Tech Support banner

Status
Not open for further replies.
1 - 8 of 8 Posts

·
Registered
Joined
·
4 Posts
Discussion Starter · #1 ·
Logfile of HijackThis v1.99.1
Scan saved at 11:31:59 PM, on 10/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.125.79.1:444
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\System32\hsrb.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [CTHelper] cthelper.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CTHelper] cthelper.exe
O4 - HKCU\..\RunServices: [CTHelper] cthelper.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - Startup: Shortcut to Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Startup: Start Changing Now ....lnk = C:\Program Files\Wallpaper Changer\WallPaper.exe
O4 - Startup: StealthBot v2.6 Revision 3.lnk = C:\Program Files\StealthBot\StealthBot v2.6R3.exe
O4 - Startup: UltimateBot.exe.lnk = C:\Program Files\UltimateBot\UltimateBot.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9BF607E0-4CC1-4099-9A07-362C9E4FB090} (WStarter Control) - http://live.pdbox.co.kr:8057/WStarter.cab
O16 - DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} (INIwallet50 Control) - http://plugin.inicis.com/wallet50/INIwallet50.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {DE910060-8EFB-44B9-B492-75180696643F} (iiittt Class) - http://www.hotsearchbar.com/toolbar30/hsrb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DB4520E-2D8C-476F-BCAC-ADBD25D2F6DD}: NameServer = 192.168.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe


Is there anything im missing? thanks in advance
 

·
TSF Security Team, Emeritus
Joined
·
26,363 Posts
Your HJT log was taken from Safe Mode. It's not relecting the true state of affairs in your PC. We'll require one from Normal Mode.

Before doing so, please perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan
 

·
Registered
Joined
·
4 Posts
Discussion Starter · #3 ·
Incident Status Location

Spyware:spyware/cydoor No disinfected C:\WINDOWS\SYSTEM32\AdCache
Adware:adware/elitebar No disinfected C:\WINDOWS\EliteSideBar
Adware:adware/beginto No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Richard\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-54980b39-3e55e6eb.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Richard\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-54980b39-3e55e6eb.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Richard\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-54980b39-3e55e6eb.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Richard\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-54980b39-3e55e6eb.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Richard\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-652b4e66-574e874e.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Richard\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-652b4e66-574e874e.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Richard\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-652b4e66-574e874e.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Richard\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-652b4e66-574e874e.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Richard\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-56b33157.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Richard\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-56b33157.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Richard\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-56b33157.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Richard\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-56b33157.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Richard\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6840731f-23eb2951.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Richard\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6840731f-23eb2951.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Richard\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6840731f-23eb2951.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Richard\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6840731f-23eb2951.zip[Beyond.class]
Adware:Adware/ILookup No disinfected C:\Documents and Settings\Richard\Local Settings\Temporary Internet Files\Content.IE5\JMH85FBZ\hsrb[1].cab[hsrb.dll]
Adware:Adware/SAHAgent No disinfected C:\temp\sahagent-cdt1004.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\temp.exe
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
Hello dcmsm,

Please print out or copy this page to Notepad since you will not have any of browsers open while you are fixing this. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Download EliteToolbar Remover http://www.simplytech.it/ETRemover/index_e.htm

Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Run ETRemover.exe now. When it's done, follow the prompts, but don't restart yet. Do the below fixes first.

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\temp\sahagent-cdt1004.exe
C:\WINDOWS\system32\temp.exe


Start KillBox.
Go to the File menu, and choose Paste from Clipboard.
*Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.
Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister.dll Before Deleting" if it's not grayed out.
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt.

Delete the following Folders:

C:\WINDOWS\EliteSideBar
C:\WINDOWS\SYSTEM32\AdCache

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Standard CleanUp!"
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
-Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Reboot into Normal Mode.

Run another scan with Panda and post the results here along with a new HijackThis log from Normal Mode.
 

·
Registered
Joined
·
4 Posts
Discussion Starter · #5 · (Edited)
Thanks for the help so far.

