
Utorrent.exe And Zlob.am+need Help To Remove


11 replies to this topic

#1 andymirasol

andymirasol

  • Members
  • 50 posts
  • OFFLINE
  • Local time:01:12 PM

Posted 03 November 2007 - 07:39 AM

:thumbsup: Hi everyone, pleased to meet you all! After reading stuff and registering I do hope you can help me. I have tried all the programs listed; I got rid of a lot of infections, but I have 2 that will just not go away despite trying everything that I have read.
I seem to have 2 problems: uTorrent, which I have found in c:\windows\prefetch, and something called zlob.am. I keep getting a little toolbar pop-up in IE at the top of the screen saying I have infections and malware etc., and my computer is very, very slow. This is my HijackThis log, hope you can help guys, thanks Andy.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:37:44, on 03/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PSIService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Movistar\Escritorio movistar\EMMSN.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\My Folder\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {E6E59F48-7BF8-4BEE-B906-273526C25DA4} - C:\WINDOWS\advrepvto.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE" /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\RunServices: [Microsoft Server Applacations] MineSweep.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1193842873812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1193842857843
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEFD770D-871D-497B-B4BC-AE8671448551}: NameServer = 194.179.1.100 194.179.1.101
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O21 - SSODL: hupsrv - {6EBFEA48-8C34-45A6-939A-5EAE64B50D3E} - C:\WINDOWS\hupsrv.dll
O21 - SSODL: bindmod - {D75CF859-89D4-453A-A3E6-C0EAAB073983} - C:\WINDOWS\bindmod.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6130 bytes



#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:01:12 PM

Posted 03 November 2007 - 08:20 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum andymirasol :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

If you have previously downloaded ComboFix, please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*NOTE*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

#3 andymirasol

andymirasol
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:01:12 PM

Posted 03 November 2007 - 09:10 AM

Hi Richie, here are the logs

ComboFix 07-11-02.3 - Andy 2007-11-03 14:57:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2576 [GMT 1:00]
Running from: C:\Documents and Settings\Andy\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\bindmod.dll
C:\WINDOWS\dat.txt
C:\WINDOWS\Downloaded Program Files\Quarantine
C:\WINDOWS\hupsrv.dll
C:\WINDOWS\rs.txt
C:\WINDOWS\sdrmod.dll
C:\WINDOWS\search_res.txt
C:\WINDOWS\wtopmod.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
.

2007-11-03 14:56 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 14:52 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-03 13:56 <DIR> d-------- C:\fsaua.data
2007-11-03 10:20 <DIR> d-------- C:\Documents and Settings\Andy\Application Data\Grisoft
2007-11-03 10:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-03 10:19 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-03 09:14 <DIR> d-------- C:\WINDOWS\EPSON PhotoStarter Essential
2007-11-03 09:14 <DIR> d-------- C:\WINDOWS\EPSON CardMonitor Essential
2007-11-03 09:14 <DIR> d-------- C:\Documents and Settings\Andy\Pavark
2007-11-02 16:37 <DIR> d-------- C:\Program Files\DivX
2007-11-02 16:10 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-11-02 16:10 52,864 --a--c--- C:\WINDOWS\system32\dllcache\dmusic.sys
2007-11-02 16:10 6,272 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-11-02 16:10 6,272 --a--c--- C:\WINDOWS\system32\dllcache\splitter.sys
2007-11-02 16:09 69,632 -r------- C:\WINDOWS\Alcmtr.exe
2007-11-02 16:08 315,392 --a------ C:\WINDOWS\HideWin.exe
2007-11-02 15:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-02 13:32 <DIR> d-------- C:\Program Files\EPSON Print CD
2007-11-02 13:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\UDL
2007-11-02 13:32 131,072 --a------ C:\WINDOWS\system32\Epcmlib.dll
2007-11-02 13:30 <DIR> d-------- C:\Program Files\EPSON
2007-11-02 13:30 75,501 --a------ C:\WINDOWS\system32\EBPMON24.DLL
2007-11-02 13:30 64,000 --a------ C:\WINDOWS\system32\ECBTEG.DLL
2007-11-02 13:30 34,304 --a------ C:\WINDOWS\system32\EBPCHP.DLL
2007-11-02 13:30 31,744 --a------ C:\WINDOWS\system32\E_DCINST.DLL
2007-11-02 13:30 182 --a------ C:\WINDOWS\system32\EBPPORT4.DAT
2007-11-02 13:24 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-11-02 13:24 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-11-02 12:45 1,764 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-02 12:44 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-11-02 11:35 <DIR> d-------- C:\Program Files\Webroot
2007-11-02 11:35 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-11-02 11:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-11-02 11:34 <DIR> d-------- C:\Documents and Settings\Andy\Application Data\Webroot
2007-11-01 20:17 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-11-01 20:17 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-11-01 20:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-01 20:16 2,220,320 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-01 20:16 59,680 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-01 16:33 286,720 --a------ C:\WINDOWS\advrepvto.dll
2007-11-01 15:06 <DIR> d-------- C:\WINDOWS\system32\Lang
2007-11-01 14:50 <DIR> d-------- C:\Program Files\Intel
2007-11-01 14:48 <DIR> d-------- C:\temp
2007-11-01 14:48 <DIR> d-------- C:\Program Files\ASUS WiFi-AP Solo
2007-11-01 14:48 556,832 --a------ C:\WINDOWS\system32\drivers\aw5006.sys
2007-11-01 14:48 556,832 --a------ C:\WINDOWS\system32\aw5006.sys
2007-11-01 14:47 <DIR> d-------- C:\WINDOWS\system32\Attansic
2007-11-01 14:47 <DIR> d-------- C:\Program Files\Attansic
2007-11-01 14:47 <DIR> d-------- C:\Documents and Settings\Andy\Application Data\InstallShield
2007-11-01 14:47 35,840 -ra------ C:\WINDOWS\system32\drivers\atl01_xp.sys
2007-11-01 14:43 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2007-11-01 14:43 16,126,464 -r------- C:\WINDOWS\RTHDCPL.exe
2007-11-01 14:43 9,715,200 -r------- C:\WINDOWS\RTLCPL.exe
2007-11-01 14:43 4,397,568 -r------- C:\WINDOWS\system32\drivers\RtkHDAud.sys
2007-11-01 14:43 1,822,720 -r------- C:\WINDOWS\SkyTel.exe
2007-11-01 14:43 1,191,936 -r------- C:\WINDOWS\RtlUpd.exe
2007-11-01 14:43 86,016 -r------- C:\WINDOWS\SoundMan.exe
2007-11-01 14:43 49,152 -r------- C:\WINDOWS\system32\ChCfg.exe
2007-11-01 14:42 <DIR> d-------- C:\Program Files\Realtek
2007-11-01 14:42 2,808,832 -r------- C:\WINDOWS\alcwzrd.exe
2007-11-01 14:42 2,157,568 -r------- C:\WINDOWS\MicCal.exe
2007-11-01 14:42 520,192 -r------- C:\WINDOWS\RtlExUpd.dll
2007-11-01 14:32 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-11-01 14:32 <DIR> d-------- C:\Documents and Settings\Andy\Application Data\AdobeUM
2007-11-01 14:26 <DIR> d-------- C:\WINDOWS\Cache
2007-11-01 13:06 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-01 12:49 <DIR> d-------- C:\Program Files\Orca
2007-11-01 10:54 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-11-01 10:54 <DIR> d-------- C:\Documents and Settings\Andy\Contacts
2007-11-01 10:43 <DIR> d-------- C:\Program Files\MSN Messenger
2007-11-01 10:00 <DIR> d-------- C:\Program Files\Wise Registry Cleaner
2007-11-01 09:51 <DIR> d-------- C:\Program Files\CleanMyPC
2007-11-01 09:30 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-31 20:33 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-10-31 20:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-10-31 18:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Eset
2007-10-31 17:50 <DIR> d-------- C:\Program Files\MSBuild
2007-10-31 17:48 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-10-31 17:48 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-10-31 17:47 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-10-31 17:44 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-10-31 17:44 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-10-31 17:41 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-10-31 17:13 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-10-31 17:12 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-31 17:11 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-31 16:58 2,182,144 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-10-31 16:58 2,137,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2007-10-31 16:58 2,017,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2007-10-31 16:37 <DIR> d-------- C:\WINDOWS\system32\en
2007-10-31 16:37 <DIR> d-------- C:\WINDOWS\Provisioning
2007-10-31 16:37 <DIR> d-------- C:\WINDOWS\PeerNet
2007-10-31 16:37 <DIR> d-------- C:\WINDOWS\l2schemas
2007-10-31 16:37 <DIR> d-------- C:\WINDOWS\ehome
2007-10-31 15:50 128,768 --a------ C:\WINDOWS\system32\drivers\fltMgr.sys
2007-10-31 15:50 128,768 --a--c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-10-31 15:50 69,120 --a--c--- C:\WINDOWS\system32\dllcache\iedw.exe
2007-10-31 15:50 23,040 --a------ C:\WINDOWS\system32\fltMc.exe
2007-10-31 15:50 23,040 --a--c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-10-31 15:50 16,896 --a------ C:\WINDOWS\system32\fltlib.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-03 13:59 6,620 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-03 13:59 30,692 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-31 18:53 4,300 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2007-10-30 13:28 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-30 12:06 --------- d-----w C:\Documents and Settings\Andy\Application Data\.BitTornado
2007-10-30 11:43 --------- d-----w C:\Documents and Settings\Andy\Application Data\Telefónica Móviles
2007-10-30 11:42 --------- d-----w C:\Program Files\Movistar
2007-10-30 11:34 --------- d-----w C:\Program Files\microsoft frontpage
2007-09-28 16:07 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-09-28 16:07 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-09-28 16:07 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-09-24 08:05 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2007-09-24 08:05 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2007-09-20 08:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 08:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-06-13 11:26:03 1,481,428 --sh--r C:\WINDOWS\system32\MineSweep.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6E59F48-7BF8-4BEE-B906-273526C25DA4}]
2007-11-01 11:58 286720 --a------ C:\WINDOWS\advrepvto.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 01:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-10-11 02:56 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 01:56 C:\WINDOWS\system32\rundll32.exe]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [2003-09-11 04:00]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 08:28 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-04-04 10:22 C:\WINDOWS\SkyTel.exe]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft Server Applacations"=MineSweep.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Intec Service Drivers"=C:\WINDOWS\System32\wing32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Server Applacations]
MineSweep.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

R0 iviVD;iviVD;C:\WINDOWS\system32\DRIVERS\iviVD.sys
R1 tidnet;TID NDIS Protocol Driver;C:\WINDOWS\system32\DRIVERS\tidnet.sys
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R3 Huawei;HUAWEI Mobile Connect - USB Smart Card Reader;C:\WINDOWS\system32\DRIVERS\ewdcsc.sys
R3 hwdatacard;Huawei DataCard USB Modem and USB Serial;C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys
S3 AR2425;AzureWave AR5006 Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\aw5006.sys
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys
S3 PciCon;PciCon;\??\D:\PciCon.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 14:03:25 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 15:03:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-03 15:04:44 - machine was rebooted
.
--- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:09:46, on 03/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PSIService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Movistar\Escritorio movistar\EMMSN.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\My Folder\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {E6E59F48-7BF8-4BEE-B906-273526C25DA4} - C:\WINDOWS\advrepvto.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE" /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\RunServices: [Microsoft Server Applacations] MineSweep.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1193842873812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1193842857843
O16 - DPF: {A4069847-C342-48E2-9257-01A24E5C78EA} (F-Secure Online Scanner 3.2) - http://support.f-secure.com/ols3beta/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEFD770D-871D-497B-B4BC-AE8671448551}: NameServer = 194.179.1.100 194.179.1.101
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6265 bytes

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:01:12 PM

Posted 03 November 2007 - 09:52 AM

* Run HijackThis.
* Click on Open the Misc Tools section.
* Click Delete a file on reboot.
* Find and select this file if present:
C:\WINDOWS\advrepvto.dll
* Click Open.
* You will be asked if you want to restart your computer, click Yes.
* Your computer will be restarted.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your pc.

REGEDIT4
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6E59F48-7BF8-4BEE-B906-273526C25DA4}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Server Applacations]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Intec Service Drivers"=-


Have HijackThis fix the following if still present, by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {E6E59F48-7BF8-4BEE-B906-273526C25DA4} - C:\WINDOWS\advrepvto.dll
O4 - HKLM\..\RunServices: [Microsoft Server Applacations] MineSweep.exe

Exit Hijackthis.

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Restart your pc.
Post a new Hijackthis log please.
Let me know how your pc is running now.
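The entries Richie singles out in this post (the orphaned BHO, the BHO loading a DLL from the Windows root, the RunServices loader, and the two SSODL DLLs from the first log) follow patterns a log reviewer checks for line by line. The script below is an added example, not code from the thread or from HijackThis itself: it parses a constructed sample of those log lines and flags them with the same heuristics, reporting only and removing nothing.

```python
"""Triage helper for HijackThis v2.0.2 log lines.

Added example, not code from the thread or from HijackThis: it parses the
entry types discussed above (O2, O4, O20, O21) and applies a reviewer's
heuristics to flag entries worth a closer look. It only reports.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the entries posted in this thread (not a live scan).
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {E6E59F48-7BF8-4BEE-B906-273526C25DA4} - C:\WINDOWS\advrepvto.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\RunServices: [Microsoft Server Applacations] MineSweep.exe
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O21 - SSODL: hupsrv - {6EBFEA48-8C34-45A6-939A-5EAE64B50D3E} - C:\WINDOWS\hupsrv.dll
O21 - SSODL: bindmod - {D75CF859-89D4-453A-A3E6-C0EAAB073983} - C:\WINDOWS\bindmod.dll
"""

# "O2 - <body>"; entry lines always start with a letter, a number and " - ".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# "HKLM\..\Run: [name] command" as HijackThis prints O4 entries.
O4_RE = re.compile(r"^(?P<hive>HK\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    severity: str  # "suspect" (likely malicious) or "review" (needs a human look)
    entry: str     # the log line body that triggered it
    reason: str


def parse_line(line):
    """Split 'O2 - BHO: ...' into ('O2', 'BHO: ...'); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None


def in_windows_root(path):
    # True for a file directly under the Windows directory (C:\WINDOWS\x.dll),
    # False for subdirectories such as system32 or for other locations.
    # Heuristic: legitimate BHOs and shell service objects almost never live there.
    parts = path.replace("/", "\\").split("\\")
    return len(parts) == 3 and parts[1].upper() in ("WINDOWS", "WINNT")


def triage_o2(body):
    # "BHO: <name> - {CLSID} - <path>"
    path = body.rsplit(" - ", 1)[-1]
    if path == "(no file)":
        return Finding("review", body, "BHO registered but its DLL is missing (orphaned entry)")
    if in_windows_root(path):
        return Finding("suspect", body, "BHO DLL sits directly in the Windows directory")
    return None


def triage_o4(body):
    m = O4_RE.match(body)
    if not m:
        return None
    if m.group("key").lower() == "runservices":
        # RunServices is only processed by Windows 9x/Me; on an NT-based system
        # such as XP it is never run, so an entry there was written deliberately.
        return Finding("suspect", body, "RunServices key is not used by NT-based Windows; entry is planted or leftover")
    if "\\" not in m.group("cmd").strip('"').split(" ")[0]:
        return Finding("review", body, "started by bare filename (PATH lookup); confirm where the file lives")
    return None


def triage_o20(body):
    return Finding("review", body, "AppInit_DLLs loads into every process that uses user32.dll; confirm the vendor")


def triage_o21(body):
    # "SSODL: <name> - {CLSID} - <path>"; HijackThis omits the known default
    # ShellServiceObjectDelayLoad entries, so anything listed is non-default.
    path = body.rsplit(" - ", 1)[-1]
    if in_windows_root(path):
        return Finding("suspect", body, "ShellServiceObjectDelayLoad DLL directly in the Windows directory")
    return Finding("review", body, "non-default ShellServiceObjectDelayLoad entry")


HANDLERS = {"O2": triage_o2, "O4": triage_o4, "O20": triage_o20, "O21": triage_o21}


def triage(log_text):
    """Run every handled entry through its heuristic and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        code, body = parsed
        handler = HANDLERS.get(code)
        if handler:
            finding = handler(body)
            if finding:
                findings.append(finding)
    return findings


def counts(findings):
    """Number of findings per severity, e.g. {'suspect': 4, 'review': 3}."""
    out = {}
    for f in findings:
        out[f.severity] = out.get(f.severity, 0) + 1
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.entry}\n    -> {f.reason}")
```

On the sample above it marks the advrepvto.dll BHO, the MineSweep.exe RunServices entry and both SSODL DLLs as suspect, which matches the entries ComboFix deleted and the ones Richie asks HijackThis to fix.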

#5 andymirasol

andymirasol
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:01:12 PM

Posted 03 November 2007 - 03:39 PM

Hi Richie, thanks for your time and support. My computer and web browsing seem to be back to 100% now, thanks for that. My only problem I can see now is that when I open any file in Windows Media Player it seems to take ages to open in the player itself; everything else seems great. Could I have some sort of infection affecting my media player?
Here's my new HijackThis log, btw thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:30:25, on 03/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PSIService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Movistar\Escritorio movistar\EMMSN.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\My Folder\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE" /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1193842873812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1193842857843
O16 - DPF: {A4069847-C342-48E2-9257-01A24E5C78EA} (F-Secure Online Scanner 3.2) - http://support.f-secure.com/ols3beta/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEFD770D-871D-497B-B4BC-AE8671448551}: NameServer = 194.179.1.100 194.179.1.101
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5954 bytes
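As an added example (not from this thread, and not HijackThis's own code), here is a small Python parser for the log format posted above that picks out the entry types a log reviewer usually looks at first. The sample lines are constructed in the shape of this post's log, and the triage rules are this example's own assumptions: they order review, they do not declare anything malicious.

```python
import re

# Constructed sample: a few lines in the shape of the HijackThis log posted
# above (entry codes and layout as HijackThis 2.0.2 prints them).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEFD770D-871D-497B-B4BC-AE8671448551}: NameServer = 194.179.1.100 194.179.1.101
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
""".strip()

# Every HijackThis entry starts with a section code such as R0, O4, O23.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (code, body) pairs, ignoring header and process lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(text):
    """Return (code, reason, body) for entries worth a second look; the rules are this example's assumptions, not HijackThis verdicts."""
    findings = []
    for code, body in parse_hjt(text):
        if code == "O4":
            command = body.split("] ", 1)[-1]
            # A bare file name (no quotes, no directory) is resolved through the
            # search path, so it deserves a look even when it is a known vendor tool.
            if not re.search(r'["\\]', command):
                findings.append((code, "autorun entry with no full path", body))
        elif code == "O17":
            findings.append((code, "custom DNS server(s) set on an adapter", body))
        elif code == "O20":
            findings.append((code, "AppInit_DLLs loads this DLL into every GUI process", body))
        elif code == "O23" and "Unknown owner" in body:
            findings.append((code, "service with no publisher information", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```

Paste a full log into SAMPLE_LOG (or read it from a file) and the flagged lines come out in the order a helper would normally ask about them.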

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 03 November 2007 - 03:57 PM

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer, and when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.

Run 'ESET Online Scanner' using Internet Explorer:
http://www.eset.com/onlinescan/
Place a check in the box 'YES,I accept the Terms of Use' after reading.
Then click 'Start'.
Allow the activex control to install.
Then click 'Start' in the 'ESET Online Scanner' window.
Place a check in the box 'Remove found threats'.
Leave the box 'Scan unwanted applications' blank.
Then press 'Scan'.
The scan will take up some time so please be patient.
Once the scan has finished, post the entire contents of the logfile:
C:\Program Files\EsetOnlineScanner\log.txt

Also post a new HijackThis log, and let me know how your pc is running now.

#7 andymirasol

andymirasol
  • Topic Starter

  • Members
  • 50 posts

Posted 03 November 2007 - 05:01 PM

Hi Richie, here are my logs again

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/03/2007 at 10:22 PM

Application Version : 3.9.1008

Core Rules Database Version : 3337
Trace Rules Database Version: 1338

Scan type : Complete Scan
Total Scan Time : 00:10:41

Memory items scanned : 437
Memory threats detected : 0
Registry items scanned : 5330
Registry threats detected : 0
File items scanned : 34306
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\Andy\Cookies\andy@windowsmedia[2].txt


# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2636 (20071103)
# vers_arch_module=1.058 (20070906)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=8c0774200c4467479b01b503159d40c1
# end=finished
# remove_checked=true
# unwanted_checked=false
# utc_time=2007-11-03 09:51:08
# local_time=2007-11-03 10:51:08 (+0100, Central Europe Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=109856
# found=1
# scan_time=1270
C:\qoobox\Quarantine\C\WINDOWS\wtopmod.exe.vir a variant of Win32/Adware.Agent.NHQ application (unable to clean - deleted) 00000000000000000000000000000000

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 03 November 2007 - 05:14 PM

Your log is clean :thumbsup:
If all's ok, please do the following:

Find and delete:
fix.reg

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.


Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

You should take the time to read and follow the information found in the links below, to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm

As for your Windows Media Player issue, I suggest you start a new topic here:
Windows XP Home and Professional:
http://www.bleepingcomputer.com/forums/f/56/windows-xp-home-and-professional/

#9 andymirasol

andymirasol
  • Topic Starter

  • Members
  • 50 posts

Posted 03 November 2007 - 06:11 PM

Hi Richie, everything is soooo good now except for my mega slow media player. Could it be something to do with downgrading from Vista to XP Pro? When I used to click on mpeg files they were instant, but now it takes a few minutes even before buffering files to play. I tried reinstalling Media Player but it's still mega slow.

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 03 November 2007 - 06:56 PM

Hi Richie, everything is soooo good now except for my mega slow media player. Could it be something to do with downgrading from Vista to XP Pro? When I used to click on mpeg files they were instant, but now it takes a few minutes even before buffering files to play. I tried reinstalling Media Player but it's still mega slow.

I suggest you start a new topic in the forum below giving as much detail as possible regarding your issue.
Windows XP Home and Professional:
http://www.bleepingcomputer.com/forums/f/56/windows-xp-home-and-professional/

#11 andymirasol

andymirasol
  • Topic Starter

  • Members
  • 50 posts

Posted 04 November 2007 - 03:29 AM

Ok well thanks for all your help in sorting my problems out, it's running a lot better now! :thumbsup:

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 04 November 2007 - 08:10 AM

You're welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.