Trojan Detection



#1 bluelurker


Posted 20 December 2006 - 12:44 AM

Hope I'm doing this right.

OS - Windows XP Home
PC - Samsung R50 notebook
Intel Pentium 1.73 GHz
1.00 GB RAM
GoldTach firewall
AVG antivirus

Problem

AVG found five trojan infections in the following folders:
[screenshot]
AVG would not let me heal or move the trojans, so I selected Ignore.
That made no difference, so I once again ran the virus test and tried to delete.
Now on my system I am unable to run some programs:
Ad-Aware - stalls and does not respond
Spybot - stalls and does not respond
System Mechanic - stalls and does not respond
Disk Cleanup - has the following error message
[screenshot]
Have tried to use the suggested spyware cleaners on your site with no response, or they will not operate correctly.
The first viruses detected were as follows:
[screenshot]
[screenshot]
[screenshot]
So, looking forward to any help. Here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 2:07:16 PM, on 20/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Matinsoft\GoldTach\GoldTach.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\iolo\System Mechanic\Scheduled_Maintenance.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Wisdom-soft ScreenHunter\ScreenHunter.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.primusonline.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.primusonline.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.primusonline.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies Ltd\RecoverPro_XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [BatteryManager] C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [GoldTach] C:\Program Files\Matinsoft\GoldTach\GoldTach.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [Scheduled Maintenance] C:\Program Files\iolo\System Mechanic\Scheduled_Maintenance.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: @C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll,-115 - {BB8A8834-A0A1-4d70-A21A-72FF89AA737A} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O9 - Extra 'Tools' menuitem: ImageShack Toolbar - {BB8A8834-A0A1-4d70-A21A-72FF89AA737A} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tasi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tasi.dll
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B20A90E-9907-4A5E-B4AE-D67776B59AF0}: NameServer = 85.255.115.30,85.255.112.150
O17 - HKLM\System\CCS\Services\Tcpip\..\{63931657-B599-48A4-93A0-07E59402C2F9}: NameServer = 85.255.115.30,85.255.112.150
O17 - HKLM\System\CCS\Services\Tcpip\..\{894AF2FE-A41B-49FA-A303-B9606E1EA1ED}: NameServer = 85.255.115.30,85.255.112.150
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0991774-7270-4C8D-BC56-FF1E70314CA8}: NameServer = 85.255.115.30,85.255.112.150
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1C02D91-8C0A-4795-BE57-3397C0D59A7C}: NameServer = 85.255.115.30,85.255.112.150
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2DEB9C1-D336-431A-8B10-69FB7D278D22}: NameServer = 85.255.115.30,85.255.112.150
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA4F0DB7-DF90-4071-9B57-1588579449F0}: NameServer = 85.255.115.30,85.255.112.150
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.30 85.255.112.150
O17 - HKLM\System\CS1\Services\Tcpip\..\{5B20A90E-9907-4A5E-B4AE-D67776B59AF0}: NameServer = 85.255.115.30,85.255.112.150
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.30 85.255.112.150
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: SNM WLAN Service - Unknown owner - C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


#2 Daemon (Security Expert)

Posted 20 December 2006 - 02:20 AM

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again. Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

O17 - HKLM\System\CCS\Services\Tcpip\..\{5B20A90E-9907-4A5E-B4AE-D67776B59AF0}: NameServer = 85.255.115.30,85.255.112.150
O17 - HKLM\System\CCS\Services\Tcpip\..\{63931657-B599-48A4-93A0-07E59402C2F9}: NameServer = 85.255.115.30,85.255.112.150
O17 - HKLM\System\CCS\Services\Tcpip\..\{894AF2FE-A41B-49FA-A303-B9606E1EA1ED}: NameServer = 85.255.115.30,85.255.112.150
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0991774-7270-4C8D-BC56-FF1E70314CA8}: NameServer = 85.255.115.30,85.255.112.150
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1C02D91-8C0A-4795-BE57-3397C0D59A7C}: NameServer = 85.255.115.30,85.255.112.150
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2DEB9C1-D336-431A-8B10-69FB7D278D22}: NameServer = 85.255.115.30,85.255.112.150
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA4F0DB7-DF90-4071-9B57-1588579449F0}: NameServer = 85.255.115.30,85.255.112.150
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.30 85.255.112.150
O17 - HKLM\System\CS1\Services\Tcpip\..\{5B20A90E-9907-4A5E-B4AE-D67776B59AF0}: NameServer = 85.255.115.30,85.255.112.150
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.30 85.255.112.150

Exit HijackThis. Reboot and post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#3 bluelurker (Topic Starter)

Posted 20 December 2006 - 04:55 AM

OK, thanks for the quick response. Here is the new HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 6:47:12 PM, on 20/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Matinsoft\GoldTach\GoldTach.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\iolo\System Mechanic\Scheduled_Maintenance.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.primusonline.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.primusonline.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies Ltd\RecoverPro_XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [BatteryManager] C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [GoldTach] C:\Program Files\Matinsoft\GoldTach\GoldTach.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [Scheduled Maintenance] C:\Program Files\iolo\System Mechanic\Scheduled_Maintenance.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: @C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll,-115 - {BB8A8834-A0A1-4d70-A21A-72FF89AA737A} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O9 - Extra 'Tools' menuitem: ImageShack Toolbar - {BB8A8834-A0A1-4d70-A21A-72FF89AA737A} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tasi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tasi.dll
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUB

Now the Fixwareout report:


Fixwareout
Last edited 12/06/2006
Post this report in the forums please
...
Prerun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="cscpx.exe"

...
...
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}30EEEA98D9F7-1F9A-8CA4-1FE4-E2847314{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}16FE7EF0F812-CABA-64C4-4577-94F43767{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}27BABE5F423D-ACE9-7114-BD41-4B571AC9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3465F8D3B65E-CABB-AD14-3A6B-D033F005{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4544DFF0DB79-05CB-6484-B54F-4C2A53B1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B13DAC1CD727-6098-76D4-100D-C91B148E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
...

Random Runs removed from HKLM
...
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Searching by size/names...


Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSCPX.EXE 51,731 2006-12-20

Other suspects.

Misc files.

Checking for older varients covered by the Rem3 tool.
...
Postrun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

...

OK, that's both logs as requested. Just one question: will I have to reinstall the programs that don't run correctly, or will this fix that problem as well?

Thank you for taking the time out to help with this problem.
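A small triage script, added here as an example (it is not part of the thread, of HijackThis or of Fixwareout), that applies the checks from Daemon's post #2 and the Fixwareout report in post #3 to constructed sample lines: it flags O17 NameServer entries that point at public resolvers outside an allowlist, reports O10 "Unknown file in Winsock LSP" entries and duplicates, and extracts the Winlogon "System" value from a Fixwareout-style report. The 203.0.113.53 "ISP resolver", the 192.168.1.1 router and the all-zero interface GUID are placeholders.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Set

# Constructed sample input in HijackThis v1.99.1 format. The O10/O17 lines
# mirror the ones posted in this thread; the {00000000-...} interface GUID,
# the 192.168.1.1 router and the 203.0.113.53 "ISP resolver" are placeholders.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tasi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tasi.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B20A90E-9907-4A5E-B4AE-D67776B59AF0}: NameServer = 85.255.115.30,85.255.112.150
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.30 85.255.112.150
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1,203.0.113.53
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Constructed sample of the Fixwareout "Prerun check" block from post #3.
SAMPLE_FIXWAREOUT_REPORT = r"""
Prerun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="cscpx.exe"
"""

# Resolvers this machine is expected to use (placeholder ISP address).
TRUSTED_RESOLVERS: Set[str] = {"203.0.113.53"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")


def split_nameservers(field: str) -> List[str]:
    """HijackThis prints per-interface lists comma-separated and the
    Tcpip\\Parameters value space-separated; accept both."""
    return [s for s in re.split(r"[,\s]+", field.strip()) if s]


def is_rogue(server: str, trusted: Set[str]) -> bool:
    """A resolver is rogue when it is a public address not on the allowlist.
    Private/loopback addresses (router, local forwarder) are left alone;
    anything that is not an IP address at all is flagged for review."""
    if server in trusted:
        return False
    try:
        return ipaddress.ip_address(server).is_global
    except ValueError:
        return True


def triage(log_text: str, trusted: Set[str]) -> Dict[str, list]:
    """Scan HijackThis lines; return rogue O17 entries (the lines to tick in
    HijackThis), the unknown LSP files and which of them are listed twice."""
    rogue_dns = []
    lsp_paths: Counter = Counter()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            bad = [s for s in split_nameservers(m.group("servers"))
                   if is_rogue(s, trusted)]
            if bad:
                rogue_dns.append({"key": m.group("key"), "servers": bad, "line": line})
            continue
        m = O10_RE.match(line)
        if m:
            lsp_paths[m.group("path").lower()] += 1
    return {
        "rogue_dns": rogue_dns,
        "rogue_servers": sorted({s for e in rogue_dns for s in e["servers"]}),
        "fix_lines": [e["line"] for e in rogue_dns],
        "unknown_lsp": sorted(lsp_paths),
        "lsp_duplicates": sorted(p for p, n in lsp_paths.items() if n > 1),
    }


def winlogon_system_value(report_text: str) -> str:
    """Return the Winlogon 'System' value from a Fixwareout-style .reg
    fragment, or '' when it is empty or absent. Windows does not set this
    value by default, so a non-empty value (cscpx.exe in the thread) is a
    persistence entry to review; the postrun check should show it empty."""
    in_key = False
    for raw in report_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower().replace("\\\\", "\\")
            in_key = key.endswith(r"\microsoft\windows nt\currentversion\winlogon")
            continue
        if in_key and line.lower().startswith('"system"='):
            return line.split("=", 1)[1].strip().strip('"')
    return ""


if __name__ == "__main__":
    result = triage(SAMPLE_HJT_LOG, TRUSTED_RESOLVERS)
    for entry in result["fix_lines"]:
        print("fix in HijackThis:", entry)
    print("unknown LSP files:", result["unknown_lsp"])
    print("Winlogon System value:", winlogon_system_value(SAMPLE_FIXWAREOUT_REPORT) or "(empty)")
```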

#4 Daemon (Security Expert)

Posted 20 December 2006 - 01:54 PM

Hopefully not. Do this next: please download SUPERAntiSpyware Home Edition (free version).
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
  • Please paste that information here for me with a new HijackThis log.


#5 bluelurker (Topic Starter)

Posted 20 December 2006 - 08:50 PM

Logfile of HijackThis v1.99.1
Scan saved at 10:44:47 AM, on 21/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Matinsoft\GoldTach\GoldTach.exe
C:\Program Files\iolo\System Mechanic\Scheduled_Maintenance.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\SSUPDATE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Samsung\Samsung Update Plus\SLUClientApp.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.primusonline.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.google.com.au/imghp?ie=UTF-8...p;q=&tab=wi
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.primusonline.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies Ltd\RecoverPro_XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [BatteryManager] C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [GoldTach] C:\Program Files\Matinsoft\GoldTach\GoldTach.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Scheduled Maintenance] C:\Program Files\iolo\System Mechanic\Scheduled_Maintenance.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: @C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll,-115 - {BB8A8834-A0A1-4d70-A21A-72FF89AA737A} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O9 - Extra 'Tools' menuitem: ImageShack Toolbar - {BB8A8834-A0A1-4d70-A21A-72FF89AA737A} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tasi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tasi.dll
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: SNM WLAN Service - Unknown owner - C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

SUPERAntiSpyware Scan Log
Generated 12/21/2006 at 10:18 AM

Application Version : 3.4.1000

Core Rules Database Version : 3151
Trace Rules Database Version: 1167

Scan type : Complete Scan
Total Scan Time : 00:20:03

Memory items scanned : 349
Memory threats detected : 0
Registry items scanned : 5226
Registry threats detected : 0
File items scanned : 19499
File threats detected : 224

Adware.Tracking Cookie
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@optimost[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@adecn[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@mb[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@atdmt[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@www.etopsex[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@webstat[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@cz7.clickzs[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@gettyimages.122.2o7[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@medialab[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@toplist[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@ads.pointroll[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@serving-sys[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@ads.multimania.lycos[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@bravenetmedianetwork[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@www.burstbeacon[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@msnaccountservices.112.2o7[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@devart.adbureau[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@xml.bravenetmedianetwork[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@www.smartadserver[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@www.amaena[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@mb[3].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@ehg-sixapart.hitbox[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@z1.adserver[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@bluestreak[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@ads.gamershell[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@talkcity.realtracker[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@bs.serving-sys[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@please[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@mb[5].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@ad1.clickhype[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@as1.falkag[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@drivecleaner[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@adserver[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@overture[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@rambler[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@ehg-wacomtechnology.hitbox[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@stats.drivecleaner[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@cgi-bin[5].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@cgi-bin[4].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@paypal.112.2o7[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@st[3].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@heavycom.122.2o7[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@please[3].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@edge.ru4[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@keywordmax[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@yadro[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@ero-advertising[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@cnn.122.2o7[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@mb[4].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@reduxads.valuead[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@cgi-bin[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@vip2.clickzs[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@hc2.humanclick[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@securitycamsex[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@www.winantivirus[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@fortunecity[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@winantivirus[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@indexstats[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@rotator.adjuggler[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@sixapart.adbureau[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@91338698[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@cgi-bin[8].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@shop.adultshop.com[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@adrevolver[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@questionmarket[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@revenue[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@40715998[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@hotlog[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@1066199638[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@ehg-uniontrib.hitbox[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@1066071051[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@paycounter[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@newt1.adultadworld[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@media.sensis.com[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@1065765484[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@cpacampaigns.directtrack[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@cz5.clickzs[2].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@multiply.112.2o7[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@hg1.hitbox[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@banner-tiscali[1].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@toplist[4].txt
C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@track[2].txt
Hope that helps... I had a little trouble with the spy thing, it stalled twice... I think.

#6 Daemon (Security Expert, Members, 1,446 posts, UK)

Posted 21 December 2006 - 02:41 AM

That's OK, just cookies. Do this. Click here to download System Security Suite. Extract it from the zip file into a folder and double-click on sss.exe. Check the boxes under the 'Items to Clear' tab and click 'Clear Selected Items'. You will be prompted to reboot; do so.

Post a final HJT log and let me know how it's running now.

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#7 bluelurker (Topic Starter, Members, 75 posts, Australia)

Posted 23 December 2006 - 09:42 AM

Sorry it has taken me so long to reply, I have been very busy at work and had some graphics to complete before Christmas.
Thank you for all your help. The system is running great once again; I ran the SSS program and it did its thing... I will post an HJT log in the morning, when my brain is running on all cylinders.

Andrew

#8 bluelurker (Topic Starter, Members, 75 posts, Australia)

Posted 23 December 2006 - 11:18 PM

Well, here it is:
Logfile of HijackThis v1.99.1
Scan saved at 1:15:55 PM, on 24/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Matinsoft\GoldTach\GoldTach.exe
C:\Program Files\iolo\System Mechanic\Scheduled_Maintenance.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.primusonline.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.google.com.au/imghp?ie=UTF-8...p;q=&tab=wi
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.primusonline.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies Ltd\RecoverPro_XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [BatteryManager] C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [GoldTach] C:\Program Files\Matinsoft\GoldTach\GoldTach.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Scheduled Maintenance] C:\Program Files\iolo\System Mechanic\Scheduled_Maintenance.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: @C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll,-115 - {BB8A8834-A0A1-4d70-A21A-72FF89AA737A} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O9 - Extra 'Tools' menuitem: ImageShack Toolbar - {BB8A8834-A0A1-4d70-A21A-72FF89AA737A} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tasi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tasi.dll
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: SNM WLAN Service - Unknown owner - C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

No great hurry, guys, and thanks again.
Have a very merry Christmas and a great new year.
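The two artefacts posted in this thread, the cookie-file listing from the spyware scan and the HijackThis log above, are both plain text with a regular line format, so they can be triaged with a short script instead of by eye. The example below is added here and is not part of the original thread or of HijackThis itself: it parses the `user@host[n].txt` cookie file names into hosts and counts them per site, and it walks an HJT log and returns the entries a helper would normally ask a poster to verify by hand (O10 LSP entries HijackThis reports as "Unknown file", O23 services with "Unknown owner", O15 Trusted Zone additions). The sample lines are copied from the posts above; the flagging rules are this author's own heuristics (an assumption, not HijackThis logic), and a flagged entry only means "check the file and publisher", not that the entry is malicious. The expert's verdict above, that the log looks clean, still stands.

```python
"""Triage helpers for an IE cookie listing and a HijackThis v1.99.1 log.
Added example, not from the original thread. Sample input is copied from the
thread; the flagging heuristics are the author's own (assumption)."""
import re
from collections import Counter

# Constructed sample: cookie file names in IE's "user@host[n].txt" form,
# copied from the listing posted earlier in the thread.
COOKIE_FILES = [
    r"C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@cz6.clickzs[2].txt",
    r"C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@vip.clickzs[2].txt",
    r"C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@ad.yieldmanager[1].txt",
    r"C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@cgi-bin[6].txt",
    r"C:\Documents and Settings\Andrew hillier\Cookies\andrew hillier@cz3.clickzs[1].txt",
]

# Constructed sample: a handful of lines copied from the HJT log above.
HJT_SAMPLE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\windows\system32\tasi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tasi.dll
O15 - Trusted Zone: http://toolbar.imageshack.us
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
"""

# host = everything between the "@" and the "[n].txt" suffix; no path separators allowed.
COOKIE_RE = re.compile(r"@(?P<host>[^\[\\]+)\[\d+\]\.txt$", re.IGNORECASE)
# HJT lines look like "O23 - Service: ..."; capture the section tag and the rest.
HJT_LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Labels IE sometimes keeps on the file name (seen in the listing: "adultshop.com").
TLDS = {"com", "net", "org", "au", "uk"}


def cookie_hosts(paths):
    """Count cookie files per host exactly as IE named them."""
    hosts = Counter()
    for path in paths:
        match = COOKIE_RE.search(path)
        if match:
            hosts[match.group("host").lower()] += 1
    return hosts


def cookie_sites(paths):
    """Group hosts by their last meaningful label, so cz3/cz6/vip.clickzs collapse to 'clickzs'.
    IE usually omits the TLD in the file name; when it does not, skip the TLD label."""
    sites = Counter()
    for host, n in cookie_hosts(paths).items():
        labels = host.split(".")
        if len(labels) > 1 and labels[-1] in TLDS:
            labels = labels[:-1]
        sites[labels[-1]] += n
    return sites


def parse_hjt(text):
    """Split an HJT log into (section, body) entries, dropping exact duplicates
    (the log above lists the same O10 LSP line twice)."""
    entries, seen = [], set()
    for line in text.splitlines():
        match = HJT_LINE_RE.match(line.strip())
        if not match:
            continue  # process list, headers, blank lines
        key = (match.group("section"), match.group("body"))
        if key not in seen:
            seen.add(key)
            entries.append(key)
    return entries


def triage_hjt(text):
    """Return (section, body, reason) for entries a helper would ask to be verified.
    Heuristics are the author's own assumption; a hit means 'check it', not 'malicious'."""
    flagged = []
    for section, body in parse_hjt(text):
        if section == "O10" and body.startswith("Unknown file"):
            flagged.append((section, body, "LSP DLL not in HJT's known list; verify the file and its publisher"))
        elif section == "O23" and " - Unknown owner - " in body:
            flagged.append((section, body, "service binary carries no publisher string; verify its signature"))
        elif section == "O15":
            flagged.append((section, body, "site added to the IE Trusted Zone; confirm it is intentional"))
    return flagged


if __name__ == "__main__":
    for site, n in cookie_sites(COOKIE_FILES).most_common():
        print(f"{n:3d}  {site}")
    for section, body, reason in triage_hjt(HJT_SAMPLE):
        print(f"{section}: {body}\n      -> {reason}")
```

Run against the full log, the script flags exactly the three kinds of line a forum helper would look at first; everything with a recognised publisher (AVG, ATI, HP, Analog Devices) passes straight through, which is why the signed-or-not distinction is the first filter worth automating.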

#9 Daemon (Security Expert, Members, 1,446 posts, UK)

Posted 24 December 2006 - 12:11 PM

Looks good - is everything working OK now?

#10 Daemon (Security Expert, Members, 1,446 posts, UK)

Posted 01 January 2007 - 02:49 PM

As this problem has been resolved the topic will be closed. If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.