G:\WINDOWS\system32\idmmbc.dll
2006-10-19 13:56 713216 --a------ G:\WINDOWS\system32\sxs.dll
2006-10-18 21:58 8704 --a------ G:\WINDOWS\system32\wdfmgr.exe
2006-10-18 21:58 8704 --a------ G:\WINDOWS\system32\uwdf.exe
2006-10-18 21:47 99840 --a------ G:\WINDOWS\system32\wmpshell.dll
2006-10-18 21:47 991744 --a------ G:\WINDOWS\system32\drmv2clt.dll
2006-10-18 21:47 937984 --a------ G:\WINDOWS\system32\wmnetmgr.dll
2006-10-18 21:47 8231936 --a------ G:\WINDOWS\system32\wmploc.dll
2006-10-18 21:47 767488 --------- G:\WINDOWS\system32\wmvsencd.dll
2006-10-18 21:47 757248 --a------ G:\WINDOWS\system32\wmadmod.dll
2006-10-18 21:47 7168 --a------ G:\WINDOWS\system32\asferror.dll
2006-10-18 21:47 656896 --------- G:\WINDOWS\system32\wmvxencd.dll
2006-10-18 21:47 63488 --a------ G:\WINDOWS\system32\wpdmtpus.dll
2006-10-18 21:47 629760 --a------ G:\WINDOWS\system32\wpd_ci.dll
2006-10-18 21:47 613376 --------- G:\WINDOWS\system32\wmpmde.dll
2006-10-18 21:47 603648 --a------ G:\WINDOWS\system32\wmspdmod.dll
2006-10-18 21:47 542720 --a------ G:\WINDOWS\system32\blackbox.dll
2006-10-18 21:47 535040 --------- G:\WINDOWS\system32\wmdrmsdk.dll
2006-10-18 21:47 429056 --a------ G:\WINDOWS\system32\wmdrmdev.dll
2006-10-18 21:47 414208 --a------ G:\WINDOWS\system32\msscp.dll
2006-10-18 21:47 4096 --a------ G:\WINDOWS\system32\wmvdmoe2.dll
2006-10-18 21:47 4096 --a------ G:\WINDOWS\system32\wmvdmod.dll
2006-10-18 21:47 4096 --a------ G:\WINDOWS\system32\wmvadve.dll
2006-10-18 21:47 4096 --a------ G:\WINDOWS\system32\wmvadvd.dll
2006-10-18 21:47 4096 --a------ G:\WINDOWS\system32\wmsdmoe2.dll
2006-10-18 21:47 4096 --a------ G:\WINDOWS\system32\wmsdmod.dll
2006-10-18 21:47 4096 --a------ G:\WINDOWS\system32\wdfapi.dll
2006-10-18 21:47 4096 --a------ G:\WINDOWS\system32\mpg4dmod.dll
2006-10-18 21:47 4096 --------- G:\WINDOWS\system32\mp4sdmod.dll
2006-10-18 21:47 4096 --------- G:\WINDOWS\system32\mp43dmod.dll
2006-10-18 21:47 38400 --------- G:\WINDOWS\system32\wpdshextres.dll
2006-10-18 21:47 37376 --a------ G:\WINDOWS\system32\wmdmps.dll
2006-10-18 21:47 35840 --a------ G:\WINDOWS\system32\wpdconns.dll
2006-10-18 21:47 356352 --a------ G:\WINDOWS\system32\wpdsp.dll
2006-10-18 21:47 348672 --a------ G:\WINDOWS\system32\wmdrmnet.dll
2006-10-18 21:47 33792 --a------ G:\WINDOWS\system32\wmdmlog.dll
2006-10-18 21:47 321536 --a------ G:\WINDOWS\system32\mswmdm.dll
2006-10-18 21:47 317440 --------- G:\WINDOWS\system32\mp4sdecd.dll
2006-10-18 21:47 314880 --a------ G:\WINDOWS\system32\wmpdxm.dll
2006-10-18 21:47 295936 --------- G:\WINDOWS\system32\wmpeffects.dll
2006-10-18 21:47 284160 --------- G:\WINDOWS\system32\portabledeviceapi.dll
2006-10-18 21:47 276992 --a------ G:\WINDOWS\system32\audiodev.dll
2006-10-18 21:47 27136 --a------ G:\WINDOWS\system32\mspmsnsv.dll
2006-10-18 21:47 2603008 --------- G:\WINDOWS\system32\wpdshext.dll
2006-10-18 21:47 259072 --------- G:\WINDOWS\system32\mpg4decd.dll
2006-10-18 21:47 259072 --------- G:\WINDOWS\system32\mp43decd.dll
2006-10-18 21:47 2450944 --a------ G:\WINDOWS\system32\wmvcore.dll
2006-10-18 21:47 242688 --a------ G:\WINDOWS\system32\wmpasf.dll
2006-10-18 21:47 229376 --a------ G:\WINDOWS\system32\cewmdm.dll
2006-10-18 21:47 227328 --a------ G:\WINDOWS\system32\wmerror.dll
2006-10-18 21:47 222208 --a------ G:\WINDOWS\system32\wmasf.dll
2006-10-18 21:47 212992 --------- G:\WINDOWS\system32\mfplat.dll
2006-10-18 21:47 211456 --a------ G:\WINDOWS\system32\qasf.dll
2006-10-18 21:47 204288 --a------ G:\WINDOWS\system32\wmpsrcwp.dll
2006-10-18 21:47 199168 --------- G:\WINDOWS\system32\portabledevicewmdrm.dll
2006-10-18 21:47 179712 --a------ G:\WINDOWS\system32\msnetobj.dll
2006-10-18 21:47 175616 --a------ G:\WINDOWS\system32\mspmsp.dll
2006-10-18 21:47 166912 --------- G:\WINDOWS\system32\portabledevicetypes.dll
2006-10-18 21:47 1661440 --a------ G:\WINDOWS\system32\wmpencen.dll
2006-10-18 21:47 1574912 --------- G:\WINDOWS\system32\wmvencod.dll
2006-10-18 21:47 157184 --a------ G:\WINDOWS\system32\wmidx.dll
2006-10-18 21:47 154624 --a------ G:\WINDOWS\system32\wpdmtp.dll
2006-10-18 21:47 1543680 --------- G:\WINDOWS\system32\wmvdecod.dll
2006-10-18 21:47 1382912 --------- G:\WINDOWS\system32\wmvsdecd.dll
2006-10-18 21:47 133632 --------- G:\WINDOWS\system32\wpdshserviceobj.dll
2006-10-18 21:47 1329152 --a------ G:\WINDOWS\system32\wmspdmoe.dll
2006-10-18 21:47 132096 --------- G:\WINDOWS\system32\portabledevicewiacompat.dll
2006-10-18 21:47 130048 --------- G:\WINDOWS\system32\wmpps.dll
2006-10-18 21:47 11264 --a------ G:\WINDOWS\system32\laprxy.dll
2006-10-18 21:47 1117696 --a------ G:\WINDOWS\system32\wmadmoe.dll
2006-10-18 21:47 101888 --------- G:\WINDOWS\system32\portabledeviceclassextension.dll
2006-10-18 20:03 100864 --a------ G:\WINDOWS\system32\logagent.exe
2006-10-18 20:00 249856 --------- G:\WINDOWS\system32\drmupgds.exe
2006-10-18 20:00 17408 --------- G:\WINDOWS\system32\wpdshextautoplay.exe
2006-10-17 12:33 6049280 --------- G:\WINDOWS\system32\ieframe.dll
2006-10-17 12:33 50688 --------- G:\WINDOWS\system32\msfeedsbs.dll
2006-10-17 12:33 458752 --------- G:\WINDOWS\system32\msfeeds.dll
2006-10-17 12:33 413696 --a------ G:\WINDOWS\system32\vbscript.dll
2006-10-17 12:33 231424 --a------ G:\WINDOWS\system32\webcheck.dll
2006-10-17 12:33 180736 --------- G:\WINDOWS\system32\ieui.dll
2006-10-17 12:33 156160 --a------ G:\WINDOWS\system32\msls31.dll
2006-10-17 12:06 78336 --a------ G:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ G:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 206336 --------- G:\WINDOWS\system32\winfxdocobj.exe
2006-10-17 12:05 105984 --a------ G:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ G:\WINDOWS\system32\occache.dll
2006-10-17 12:03 17408 --a------ G:\WINDOWS\system32\corpol.dll
2006-10-17 12:01 71680 --a------ G:\WINDOWS\system32\admparse.dll
2006-10-17 12:01 55296 --a------ G:\WINDOWS\system32\iesetup.dll
2006-10-17 12:01 382976 --a------ G:\WINDOWS\system32\iedkcs32.dll
2006-10-17 12:01 229376 --a------ G:\WINDOWS\system32\ieaksie.dll
2006-10-17 12:01 152064 --a------ G:\WINDOWS\system32\ieakeng.dll
2006-10-17 12:01 13312 --a------ G:\WINDOWS\system32\ieudinit.exe
2006-10-17 12:00 54784 --a------ G:\WINDOWS\system32\ie4uinit.exe
2006-10-17 12:00 43008 --a------ G:\WINDOWS\system32\iernonce.dll
2006-10-17 12:00 123904 --a------ G:\WINDOWS\system32\advpack.dll
2006-10-17 11:58 61952 --------- G:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12288 --------- G:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ G:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57 266752 --------- G:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56 45568 --a------ G:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ G:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27 380928 --------- G:\WINDOWS\system32\ieapfltr.dll
2006-10-17 11:23 161792 --a------ G:\WINDOWS\system32\ieakui.dll
2006-10-13 12:35 65536 --a------ G:\WINDOWS\system32\nwwks.dll
2006-10-13 12:35 64000 --a------ G:\WINDOWS\system32\nwapi32.dll
2006-10-13 12:35 142336 --a------ G:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="G:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="G:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Zone Labs Client"="\"G:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\G:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"backup"="G:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="G:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\G:^Documents and Settings^All Users^Start Menu^Programs^Startup^BackUp Maker.lnk]
"backup"="G:\\WINDOWS\\pss\\BackUp Maker.lnkCommon Startup"
"location"="Common Startup"
"command"="G:\\PROGRA~1\\ASCOMP~1\\BACKUP~1\\bkmaker.exe "
"item"="BackUp Maker"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\G:^Documents and Settings^All Users^Start Menu^Programs^Startup^e-Backup 1.42 Scheduler.lnk]
"backup"="G:\\WINDOWS\\pss\\e-Backup 1.42 Scheduler.lnkCommon Startup"
"location"="Common Startup"
"command"="G:\\WINDOWS\\Installer\\{CA217BDD-D941-454C-AA7E-C3ADA1648FE3}\\_3e121a49.exe /S"
"item"="e-Backup 1.42 Scheduler"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\G:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
"backup"="G:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\G:^Documents and Settings^All Users^Start Menu^Programs^Startup^MetaCafe.lnk]
"backup"="G:\\WINDOWS\\pss\\MetaCafe.lnkCommon Startup"
"location"="Common Startup"
"command"="G:\\Documents and Settings\\MATHEW\\My Documents\\Downloads\\Programs\\METACA~1.EXE /startup"
"item"="MetaCafe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\G:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
"backup"="G:\\WINDOWS\\pss\\WinZip Quick Pick.lnkCommon Startup"
"location"="Common Startup"
"command"="G:\\PROGRA~1\\WinZip\\WZQKPICK.EXE "
"item"="WinZip Quick Pick"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\G:^Documents and Settings^MATHEW^Start Menu^Programs^Startup^MetaCafe.lnk]
"backup"="G:\\WINDOWS\\pss\\MetaCafe.lnkStartup"
"location"="Startup"
"command"="G:\\Documents and Settings\\MATHEW\\My Documents\\Downloads\\Programs\\METACA~1.EXE /startup"
"item"="MetaCafe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AnyDVD"
"hkey"="HKCU"
"command"="G:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Mixer"
"hkey"="HKLM"
"command"="Mixer.exe /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="G:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EfreeSoft Boss Key]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mgboss"
"hkey"="HKLM"
"command"="G:\\Program Files\\Mgboss\\mgboss.exe -min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="FreeRAM XP Pro"
"hkey"="HKCU"
"command"="\"G:\\Program Files\\YourWare Solutions\\FreeRAM XP Pro\\FreeRAM XP Pro.exe\" -win"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="gcasServ"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleDesktop"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IDMan"
"hkey"="HKCU"
"command"="G:\\Program Files\\Internet Download Manager\\IDMan.exe /onboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"G:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="McAgent"
"hkey"="HKLM"
"command"="g:\\PROGRA~1\\mcafee.com\\agent\\McAgent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="McUpdate"
"hkey"="HKLM"
"command"="g:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mimboot"
"hkey"="HKLM"
"command"="G:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm_tray"
"hkey"="HKLM"
"command"="\"G:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MpfTray"
"hkey"="HKLM"
"command"="G:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"G:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="G:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"G:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung LBP SM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ssmmgr"
"hkey"="HKLM"
"command"="\"G:\\WINDOWS\\Samsung\\LaserSMMgr\\ssmmgr.exe\" /autorun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySweeper"
"hkey"="HKLM"
"command"="\"G:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"G:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THGuard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="THGuard"
"hkey"="HKLM"
"command"="\"G:\\Program Files\\TrojanHunter 4.1\\THGuard.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Trjscan"
"hkey"="HKLM"
"command"="G:\\Program Files\\Trojan Remover\\Trjscan.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcvsshld"
"hkey"="HKLM"
"command"="\"g:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcmnhdlr"
"hkey"="HKLM"
"command"="\"g:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSASCui"
"hkey"="HKLM"
"command"="\"G:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="G:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="G:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=dword:00000001
"NoRecentDocsMenu"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0




~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070102-233136-374
O17 - HKLM\System\CS3\Services\Tcpip\..\{46C2EDCC-5735-4C7C-AE39-95AFDEBF21E1}: NameServer = 85.255.113.146,85.255.112.173
backup-20070102-233136-551
O17 - HKLM\System\CS2\Services\Tcpip\..\{46C2EDCC-5735-4C7C-AE39-95AFDEBF21E1}: NameServer = 85.255.113.146,85.255.112.173
backup-20070102-233136-562
O17 - HKLM\System\CCS\Services\Tcpip\..\{95E15EC4-BF9D-4071-8770-C5B1C47D5E8F}: NameServer = 85.255.113.146,85.255.112.173
backup-20070102-233136-737
O17 - HKLM\System\CCS\Services\Tcpip\..\{D47E5A45-F4CA-4BC3-AB91-3E310C849D16}: NameServer = 85.255.113.146,85.255.112.173
backup-20070102-233136-972
O17 - HKLM\System\CCS\Services\Tcpip\..\{46C2EDCC-5735-4C7C-AE39-95AFDEBF21E1}: NameServer = 85.255.113.146,85.255.112.173
backup-20070102-233136-341
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D60FDE7-A0B6-46AC-AB63-BD310FF4C92D}: NameServer = 85.255.113.146,85.255.112.173

Contents of the 'Scheduled Tasks' folder
G:\WINDOWS\tasks\MP Scheduled Scan.job
G:\WINDOWS\tasks\XoftSpySE.job

Completion time: 07-01-03 18:14:05.02


Thanks
Matt.
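The HijackThis backup section of the log above shows six O17 entries that set the NameServer of every network interface (in CCS, CS2 and CS3) to the same two addresses, which is exactly the kind of setting a search-redirect symptom should make a defender check first. As an added example (not part of the original thread, and not HijackThis code), the Python below parses O17 lines and reports any nameserver that is neither on an allowlist of expected resolvers nor inside the local network. The two O17 lines with the 85.255.x addresses are taken from the log; the third line with 192.168.1.1, the allowlist itself and the private-network ranges are constructed assumptions for the demonstration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the first two lines are O17 entries as they appear in the
# HijackThis backup section above; the third is a constructed benign entry
# pointing at a home router, added for contrast.
SAMPLE_O17_LINES = """\
O17 - HKLM\\System\\CS3\\Services\\Tcpip\\..\\{46C2EDCC-5735-4C7C-AE39-95AFDEBF21E1}: NameServer = 85.255.113.146,85.255.112.173
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{95E15EC4-BF9D-4071-8770-C5B1C47D5E8F}: NameServer = 85.255.113.146,85.255.112.173
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{D47E5A45-F4CA-4BC3-AB91-3E310C849D16}: NameServer = 192.168.1.1
""".splitlines()

# Assumption: resolvers this machine is expected to use. In practice this is the
# ISP or corporate resolver list; here a constructed router address.
EXPECTED_RESOLVERS = {ip_address("192.168.1.1")}

# Nameservers inside RFC 1918 space are treated as plausible router/DHCP
# assignments rather than reported.
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
              ip_network("192.168.0.0/16")]

# O17 line shape: "O17 - <hive path>\..\{<interface GUID>}: NameServer = a,b"
O17_RE = re.compile(
    r"^O17 - (?P<hive>.+?)\\\.\.\\(?P<iface>\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>.+)$"
)


def parse_o17(line):
    """Return {'interface': GUID, 'servers': [ip, ...]} for an O17 line, else None."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = []
    for token in m.group("servers").split(","):
        token = token.strip()
        try:
            servers.append(ip_address(token))
        except ValueError:
            continue  # not an IP literal (e.g. a hostname); skip rather than crash
    return {"interface": m.group("iface"), "servers": servers}


def is_expected(addr):
    """True if the resolver is allowlisted or lives in the local network."""
    return addr in EXPECTED_RESOLVERS or any(addr in net for net in LOCAL_NETS)


def find_unexpected_nameservers(lines):
    """List (interface GUID, [unexpected resolver strings]) for each O17 line that needs review."""
    findings = []
    for line in lines:
        entry = parse_o17(line)
        if entry is None:
            continue
        bad = [str(a) for a in entry["servers"] if not is_expected(a)]
        if bad:
            findings.append((entry["interface"], bad))
    return findings


def unexpected_addresses(lines):
    """Deduplicated, sorted list of resolver addresses that appear on any interface but are not expected."""
    seen = set()
    for _iface, bad in find_unexpected_nameservers(lines):
        seen.update(bad)
    return sorted(seen)


if __name__ == "__main__":
    for iface, bad in find_unexpected_nameservers(SAMPLE_O17_LINES):
        print(f"{iface}: unexpected NameServer {', '.join(bad)}")
    print("review these resolvers:", unexpected_addresses(SAMPLE_O17_LINES))
```

The same addresses showing up on every interface, including the backup control sets CS2 and CS3, is the detail worth noticing: a resolver set by DHCP would normally appear once, on the active adapter. Running this over a fresh HijackThis log after the fix should return an empty list.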
 

· Registered
Joined
·
2,337 Posts
I apologise for the delayed response.
Your logs are now clean. Please complete the next "housekeeping" steps and read through the information below.


----------------------------------------


CLEAR HJT BACKUPS

  • Open HiJackThis
  • Select View the list of backups
  • Select Delete All
  • Click Yes to accept deletion
  • After deletion, close HJT


Windows XP - Reset Hidden Files


  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

----------------------------------------

Clean-out and Reset System Restore

This will clean out any junk or malicious files left behind in System Restore

  • To turn off System Restore click Start > Right Click My Computer > Properties.
  • Click the System Restore tab and check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply.
  • When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

  • Turn on System Restore by clicking Start. Right-click My Computer, and then click Properties.
  • Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
  • Click Apply, and then OK.

This will create a new Restore Point.

----------------------------------------

RE-ENABLE ANTI-SPYWARE APPLICATIONS

If you were instructed to disable anti-spyware applications during this fix, you may re-enable them.

----------------------------------------

Please read through the following information to help protect your computer in the future.


KEEP YOUR OPERATING SYSTEM UPDATED

Please ensure that you have already patched your system against the recent WMF exploit. Go to this page to get the KB912919 patch.

MICROSOFT UPDATES

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.


ENABLE WINDOWS AUTO UPDATE

Go to Start > Run and type wuaucpl.cpl.
Tick the checkbox "Keep my computer up to date".
Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".


ENABLE WINDOWS AUTO UPDATE

From within Internet Explorer click on the Tools menu and then click on Internet Options.
  • Select the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Select Custom Level.
      • Change 'Download signed ActiveX controls' to Prompt
      • Change 'Download unsigned ActiveX controls' to Disable
      • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
      • Change 'Installation of desktop items' to Prompt
      • Change 'Launching programs and files in an IFRAME' to Prompt
      • Change 'Navigate sub-frames across different domains' to Prompt
      • When all these changes have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Select OK to exit the Internet Properties page.



TOOLS TO HELP KEEP YOUR SYSTEM CLEAN

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
  • After you have updated, click the button - enable protection for all unprotected items


SpywareGuard to catch and block spyware before it can execute.


SPYBOT - SEARCH & DESTROY Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software. A tutorial on installing & using this product can be found here.


AD-AWARE Download and install Ad-Aware. You should use this program to scan your computer on a regular basis, just as you would with antivirus software, in conjunction with Spybot. A tutorial on installing & using this product can be found here.


IE-SPYAD IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • Download IE-SpyAD - Extract the contents to a new folder
  • From within the folder, double-click install.bat
  • Select Option #2 - Install the new IE-SPYAD list.
  • Then return to the main menu.
  • Select option #4 - Add the old porn sites domain

A tutorial for IE-SPYAD can be found here.


MVPS HOSTS FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.

  • Download hosts.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
  • Click Next, click Next, select the option:
    "Show Extracted files"
  • Click Finish

This will open the newly created hosts folder on your Desktop.

Double-click on the included mvps.bat file. This will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.


MCAFEE SITE ADVISOR SITE ADVISOR is a free IE plug-in (also supported for the Firefox browser) which is used in conjunction with the Google search engine. It advises which web sites are considered safe and which sites could pose a problem. It also shows what problems were encountered with each site, such as malicious downloads, spam, and related links.


ANTI-VIRUS AND FIREWALL PROGRAMS


ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine.
This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online antivirus scanners: Anti-Spyware Tutorial

Here are some very good free Antivirus products which are available:




If you do not have a firewall, here are 4 free ones available for personal use:

Understanding and Using Firewalls



INFORMATIONAL READING


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:




Please respond one more time and let me know you received this post so it can be marked resolved.



If you feel that we have helped you, please help us keep this site free for all. Please visit our DONATION PAGE.
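The post above explains the HOSTS file trick in one sentence: a name listed against 127.0.0.1 never leaves the machine. The same file is also a place a hijacker can point a legitimate name (an update server, say) at an address of its choosing, so when reviewing a machine it is worth separating the two kinds of entry. As an added example (not part of the original thread, and not code from the MVPS project), the Python below parses a hosts file, classifies each entry as a blocklist entry (loopback or 0.0.0.0) or a real redirection that deserves a look, and mimics the lookup order so you can see why a listed name resolves to 127.0.0.1. The hosts file contents, the example domains and the 203.0.113.5 address are all constructed for the demonstration.

```python
import ipaddress

# Constructed sample hosts file: the standard localhost line, some MVPS-style
# block entries (names are made up), and one entry that maps a vendor-looking
# name to a routable address, which is the pattern a reviewer should notice.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by the blocklist
127.0.0.1  ads.example.com
127.0.0.1  tracker.example.net   # inline comment is ignored
0.0.0.0    banners.example.org
203.0.113.5  update.security-vendor.example
"""

# Addresses that make an entry a "blackhole": the name goes nowhere useful.
BLACKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return a list of (address, hostname) pairs; blank lines and comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing and whole-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                            # an address with no names is meaningless
        addr, *names = parts
        try:
            ipaddress.ip_address(addr)          # reject malformed address fields
        except ValueError:
            continue
        for name in names:                      # one address may carry several names
            entries.append((addr, name.lower()))
    return entries


def classify(entries):
    """Split entries into blocklist entries and real redirections (excluding localhost)."""
    blocked, redirected = [], []
    for addr, name in entries:
        if name == "localhost":
            continue
        (blocked if addr in BLACKHOLE_ADDRESSES else redirected).append((addr, name))
    return blocked, redirected


def resolve_with_hosts(name, entries):
    """Mimic the resolver: hosts file wins; None means 'fall through to DNS'."""
    name = name.lower()
    for addr, host in entries:
        if host == name:
            return addr
    return None


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    blocked, redirected = classify(entries)
    print(f"{len(blocked)} blocklist entries, {len(redirected)} redirection(s) to review")
    for addr, name in redirected:
        print(f"  review: {name} -> {addr}")
    print("ads.example.com resolves to", resolve_with_hosts("ads.example.com", entries))
```

On a machine that only carries the MVPS list, the redirected list should be empty; anything in it is either a deliberate local override or something to investigate, and a hosts file that sends a security vendor's update name somewhere routable is the classic sign that the blocklist mechanism has been turned against the machine.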
 