> Malware Problems, Need help removing whatever it is.
Rahina
post May 13 2007, 12:04 PM
Post #16


Security Helper
*****

Group: HJT Team
Posts: 681
Joined: 6-September 06
From: Finland
Member No.: 83,926



Well done :)

Step #1

Please open HiJackThis and scan. Check the boxes next to all the entries listed below:

O2 - BHO: (no name) - {D494C649-BCA9-487E-97F5-157174AF87F8} - C:\WINDOWS\system32\sstqq.dll (file missing)
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\rgjaaklt.dll (file missing)
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\eboinupw.dll",realset


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Step #2

Please go Here to see how to show hidden files in Windows.

Now, Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this file (if present):

C:\WINDOWS\system32\eboinupw.dll

When you are ready with that, please re-scan with Deckard's System Scanner and post a fresh main.txt logfile in your next reply.

Thanks :)


--------------------
[ Antivirus ] [ Firewall ] [ Spywareblaster ] [ Malwarebytes Anti-Malware ] [ Windows update ] [ Firefox ] [ WinPatrol ] [ ATF Cleaner ]

If I have helped you, donate to help me continue helping others.
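The three entries singled out in this post share a pattern: an unnamed BHO whose DLL is gone or sits in system32 under a random-looking name, and a Run value that uses rundll32.exe to load such a DLL. As an added illustration (not code from the thread, from HijackThis, or from Deckard's System Scanner), this Python helper applies those heuristics to HijackThis-format lines; the "5-10 lowercase letters" naming rule is an assumption, and the sample lines are taken from the log posted in this thread.

```python
"""Triage of HijackThis-style log lines (added example, not part of HijackThis
or Deckard's System Scanner).  Heuristics mirror the entries fixed in this thread:
  - O2: an unnamed BHO whose DLL is missing, or which loads from a random-looking
        DLL name in system32 (assumed dropper naming: 5-10 lowercase letters)
  - O4: a Run value that uses rundll32.exe to load such a system32 DLL
An unnamed BHO on its own is NOT flagged: Spybot's SDHelper.dll in the same log is
legitimate and also shows up as "(no name)"."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
BHO_RE = re.compile(r"^BHO:\s*(?P<name>.*?)\s+-\s+\{[0-9A-Fa-f-]{36}\}\s+-\s+(?P<path>.*)$")
# "O4 - HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run:\s+\[(?P<key>[^\]]*)\]\s+(?P<cmd>.*)$")
# rundll32.exe "<dll>",<export>   (quotes are optional)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
# Assumed heuristic for dropper-generated file names (sstqq.dll, rgjaaklt.dll, eboinupw.dll).
RANDOM_DLL_RE = re.compile(r"^[a-z]{5,10}\.dll$")
MISSING = " (file missing)"
SYSTEM32 = "\\windows\\system32\\"


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section, e.g. "O2"
    reason: str
    line: str


def split_missing(path: str) -> Tuple[str, bool]:
    """Strip HijackThis' '(file missing)' marker and report whether it was present."""
    if path.endswith(MISSING):
        return path[: -len(MISSING)].strip(), True
    return path.strip(), False


def random_system32_dll(path: str) -> bool:
    """True if the DLL lives in system32 and its file name looks machine-generated."""
    p = path.lower()
    return SYSTEM32 in p and RANDOM_DLL_RE.match(p.rsplit("\\", 1)[-1]) is not None


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing looks wrong."""
    m = re.match(r"^(?P<sect>[RFO]\d+)\s+-\s+(?P<body>.*)$", line.strip())
    if not m:
        return None
    sect, body = m.group("sect"), m.group("body")
    if sect == "O2":
        b = BHO_RE.match(body)
        if not b:
            return None
        path, missing = split_missing(b.group("path"))
        if b.group("name") == "(no name)":
            if missing:
                return Finding(sect, "unnamed BHO whose DLL is missing on disk", line)
            if random_system32_dll(path):
                return Finding(sect, "unnamed BHO loaded from a random-looking system32 DLL", line)
    elif sect == "O4":
        r = RUN_RE.match(body)
        d = RUNDLL_RE.search(r.group("cmd")) if r else None
        if d and random_system32_dll(d.group("dll")):
            return Finding(sect, f"Run value [{r.group('key')}] uses rundll32 to load a random-looking system32 DLL", line)
    return None


def triage(log: str) -> List[Finding]:
    """Run check_line over every line of a log and collect the findings in order."""
    return [f for f in (check_line(l) for l in log.splitlines()) if f is not None]


# Sample lines taken from the log in this thread: benign entries mixed with the three fixed ones.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D494C649-BCA9-487E-97F5-157174AF87F8} - C:\WINDOWS\system32\sstqq.dll (file missing)
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\rgjaaklt.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\eboinupw.dll",realset
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the sample, the helper reports exactly the three lines the HJT Team member asked to have fixed and stays quiet on the Spybot BHO and the ordinary Run entries.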


IowaGuy
post May 13 2007, 02:11 PM
Post #17


Member
**

Group: Members
Posts: 19
Joined: 11-May 07
From: Iowa
Member No.: 130,319



Deckard's System Scanner v20070426.43
Run by Rob Heidemann on 2007-05-13 at 14:06:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Rob Heidemann.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:06:29 PM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Rob Heidemann\My Documents\Downloads\dss.exe
C:\HJT\ROBHEI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/dmx/?mystation=KALO
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


-- Files created between 2007-04-13 and 2007-05-13 -----------------------------

2007-05-12 20:45:10 0 d-------- C:\Documents and Settings\Rob Heidemann\DoctorWeb
2007-05-12 20:32:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-05-12 20:30:18 51822868 --a------ C:\RegBackup.reg
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-05-12 20:06:04 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-05-12 20:06:04 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-05-12 20:06:04 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-05-12 20:06:04 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-05-12 20:06:04 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-05-12 20:06:03 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-05-12 10:05:44 0 d-------- C:\VundoFix Backups
2007-05-12 08:53:23 0 d-------- C:\HJT
2007-05-05 13:32:44 0 d-------- C:\Program Files\Executive Software
2007-05-05 11:58:45 0 d-------- C:\Program Files\IObit
2007-05-05 11:37:00 0 dr-h----- C:\Documents and Settings\Rob Heidemann\Recent
2007-05-05 11:32:05 0 d-------- C:\Program Files\CCleaner
2007-05-05 11:18:03 2013 -r-h----- C:\WINDOWS\system32\drivers\hosts
2007-05-05 11:17:29 0 d-------- C:\Program Files\RogueRemover PRO
2007-05-05 11:12:40 0 d-------- C:\Program Files\InterMute
2007-05-04 17:30:21 0 d-------- C:\Program Files\Windows Live Safety Center
2007-04-23 21:20:25 0 d-------- C:\Documents and Settings\Rob Heidemann\.Philips
2007-04-21 18:04:13 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\Viewpoint
2007-04-18 21:39:54 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\X10 Commander
2007-04-17 19:39:30 0 d-------- C:\Program Files\Skype


-- Find3M Report ---------------------------------------------------------------

2007-05-08 21:31:03 0 d-------- C:\Program Files\Java
2007-05-08 20:25:55 4 --a------ C:\WINDOWS\system32\B4B166
2007-05-05 11:41:31 0 d-------- C:\Program Files\Common Files\AOL
2007-05-03 22:41:34 0 d-------- C:\Program Files\MSN Messenger
2007-05-01 20:38:07 0 d-------- C:\Program Files\Rhapsody
2007-04-30 21:54:52 0 d-------- C:\Program Files\mIRC
2007-04-24 19:10:07 0 d-------- C:\Program Files\Philips
2007-04-16 06:24:34 0 d-------- C:\Program Files\Lx_cats
2007-04-12 21:32:57 0 d-------- C:\Program Files\Wal-Mart Music Downloads Store
2007-04-09 17:15:05 0 d-------- C:\Program Files\Common Files\i4j_jres
2007-04-09 16:59:51 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-04-03 20:21:00 0 d-------- C:\Program Files\ID3man
2007-02-14 11:51:50 5248 --a------ C:\WINDOWS\system32\giveio.sys


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIX10.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ISUSPM"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe\" -scheduler"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-05-13 at 14:07:00 ---------
Rahina
post May 13 2007, 02:24 PM
Post #18


Security Helper
*****

Group: HJT Team
Posts: 681
Joined: 6-September 06
From: Finland
Member No.: 83,926



Looks good.

Step #1

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Step #2

Download ATF-Cleaner by Atribune to your desktop.

Run ATF-Cleaner. Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Step #3

Please run Panda's ActiveScan. You will need to use Internet Explorer to run it.

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
      o If it wants to install an ActiveX component allow it
      o It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
      o When download is complete, click on My Computer to start the scan
      o When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the ActiveScan report.

Let me know how things are now :)




IowaGuy
post May 13 2007, 04:55 PM
Post #19


Member
**

Group: Members
Posts: 19
Joined: 11-May 07
From: Iowa
Member No.: 130,319



Things seem to be getting better, but they never were too bad. Here is the report:


Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Rob Heidemann\Desktop\ComboFix.exe[ComboFixT\nircmd.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Rob Heidemann\DoctorWeb\Quarantine\fbinvins.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Rob Heidemann\DoctorWeb\Quarantine\genpewri.dll.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Rahina
post May 14 2007, 10:46 AM
Post #20


Security Helper
*****

Group: HJT Team
Posts: 681
Joined: 6-September 06
From: Finland
Member No.: 83,926



Glad to hear things are running better :)

Please locate Doctor Web's quarantine folder and remove everything inside of it:

C:\Documents and Settings\Rob Heidemann\DoctorWeb\Quarantine

Please go Here to see how to show hidden files in Windows.

Now, Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this file (if present):

C:\WINDOWS\nircmd.exe

Please re-scan one more time with Deckard's System Scanner and post a fresh main.txt.

Thanks




IowaGuy
post May 14 2007, 06:26 PM
Post #21


Member
**

Group: Members
Posts: 19
Joined: 11-May 07
From: Iowa
Member No.: 130,319



Deckard's System Scanner v20070426.43
Run by Rob Heidemann on 2007-05-14 at 18:22:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Rob Heidemann.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:22:40 PM, on 5/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Rob Heidemann\My Documents\Downloads\dss.exe
C:\HJT\ROBHEI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/dmx/?mystation=KALO
R3 - URLSearchHook: Star_Media_Tuner toolbar - {073a0daa-e2e0-4b30-b256-a19a5a456702} - C:\Program Files\Star_Media_Tuner\tbStar.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Star_Media_Tuner toolbar - {073a0daa-e2e0-4b30-b256-a19a5a456702} - C:\Program Files\Star_Media_Tuner\tbStar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Star_Media_Tuner toolbar - {073a0daa-e2e0-4b30-b256-a19a5a456702} - C:\Program Files\Star_Media_Tuner\tbStar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


-- Files created between 2007-04-14 and 2007-05-14 -----------------------------

2007-05-13 21:12:04 0 d-------- C:\Program Files\Star_Media_Tuner
2007-05-13 15:47:13 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-05-12 20:45:10 0 d-------- C:\Documents and Settings\Rob Heidemann\DoctorWeb
2007-05-12 20:32:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-05-12 20:30:18 51822868 --a------ C:\RegBackup.reg
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-05-12 20:06:04 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-05-12 20:06:04 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-05-12 20:06:04 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-05-12 20:06:04 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-05-12 20:06:04 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-05-12 20:06:03 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-05-12 10:05:44 0 d-------- C:\VundoFix Backups
2007-05-12 08:53:23 0 d-------- C:\HJT
2007-05-05 13:32:44 0 d-------- C:\Program Files\Executive Software
2007-05-05 11:58:45 0 d-------- C:\Program Files\IObit
2007-05-05 11:37:00 0 dr-h----- C:\Documents and Settings\Rob Heidemann\Recent
2007-05-05 11:32:05 0 d-------- C:\Program Files\CCleaner
2007-05-05 11:18:03 2013 -r-h----- C:\WINDOWS\system32\drivers\hosts
2007-05-05 11:17:29 0 d-------- C:\Program Files\RogueRemover PRO
2007-05-05 11:12:40 0 d-------- C:\Program Files\InterMute
2007-05-04 17:30:21 0 d-------- C:\Program Files\Windows Live Safety Center
2007-04-23 21:20:25 0 d-------- C:\Documents and Settings\Rob Heidemann\.Philips
2007-04-21 18:04:13 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\Viewpoint
2007-04-18 21:39:54 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\X10 Commander
2007-04-17 19:39:30 0 d-------- C:\Program Files\Skype


-- Find3M Report ---------------------------------------------------------------

2007-05-13 16:09:02 0 d-------- C:\Program Files\Lexmark 3100 Series
2007-05-13 16:07:51 0 d-------- C:\Program Files\ID3man
2007-05-13 16:05:59 0 d-------- C:\Program Files\ATI Multimedia
2007-05-08 21:31:03 0 d-------- C:\Program Files\Java
2007-05-08 20:25:55 4 --a------ C:\WINDOWS\system32\B4B166
2007-05-05 11:41:31 0 d-------- C:\Program Files\Common Files\AOL
2007-05-03 22:41:34 0 d-------- C:\Program Files\MSN Messenger
2007-05-01 20:38:07 0 d-------- C:\Program Files\Rhapsody
2007-04-30 21:54:52 0 d-------- C:\Program Files\mIRC
2007-04-24 19:10:07 0 d-------- C:\Program Files\Philips
2007-04-16 06:24:34 0 d-------- C:\Program Files\Lx_cats
2007-04-12 21:32:57 0 d-------- C:\Program Files\Wal-Mart Music Downloads Store
2007-04-09 17:15:05 0 d-------- C:\Program Files\Common Files\i4j_jres
2007-04-09 16:59:51 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-02-14 11:51:50 5248 --a------ C:\WINDOWS\system32\giveio.sys


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{073a0daa-e2e0-4b30-b256-a19a5a456702} C:\Program Files\Star_Media_Tuner\tbStar.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIX10.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ISUSPM"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe\" -scheduler"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-05-14 at 18:23:07 ---------
Rahina
post May 14 2007, 11:56 PM
Post #22


Security Helper
*****

Group: HJT Team
Posts: 681
Joined: 6-September 06
From: Finland
Member No.: 83,926



Good. How are things now?




IowaGuy
post May 15 2007, 04:04 PM
Post #23


Member
**

Group: Members
Posts: 19
Joined: 11-May 07
From: Iowa
Member No.: 130,319



Things seem normal again. Haven't noticed any pop ups or redirects lately! Thanks so much, hopefully I don't do anything stupid like that again!
Rahina
post May 15 2007, 11:26 PM
Post #24


Security Helper
*****

Group: HJT Team
Posts: 681
Joined: 6-September 06
From: Finland
Member No.: 83,926



Good :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files in a restore point.

    You can find instructions on how to enable and re-enable System Restore here:

    Managing Windows Millennium System Restore
    Windows XP System Restore Guide

    Re-enable System Restore with the instructions from the tutorial above.
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab.
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialize and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then OK to exit the Internet Properties page.
  • Use AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources
  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware and hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

    A tutorial on installing and using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers
  • Install AVG Anti-Spyware - Install and download AVG Anti-Spyware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing and using this product can be found here:

    Using AVG Anti-Spyware to remove Spyware, Malware, & Hijackers from Your Computer
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing and using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
  • WinPatrol <= Download and install the free version of WinPatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
Let me know if you still have problems.


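The Internet Explorer "Custom Level" settings recommended in the post above are stored per user as DWORD values under the Internet zone (zone 3) registry key. The following PowerShell script is an added example, not part of the original post or any tool it mentions: it audits the six settings listed there against the recommended values and, with -Apply, sets them. The action IDs and the 0/1/3 encoding are the documented IE zone action IDs; the -Apply switch and the script's function names are this example's own.

```powershell
# Added example (not from the original post): audit and optionally apply the
# Internet Explorer "Internet" zone settings recommended in the post above.
# IE keeps each Custom Level setting as a DWORD named by its action ID under
# the zone key; 0 = Enable, 1 = Prompt, 3 = Disable. Run in the affected
# user's PowerShell session, since the per-user (HKCU) zone key is used.

param(
    [switch]$Apply   # without -Apply the script only reports deviations
)

$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# The six settings from the post, with the values it recommends.
$Desired = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Value = 1 }  # Prompt
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Value = 3 }  # Disable
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }  # Disable
    @{ Id = '1800'; Name = 'Installation of desktop items';                             Value = 1 }  # Prompt
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Value = 1 }  # Prompt
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';              Value = 1 }  # Prompt
)

$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Read one zone value; $null when the value does not exist.
function Get-ZoneValue([string]$Id) {
    $item = Get-ItemProperty -Path $ZoneKey -Name $Id -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Id
}

# Human-readable form of a zone value for the report.
function Format-Label($v) {
    if ($null -eq $v) { return '(not set)' }
    if ($Labels.ContainsKey([int]$v)) { return $Labels[[int]$v] }
    return "unknown($v)"
}

if (-not (Test-Path $ZoneKey)) {
    Write-Error "Zone key not found: $ZoneKey"
    exit 1
}

$deviations = 0
foreach ($s in $Desired) {
    $current = Get-ZoneValue $s.Id
    $ok = ($null -ne $current) -and ($current -eq $s.Value)
    $status = if ($ok) { 'OK ' } else { 'FIX' }
    Write-Output ('{0} {1,-62} current={2,-10} wanted={3}' -f `
        $status, $s.Name, (Format-Label $current), (Format-Label $s.Value))
    if (-not $ok) {
        $deviations++
        if ($Apply) {
            # Creates the value if it is missing; DWord is the type IE expects.
            Set-ItemProperty -Path $ZoneKey -Name $s.Id -Value $s.Value -Type DWord
        }
    }
}

if ($Apply) { Write-Output "Applied $deviations change(s)." }
else        { Write-Output "$deviations setting(s) deviate; re-run with -Apply to fix." }
```

On a domain-joined machine a Group Policy security zone template can override the per-user values, in which case the report will show the policy's settings rather than what -Apply wrote.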
IowaGuy
post May 20 2007, 09:19 PM
Post #25


Member
**

Group: Members
Posts: 19
Joined: 11-May 07
From: Iowa
Member No.: 130,319



Hello! I am hoping you or someone there can help me one more time! I clicked on a link again (I don't know why I'm so stupid!) and it started to do its thing, but I interrupted it. I also deleted anything I could find of the program, but I'm sure there is still some debris left on my computer. The only problems I notice are that the computer doesn't seem to want to shut down and the Task Manager was disabled. I did get the Task Manager fixed by myself! If you could help me once more I'd so appreciate it! Thanks, Rob
Rahina
post May 21 2007, 12:31 AM
Post #26


Security Helper
*****

Group: HJT Team
Posts: 681
Joined: 6-September 06
From: Finland
Member No.: 83,926



Oh..

Run Deckard's System Scanner.

Post a fresh Main.txt in your next reply.

Thank you.


IowaGuy
post May 21 2007, 05:10 PM
Post #27


Member
**

Group: Members
Posts: 19
Joined: 11-May 07
From: Iowa
Member No.: 130,319



Deckard's System Scanner v20070426.43
Run by Rob Heidemann on 2007-05-21 at 17:05:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Rob Heidemann.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:05:41 PM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Rob Heidemann\My Documents\Downloads\dss.exe
C:\HJT\ROBHEI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/dmx/?mystation=KALO
R3 - URLSearchHook: Star_Media_Tuner toolbar - {073a0daa-e2e0-4b30-b256-a19a5a456702} - C:\Program Files\Star_Media_Tuner\tbStar.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Star_Media_Tuner toolbar - {073a0daa-e2e0-4b30-b256-a19a5a456702} - C:\Program Files\Star_Media_Tuner\tbStar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Star_Media_Tuner toolbar - {073a0daa-e2e0-4b30-b256-a19a5a456702} - C:\Program Files\Star_Media_Tuner\tbStar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


-- Files created between 2007-04-21 and 2007-05-21 -----------------------------

2007-05-19 21:42:41 0 d-------- C:\Program Files\Bifrost
2007-05-19 21:42:41 22040 --a------ C:\Documents and Settings\Rob Heidemann\Application Data\addon.dat
2007-05-19 21:42:38 33952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2007-05-19 21:41:40 1195967 --a------ C:\server.exe
2007-05-17 19:27:06 36864 --a------ C:\WINDOWS\system32\sp2.exe <Not Verified; Olympus 400; Project1>
2007-05-16 15:32:10 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\WinPatrol
2007-05-16 15:32:06 0 d-------- C:\Program Files\BillP Studios
2007-05-13 21:12:04 0 d-------- C:\Program Files\Star_Media_Tuner
2007-05-13 15:47:13 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-05-12 20:45:10 0 d-------- C:\Documents and Settings\Rob Heidemann\DoctorWeb
2007-05-12 20:32:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-05-12 20:30:18 51822868 --a------ C:\RegBackup.reg
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-05-12 20:06:04 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-05-12 20:06:04 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-05-12 20:06:04 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-05-12 20:06:04 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-05-12 20:06:04 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-05-12 20:06:03 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-05-12 10:05:44 0 d-------- C:\VundoFix Backups
2007-05-12 08:53:23 0 d-------- C:\HJT
2007-05-05 13:32:44 0 d-------- C:\Program Files\Executive Software
2007-05-05 11:58:45 0 d-------- C:\Program Files\IObit
2007-05-05 11:37:00 0 dr-h----- C:\Documents and Settings\Rob Heidemann\Recent
2007-05-05 11:32:05 0 d-------- C:\Program Files\CCleaner
2007-05-05 11:18:03 2013 -r-h----- C:\WINDOWS\system32\drivers\hosts
2007-05-05 11:17:29 0 d-------- C:\Program Files\RogueRemover PRO
2007-05-05 11:12:40 0 d-------- C:\Program Files\InterMute
2007-05-04 17:30:21 0 d-------- C:\Program Files\Windows Live Safety Center
2007-04-23 21:20:25 0 d-------- C:\Documents and Settings\Rob Heidemann\.Philips
2007-04-21 18:04:13 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\Viewpoint


-- Find3M Report ---------------------------------------------------------------

2007-05-20 21:05:41 4 --a------ C:\WINDOWS\system32\B4B166
2007-05-20 18:01:41 0 d-------- C:\Program Files\mIRC
2007-05-16 15:47:21 0 d-------- C:\Program Files\SpywareBlaster
2007-05-13 16:09:02 0 d-------- C:\Program Files\Lexmark 3100 Series
2007-05-13 16:07:51 0 d-------- C:\Program Files\ID3man
2007-05-13 16:05:59 0 d-------- C:\Program Files\ATI Multimedia
2007-05-08 21:31:03 0 d-------- C:\Program Files\Java
2007-05-08 21:29:52 0 d-------- C:\Program Files\Skype
2007-05-05 11:41:31 0 d-------- C:\Program Files\Common Files\AOL
2007-05-03 22:41:34 0 d-------- C:\Program Files\MSN Messenger
2007-05-01 20:38:07 0 d-------- C:\Program Files\Rhapsody
2007-04-24 19:10:07 0 d-------- C:\Program Files\Philips
2007-04-18 21:39:54 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\X10 Commander
2007-04-16 06:24:34 0 d-------- C:\Program Files\Lx_cats
2007-04-12 21:32:57 0 d-------- C:\Program Files\Wal-Mart Music Downloads Store
2007-04-09 17:15:05 0 d-------- C:\Program Files\Common Files\i4j_jres
2007-04-09 16:59:51 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{073a0daa-e2e0-4b30-b256-a19a5a456702} C:\Program Files\Star_Media_Tuner\tbStar.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIX10.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-05-21 at 17:06:06 ---------

Rahina
post May 22 2007, 12:13 AM
Post #28


Security Helper
*****

Group: HJT Team
Posts: 681
Joined: 6-September 06
From: Finland
Member No.: 83,926



Hello!

Step #1

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Step #2

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files (you will lose all previous restore points, which are likely to be infected):

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Step #3

Please run Panda's ActiveScan. You will need to use Internet Explorer to run it.
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open... click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click Send
  • Select either Home User or Company
  • Click the big Scan Now button
    o If it wants to install an ActiveX component, allow it
    o It will start downloading the files it requires for the scan (Note: it may take a couple of minutes)
    o When the download is complete, click on My Computer to start the scan
    o When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the ActiveScan report



IowaGuy
post May 22 2007, 06:02 PM
Post #29


Member
**

Group: Members
Posts: 19
Joined: 11-May 07
From: Iowa
Member No.: 130,319



Here is the Active Scan for ya!

Incident Status Location

Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.com.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.go.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.xiti.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[www.winantiviruspro.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.bravenet.com/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Rob Heidemann\Desktop\ComboFix.exe[ComboFixT\nircmd.exe]
Virus:W32/MsnPhoto.A.worm Disinfected C:\Documents and Settings\Rob Heidemann\Local Settings\Temporary Internet Files\Content.IE5\RWWOO15E\fotos_posse[1].zip[Mis imágenes/yo_posse_007.jpg.exe]
Virus:Bck/Bifrose.ATW Disinfected C:\Program Files\Bifrost\server.exe
Virus:Bck/Bifrose.ATW Disinfected C:\server.exe
Virus:Trj/Agent.EAZ Disinfected C:\VundoFix Backups\rgjaaklt.dll.bad
Virus:W32/MsnPhoto.A.worm Disinfected C:\WINDOWS\system32\sp2.exe
Rahina
post May 24 2007, 07:51 AM
Post #30


Security Helper
*****

Group: HJT Team
Posts: 681
Joined: 6-September 06
From: Finland
Member No.: 83,926



Hello, sorry for the delay getting to you.

Please go Here to see how to show hidden files in Windows.

Now, Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this file (if present):

C:\Documents and Settings\Rob Heidemann\Local Settings\Temporary Internet Files\Content.IE5\RWWOO15E\fotos_posse[1].zip

Please Locate the following folders:

C:\Program Files\Bifrost

Delete that folder if found.

C:\VundoFix\Backups

Empty it (delete everything inside).

Go to Virustotal
Copy the following to the box next to "Browse" button:
  • C:\WINDOWS\system32\sp2.exe
Click on Send and wait for the scan to end.

Let me know the results.

This post has been edited by Rahina Rescue: May 24 2007, 07:53 AM


© 2003-2009 All Rights Reserved Bleeping Computer LLC.