I did most of your report at once then put off scanning again with the online virus scanner for about 3 days I think.

Virus scanner log:

Incident Status Location

Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\temp.exe

I'm not sure whether or not I forgot to delete this or whether it came back, but I did go back and delete it in safemode with the program you gave me, then scanned again, and now it's gone. Before I did the second scan, a window popped up and informed me that there was an error in lass.exe or lsass.exe (not sure which, i didnt look carefully enough) and a timed shutdown box appeared, which i aborted with start > run > shutdown -a.

This is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:52:31 PM, on 11/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 210.100.138.124:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\System32\hsrb.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [CTHelper] cthelper.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - Startup: Shortcut to Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Startup: Start Changing Now ....lnk = C:\Program Files\Wallpaper Changer\WallPaper.exe
O4 - Startup: StealthBot v2.6 Revision 3.lnk = C:\Program Files\StealthBot\StealthBot v2.6R3.exe
O4 - Startup: UltimateBot.exe.lnk = C:\Program Files\UltimateBot\UltimateBot.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130765634796
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BF607E0-4CC1-4099-9A07-362C9E4FB090} (WStarter Control) - http://live.pdbox.co.kr:8057/WStarter.cab
O16 - DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} (INIwallet50 Control) - http://plugin.inicis.com/wallet50/INIwallet50.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {DE910060-8EFB-44B9-B492-75180696643F} (iiittt Class) - http://www.hotsearchbar.com/toolbar30/hsrb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DB4520E-2D8C-476F-BCAC-ADBD25D2F6DD}: NameServer = 192.168.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Apache2 - Unknown owner - C:\apache\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
Hello dcmsm,

Microsoft Windows Update
Visit windowsupdate.com http://www.windowsupdate.com/ . This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Run this removal tool from Symantec http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

If it doesn't find anything, please do the following:

Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.
 

·
Registered
Joined
·
4 Posts
Discussion Starter · #7 ·
sorry, ive been occupied for a bit.

the removal tool found nothing, so heres the log:

StartDreck (build 2.1.7 public stable) - 2005-12-01 @ 03:39:18 (GMT +11:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Richard at RICH

»Registry
»Run Keys
»Current User
»Run
*CTFMON.EXE=C:\WINDOWS\System32\ctfmon.exe
»RunOnce
»Default User
»Run
*CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
*AVG7_Run=C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
»RunOnce
*RunNarrator=Narrator.exe
»Local Machine
»Run
*AVG7_EMC=C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
*SoundMan=SOUNDMAN.EXE
*SiSUSBRG=C:\WINDOWS\SiSUSBrg.exe
*ATIPTA=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
*CTHelper=cthelper.exe
*PcSync=PCsync.exe
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.html
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Internet Explorer/{4b218e3e-bc98-4770-93d3-2731b9329278}
*StubPath=%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
+Windows Messenger/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
*dsktrf.ohb.1/{285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824}
`InprocServer32=C:\WINDOWS\System32\hsrb.dll
*ST/{9394EDE7-C8B5-483E-8773-474BF36AF6E4}
`InprocServer32=C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
*Jccatch.IeCatch2.1/{A5366673-E8CA-11D3-9CD9-0090271D075B}
`InprocServer32=C:\PROGRA~1\FlashGet\jccatch.dll
*MSNToolBandBHO/{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
`InprocServer32=C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
*{ED103D9F-3070-4580-AB1E-E5C179C1AE41}
`InprocServer32=
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\system32\blank.htm
*Search Bar=
*Search Page=http://ie.search.msn.com
*Start Page=about:blank
*SearchAssistant=http://ie.search.msn.com
+SearchUrl
*provider=MSN
*=http://home.microsoft.com/access/autosearch.asp?p=%s
»Default User
»Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=%SystemRoot%\system32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
*CustomizeSearch=http://ie.search.msn.com/en-us/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Richard\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\Richard\Start Menu\Programs\Startup\Shortcut to Xfire.lnk
*C:\Documents and Settings\Richard\Start Menu\Programs\Startup\Start Changing Now ....lnk
*C:\Documents and Settings\Richard\Start Menu\Programs\Startup\StealthBot v2.6 Revision 3.lnk
*C:\Documents and Settings\Richard\Start Menu\Programs\Startup\UltimateBot.exe.lnk
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\System32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
*C:\WINDOWS\System32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
*C:\WINDOWS\System32\drivers\etc\hosts
`127.0.0.1 localhost
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\System32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\WINDOWS\System32\notepad.exe
*C:\WINDOWS\notepad.exe
+C:\WINDOWS\System32\taskman.exe
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\System32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+444=\SystemRoot\System32\smss.exe
+500=\??\C:\WINDOWS\system32\csrss.exe
+524=\??\C:\WINDOWS\system32\winlogon.exe
+568=C:\WINDOWS\system32\services.exe
+580=C:\WINDOWS\system32\lsass.exe
+732=C:\WINDOWS\System32\Ati2evxx.exe
+772=C:\WINDOWS\system32\svchost.exe
+832=C:\WINDOWS\System32\svchost.exe
+916=C:\WINDOWS\System32\svchost.exe
+944=C:\WINDOWS\System32\svchost.exe
+1172=C:\WINDOWS\system32\Ati2evxx.exe
+1232=C:\WINDOWS\Explorer.EXE
+1452=C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
+1472=C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
+1580=C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
+1592=C:\WINDOWS\SOUNDMAN.EXE
+1624=C:\WINDOWS\System32\wdfmgr.exe
+1684=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
+1712=C:\WINDOWS\System32\ctfmon.exe
+1836=C:\Program Files\Xfire\Xfire.exe
+216=C:\Program Files\Wallpaper Changer\WallPaper.exe
+504=C:\Program Files\StealthBot\StealthBot v2.6R3.exe
+812=C:\Program Files\UltimateBot\UltimateBot.exe
+1200=C:\Program Files\Starcraft\BWLauncher.exe
+628=C:\Program Files\MSN Messenger\msnmsgr.exe
+212=C:\Program Files\Mozilla Firefox\firefox.exe
+632=C:\Program Files\Winamp\winamp.exe
+1924=C:\Documents and Settings\Richard\Desktop\StartDreck-1\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
Welcome back :smile:

You should still have the ETRemover that you downloaded a couple weeks ago. In case you no longer do, here is the link once again: Download EliteToolbar Remover Do not run it yet.

Download and unzip BFUzip from http://www.merijn.org/files/bfu.zip
Run the program and click the Web button as shown here:


Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/p2pnetwork.bfu

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo

Run StartDreck with the same options checked like before. Click on each of the following and hit the Delete button in the program:

*dsktrf.ohb.1/{285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824}
`InprocServer32=C:\WINDOWS\System32\hsrb.dll

*{ED103D9F-3070-4580-AB1E-E5C179C1AE41}

To make it easier, I suggest doing a search for the above line (in the forum here) so that you have a rough idea of where it's located in the StartDreck program.

Reboot into Safe Mode and Run ETRemover.exe /B]now. When it's done, follow the prompts.

I'd like you to use a different online scanner this time:

Perform an online scan using Internet Explorer with [URL=http://www.kaspersky.com/virusscanner]Kaspersky WebScanner


You will be promted to install an ActiveX component from Kaspersky, Click Yes.
*The program will launch and then begin downloading the latest definition files:
*Once the files have been downloaded click on NEXT
*Now click on Scan Settings
*In the scan settings make that the following are selected:
*Scan using the following Anti-Virus database:
*Standard
*Scan Options:
*Scan Archives
*Scan Mail Bases
*Click OK
*Now under select a target to scan:
*Select My Computer
*This will program will start and scan your system.
*The scan will take a while so be patient and let it run.
*Once the scan is complete it will display if your system has been infected.
*Now click on the Save as Text button:
*Save the file to your desktop.
*Copy and paste that information in your next post along with a new HijackThis log.

How is your system running now?
 
1 - 8 of 8 Posts
Status
Not open for further replies.
Top