Hijack Log


This topic is locked
14 replies to this topic

#1 elvy


  • Members
  • 82 posts

Posted 28 April 2008 - 07:27 PM

iexplore is infected and I don't know how to get rid of it. Here is my log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:02:12 AM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Dynex G Desktop Card Adapter\DynexWCUI.exe
C:\Program Files\BitLord\BitLord.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.6.0_04\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: run=
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Documents and Settings\Owner\Desktop\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [CAMP SHIM EXIT HECK] C:\Documents and Settings\All Users\Application Data\That Face Camp Shim\Axis Part.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Mpeg Glue] C:\DOCUME~1\Owner\APPLIC~1\EXTRAI~1\rdr coal manager.exe
O4 - Global Startup: Dynex Wireless Networking Utility.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5236 bytes


#2 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 29 April 2008 - 07:17 AM

Hi,

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 elvy

  • Topic Starter

  • Members
  • 82 posts

Posted 01 May 2008 - 01:21 AM

Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
AGEIA PhysX v7.06.25
AIM 6
Angelina Jolie Screen Saver
ANIO Service
ANIWZCS2 Service
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
AVG Anti-Spyware 7.5
AVIVO
BitLord 1.1
BlackSite: Area 51
C-Media PCI Audio
C-Media WDM Audio Driver
Cucusoft Ultimate DVD + Video Converter Suite 7.13.7.7
CursorXP
DivoCodec version 1.0.0.2
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Dynex G Wireless Desktop Card Setup
evov3.zip
Fury
GameSpy Arcade
Guild Wars
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
InterActual Player
iSofter DVD Ripper Platinum 1.0.2006.912
Java™ 6 Update 4
LAN-Express AS IEEE 802.11 Wireless LAN
LimeWire 4.16.3
LogonStudio
Microsoft .NET Framework 2.0
Microsoft DirectX Transform optional components
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.14)
Painkiller
PCI Audio Driver
QuickTime
RealPlayer
Realtek High Definition Audio Driver
RelevantKnowledge
VideoLAN VLC media player 0.8.6c
Viewpoint Media Player
Winamp
Windows Driver Package - Intel net (02/14/2007 9.1.1.13)
Windows Driver Package - Intel net (02/25/2007 11.1.0.86)
Windows Driver Package - Intel net (02/25/2007 11.1.0.86)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Service Pack 2
Yahoo! Install Manager
Yahoo! Toolbar

#4 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 01 May 2008 - 08:10 AM

Hi,

BitLord 1.1 is the cause of the popups you are getting.
There are some other programs installed here as well to remove..

So,

Go to Start > Control Panel > Software > Add/Remove Programs, check whether one or more of the following programs are installed, and uninstall them:

Bitlord 1.1
RelevantKnowledge
Viewpoint Media Player


This will uninstall the malware application.
If, during the uninstall, you are asked for uninstall verification, please enter the numbers that appear in the window.
If it says that the file was not found, double-check that you entered the exact command. If it is still the same, proceed with the next steps.


Then reboot. Important!

After reboot,

* Download Deljob.exe and save it on your desktop.
Double-click Deljob.exe.

A log (logit.txt) should open afterwards. This log will be present on your desktop.
Post the contents of the logfile in your next reply together with a new HijackThis log.

Edited by miekiemoes, 01 May 2008 - 08:10 AM.


#5 elvy

  • Topic Starter

  • Members
  • 82 posts

Posted 02 May 2008 - 10:52 PM

--------------------------------------------------------
Backups created in C:\deljob

ACA3752B9184E73B.job
--------------------------------------------------------
Files in Windows Tasks folder

--------------------------------------------------------
Export App Data folders
--------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 1CC6-648E

Directory of C:\Documents and Settings\Owner\Application Data

05/02/2008 08:51 PM <DIR> .
05/02/2008 08:51 PM <DIR> ..
10/08/2007 08:22 PM <DIR> acccore
04/15/2008 01:39 AM <DIR> Adobe
04/01/2008 11:05 PM <DIR> APPLEC~1 Apple Computer
11/07/2007 07:59 PM <DIR> ATI
10/08/2007 09:08 PM <DIR> DivX
04/19/2008 09:25 AM <DIR> dvdcss
05/02/2008 01:37 AM <DIR> EXTRAI~1 extrainfohide
11/07/2007 08:36 PM <DIR> IDENTI~1 Identities
10/08/2007 07:08 PM <DIR> INSTAL~1 InstallShield
11/07/2007 10:02 PM <DIR> INTERT~1 InterTrust
03/29/2008 03:35 PM <DIR> JASCSO~1 Jasc Software Inc
04/30/2008 11:29 PM <DIR> LimeWire
10/08/2007 08:20 PM <DIR> MACROM~1 Macromedia
03/27/2008 05:01 PM <DIR> MICROS~1 Microsoft
01/11/2008 12:33 AM <DIR> MOVENE~1 Move Networks
10/08/2007 08:07 PM <DIR> Mozilla
12/31/2007 03:04 AM <DIR> Real
11/11/2007 03:09 AM <DIR> SecuROM
01/24/2008 02:20 AM <DIR> Sun
10/08/2007 09:12 PM <DIR> TRITON~1 Triton Interactive
10/09/2007 04:05 AM <DIR> vlc
10/18/2007 10:12 PM <DIR> Winamp
10/08/2007 08:39 PM <DIR> WinRAR
12/14/2007 05:32 AM <DIR> Yahoo!
0 File(s) 0 bytes
26 Dir(s) 22,648,410,112 bytes free
Volume in drive C has no label.
Volume Serial Number is 1CC6-648E

Directory of C:\Documents and Settings\All Users\Application Data

04/15/2008 01:40 AM <DIR> .
04/15/2008 01:40 AM <DIR> ..
10/08/2007 08:21 PM <DIR> AOL
10/08/2007 08:22 PM <DIR> AOLDOW~1 AOL Downloads
10/08/2007 08:21 PM <DIR> AOLOCP~1 AOL OCP
10/25/2007 06:15 PM <DIR> Apple
04/15/2008 01:40 AM <DIR> APPLEC~2 Apple Computer
04/15/2008 01:40 AM <DIR> APPLEC~1 Apple Computer(2)
11/07/2007 07:59 PM <DIR> ATI
04/13/2008 01:23 PM <DIR> Google
10/16/2007 12:54 AM <DIR> Grisoft
11/22/2007 06:31 PM <DIR> MICROS~1 Microsoft
05/02/2008 01:37 AM <DIR> THATFA~1 That Face Camp Shim
10/08/2007 08:21 PM <DIR> VIEWPO~1 Viewpoint
12/14/2007 05:32 AM <DIR> YAHOO!~1 Yahoo! Companion
0 File(s) 0 bytes
15 Dir(s) 22,648,410,112 bytes free
--------------------------------------------------------
All User Accounts
--------------------------------------------------------
Administrator
All Users
Owner
--------------------------------------------------------

#6 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 03 May 2008 - 12:16 AM

Hi,

* Reboot into Safe Mode (without networking support!)
To get into Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that appears and press Enter.

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders again afterwards, when we are done with this thread and your problems are solved, because the above instructions to set your system to show all files unhide legitimate files and folders as well.
I don't want you to delete them just because they may look suspicious. To hide them again, simply perform the above instructions in reverse.


Navigate to and delete the following folders:

C:\Documents and Settings\Owner\Application Data\extrainfohide
C:\Program Files\extrainfohide
C:\Documents and Settings\All Users\Application Data\That Face Camp Shim

Reboot.

After reboot, rescan with HijackThis and post a new HijackThis log plus a new log from deljob.

#7 elvy

  • Topic Starter

  • Members
  • 82 posts

Posted 03 May 2008 - 01:45 AM

I deleted the first folder but I could not find the space camp shim folder.
Here are the logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:53 PM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: run=
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Documents and Settings\Owner\Desktop\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CAMP SHIM EXIT HECK] C:\Documents and Settings\All Users\Application Data\That Face Camp Shim\wma stop.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Mpeg Glue] C:\DOCUME~1\Owner\APPLIC~1\EXTRAI~1\rdr coal manager.exe
O4 - Global Startup: Dynex Wireless Networking Utility.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 4188 bytes





--------------------------------------------------------
Backups created in C:\deljob

ACA3752B9184E73B.job
--------------------------------------------------------
Files in Windows Tasks folder

--------------------------------------------------------
Export App Data folders
--------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 1CC6-648E

Directory of C:\Documents and Settings\Owner\Application Data

05/02/2008 08:54 PM <DIR> .
05/02/2008 08:54 PM <DIR> ..
10/08/2007 08:22 PM <DIR> acccore
04/15/2008 01:39 AM <DIR> Adobe
04/01/2008 11:05 PM <DIR> APPLEC~1 Apple Computer
11/07/2007 07:59 PM <DIR> ATI
10/08/2007 09:08 PM <DIR> DivX
04/19/2008 09:25 AM <DIR> dvdcss
11/07/2007 08:36 PM <DIR> IDENTI~1 Identities
10/08/2007 07:08 PM <DIR> INSTAL~1 InstallShield
11/07/2007 10:02 PM <DIR> INTERT~1 InterTrust
03/29/2008 03:35 PM <DIR> JASCSO~1 Jasc Software Inc
04/30/2008 11:29 PM <DIR> LimeWire
10/08/2007 08:20 PM <DIR> MACROM~1 Macromedia
03/27/2008 05:01 PM <DIR> MICROS~1 Microsoft
01/11/2008 12:33 AM <DIR> MOVENE~1 Move Networks
10/08/2007 08:07 PM <DIR> Mozilla
12/31/2007 03:04 AM <DIR> Real
11/11/2007 03:09 AM <DIR> SecuROM
01/24/2008 02:20 AM <DIR> Sun
10/08/2007 09:12 PM <DIR> TRITON~1 Triton Interactive
10/09/2007 04:05 AM <DIR> vlc
10/18/2007 10:12 PM <DIR> Winamp
10/08/2007 08:39 PM <DIR> WinRAR
12/14/2007 05:32 AM <DIR> Yahoo!
0 File(s) 0 bytes
25 Dir(s) 22,649,032,704 bytes free
Volume in drive C has no label.
Volume Serial Number is 1CC6-648E

Directory of C:\Documents and Settings\All Users\Application Data

04/15/2008 01:40 AM <DIR> .
04/15/2008 01:40 AM <DIR> ..
10/08/2007 08:21 PM <DIR> AOL
10/08/2007 08:22 PM <DIR> AOLDOW~1 AOL Downloads
10/08/2007 08:21 PM <DIR> AOLOCP~1 AOL OCP
10/25/2007 06:15 PM <DIR> Apple
04/15/2008 01:40 AM <DIR> APPLEC~2 Apple Computer
04/15/2008 01:40 AM <DIR> APPLEC~1 Apple Computer(2)
11/07/2007 07:59 PM <DIR> ATI
04/13/2008 01:23 PM <DIR> Google
10/16/2007 12:54 AM <DIR> Grisoft
11/22/2007 06:31 PM <DIR> MICROS~1 Microsoft
05/02/2008 01:37 AM <DIR> THATFA~1 That Face Camp Shim
05/02/2008 08:51 PM <DIR> VIEWPO~1 Viewpoint
12/14/2007 05:32 AM <DIR> YAHOO!~1 Yahoo! Companion
0 File(s) 0 bytes
15 Dir(s) 22,649,032,704 bytes free
--------------------------------------------------------
All User Accounts
--------------------------------------------------------
Administrator
All Users
Owner
--------------------------------------------------------



And now that I deleted that folder my computer has no internet.

#8 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 03 May 2008 - 06:29 AM

Hi,

Did you uninstall RelevantKnowledge as I already asked you previously? I see it's still active and running.

This folder: C:\Documents and Settings\All Users\Application Data\That Face Camp Shim is present though. It's under the All Users profile. Most probably you have been looking under the Owner profile, so please look again.

Also, delete the C:\deljob folder.

Then reboot and post a new HijackThis log.

#9 elvy

  • Topic Starter

  • Members
  • 82 posts

Posted 06 May 2008 - 12:20 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:59 PM, on 5/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Dynex G Desktop Card Adapter\DynexWCUI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F3 - REG:win.ini: run=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Documents and Settings\Owner\Desktop\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Mpeg Glue] C:\DOCUME~1\Owner\APPLIC~1\EXTRAI~1\rdr coal manager.exe
O4 - Global Startup: Dynex Wireless Networking Utility.lnk = ?
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 3949 bytes

#10 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 06 May 2008 - 12:25 AM

Hi,

Step one...

Go to Start > Run and type cmd.
A DOS window will appear.
Type the following in the DOS window: netsh winsock reset
Hit Enter.

Reboot afterwards!!!! Important!

After reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

F3 - REG:win.ini: run=
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [!ewido] "C:\Documents and Settings\Owner\Desktop\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Mpeg Glue] C:\DOCUME~1\Owner\APPLIC~1\EXTRAI~1\rdr coal manager.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then,

* Please install Avira Antivirus: http://www.free-av.com/

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open Avira and select "Reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
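One way to triage a HijackThis log for the two entry kinds this thread acted on: O4 autostarts whose executable lives under a user profile or Application Data folder (the "That Face Camp Shim" and EXTRAI~1 entries the helper had removed), and repeated O10 "Unknown file in Winsock LSP" hooks, which is why the helper's fix ends with `netsh winsock reset` after the owning program is uninstalled. This is an added Python example, not a tool from the thread or from HijackThis; the sample log is constructed from lines in the posts above, and the path heuristics are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2.0.2 line format: a handful of entries
# copied from the logs posted in this thread (header and process list omitted).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Documents and Settings\Owner\Desktop\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [CAMP SHIM EXIT HECK] C:\Documents and Settings\All Users\Application Data\That Face Camp Shim\Axis Part.exe
O4 - HKCU\..\Run: [Mpeg Glue] C:\DOCUME~1\Owner\APPLIC~1\EXTRAI~1\rdr coal manager.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""


@dataclass
class Entry:
    section: str        # HijackThis section code, e.g. "O4", "O10"
    body: str           # everything after the "O4 - " prefix
    name: str = ""      # registry value name for O4 Run entries
    path: str = ""      # executable/library path, when one can be extracted


# Every HijackThis finding line is "<R|F|O><n> - <body>"; everything else
# (log header, running-process list, "End of file") is skipped.
LINE_RE = re.compile(r'^([RFO]\d+) - (.*)$')
O4_RE = re.compile(r'^(HK(?:LM|CU))\\\.\.\\Run: \[([^\]]*)\] (.*)$')
LSP_RE = re.compile(r'^Unknown file in Winsock LSP: (.+)$', re.I)
# A quoted path, or the unquoted command up to its first .exe/.dll/.cpl token.
CMD_PATH_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|cpl))(?:\s|$)', re.I)

# Heuristics (my assumptions, not HijackThis rules): legitimate software rarely
# autostarts from a profile directory, and 8.3 short names (EXTRAI~1) hide the
# real folder name from a casual reader of the log.
PROFILE_DIR_RE = re.compile(
    r'\\(?:documents and settings|docume~1|application data|applic~1)\\', re.I)
SHORT_NAME_RE = re.compile(r'\\[^\\]*~\d+\\')


def parse_hjt(text):
    """Parse HijackThis finding lines into Entry objects."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        e = Entry(section, body)
        if section == "O4":
            o4 = O4_RE.match(body)
            if o4:
                _hive, e.name, cmd = o4.groups()
                pm = CMD_PATH_RE.match(cmd)
                if pm:
                    e.path = pm.group(1) or pm.group(2)
        elif section == "O10":
            lsp = LSP_RE.match(body)
            if lsp:
                e.path = lsp.group(1)
        entries.append(e)
    return entries


def triage(entries):
    """Return (entry, reason) pairs that deserve a human look."""
    findings = []
    lsp_seen = {}                      # LSP module path -> hook count
    for e in entries:
        if e.section == "O10" and e.path:
            key = e.path.lower()
            lsp_seen[key] = lsp_seen.get(key, 0) + 1
        elif e.section == "O4" and e.path:
            reasons = []
            if PROFILE_DIR_RE.search(e.path):
                reasons.append("autostart runs from a user-profile/Application Data path")
            if SHORT_NAME_RE.search(e.path):
                reasons.append("8.3 short-name path component hides the real folder name")
            if reasons:
                findings.append((e, "; ".join(reasons)))
    # One finding per unknown LSP module, however many times it is chained.
    for path, n in lsp_seen.items():
        findings.append((Entry("O10", path, path=path),
                         f"unknown Winsock LSP module hooked {n} time(s); "
                         "uninstall the owning program, then run 'netsh winsock reset'"))
    return findings


def flagged(text):
    """Compact view of triage(): (section, value name or module path)."""
    return [(e.section, e.name or e.path) for e, _ in triage(parse_hjt(text))]


if __name__ == "__main__":
    for e, why in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{e.section:4} {e.name or e.path}\n     -> {why}")
```

On the constructed sample this flags the three profile-path autostarts and the doubled rlls.dll LSP hook, while the Java, AVG and BHO lines pass untouched.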

#11 elvy

  • Topic Starter

  • Members
  • 82 posts

Posted 07 May 2008 - 02:19 AM

Avira AntiVir Personal
Report file date: Tuesday, May 06, 2008 21:05

Scanning for 1165085 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: BLAH

Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 4/9/2008 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 3/18/2008 18:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 2/7/2008 17:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 2/28/2008 17:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 2/21/2008 17:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 19:33:34
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 3/7/2008 22:08:58
ANTIVIR2.VDF : 7.0.3.62 337408 Bytes 3/21/2008 04:12:34
ANTIVIR3.VDF : 7.0.3.68 57856 Bytes 3/25/2008 17:27:50
Engineversion : 8.1.0.28
AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 18:58:21
AESCRIPT.DLL : 8.1.0.19 229754 Bytes 4/8/2008 00:34:44
AESCN.DLL : 8.1.0.12 115060 Bytes 4/8/2008 00:34:44
AERDL.DLL : 8.1.0.19 418164 Bytes 4/8/2008 00:34:44
AEPACK.DLL : 8.1.1.0 364918 Bytes 3/18/2008 20:20:42
AEOFFICE.DLL : 8.1.0.15 192889 Bytes 4/8/2008 00:34:44
AEHEUR.DLL : 8.1.0.15 1147253 Bytes 4/8/2008 00:34:44
AEHELP.DLL : 8.1.0.11 115061 Bytes 4/8/2008 00:34:43
AEGEN.DLL : 8.1.0.15 299379 Bytes 4/8/2008 00:34:43
AEEMU.DLL : 8.1.0.5 430450 Bytes 4/8/2008 00:34:43
AECORE.DLL : 8.1.0.25 168309 Bytes 4/8/2008 18:58:32
AVWINLL.DLL : 1.0.0.7 14593 Bytes 1/24/2008 02:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 2/18/2008 19:37:50
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 22:26:47
AVREG.DLL : 8.0.0.0 30977 Bytes 1/24/2008 02:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 17:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 2/28/2008 17:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 02:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 1/24/2008 02:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 21:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 3/10/2008 23:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 3/6/2008 21:02:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, E:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Tuesday, May 06, 2008 21:05

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'CCC.exe' - '1' Module(s) have been scanned
Scan process 'DynexWCUI.exe' - '1' Module(s) have been scanned
Scan process 'CursorXP.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avgas.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '1' Module(s) have been scanned
Scan process 'mixer.exe' - '1' Module(s) have been scanned
Scan process 'MOM.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'bcmwltry.exe' - '1' Module(s) have been scanned
Scan process 'wltrysvc.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'guard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
35 processes with 35 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '21' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Program Files\DivoCodec\minime.exe
[DETECTION] Is the Trojan horse TR/Dldr.Swizzor.Gen
[NOTE] The file was moved to '488f351f.qua'!
C:\Program Files\DivoCodec\WakeService.exe
[DETECTION] Is the Trojan horse TR/Obfuscated.IB
[NOTE] The file was moved to '488c3517.qua'!
C:\Program Files\DivoCodec\WakeSplitter.ax
[DETECTION] Is the Trojan horse TR/Obfuscated.IB.1
[NOTE] The file was moved to '488c3518.qua'!
C:\System Volume Information\_restore{32BBEBAD-2956-48D6-960D-8021BA2E125D}\RP165\A0068526.exe
[DETECTION] Is the Trojan horse TR/Spy.Agent.G
[NOTE] The file was moved to '485135b5.qua'!
C:\System Volume Information\_restore{32BBEBAD-2956-48D6-960D-8021BA2E125D}\RP166\A0068832.exe
[DETECTION] Is the Trojan horse TR/Dldr.Swizzor.U
[NOTE] The file was moved to '485135b9.qua'!
C:\System Volume Information\_restore{32BBEBAD-2956-48D6-960D-8021BA2E125D}\RP166\A0068834.exe
[DETECTION] Is the Trojan horse TR/Dldr.Swizzor.Gen
[NOTE] The file was moved to '485135ba.qua'!
C:\System Volume Information\_restore{32BBEBAD-2956-48D6-960D-8021BA2E125D}\RP180\A0084407.exe
[DETECTION] Is the Trojan horse TR/Dldr.Swizzor.Gen
[NOTE] The file was moved to '485135e4.qua'!
C:\System Volume Information\_restore{32BBEBAD-2956-48D6-960D-8021BA2E125D}\RP180\A0084466.exe
[DETECTION] Is the Trojan horse TR/Dldr.Swizzor.U
[NOTE] The file was moved to '485135e5.qua'!
C:\System Volume Information\_restore{32BBEBAD-2956-48D6-960D-8021BA2E125D}\RP184\A0086570.exe
[DETECTION] Is the Trojan horse TR/Dldr.Swizzor.Gen
[NOTE] The file was moved to '485135ea.qua'!
C:\System Volume Information\_restore{32BBEBAD-2956-48D6-960D-8021BA2E125D}\RP184\A0086571.exe
[DETECTION] Is the Trojan horse TR/Obfuscated.IB
[NOTE] The file was moved to '49363dbb.qua'!
C:\System Volume Information\_restore{32BBEBAD-2956-48D6-960D-8021BA2E125D}\RP184\A0086572.ax
[DETECTION] Is the Trojan horse TR/Obfuscated.IB.1
[NOTE] The file was moved to '485135ec.qua'!
Begin scan in 'E:\' <New Volume>
E:\Documents and Settings\admin\Application Data\Sun\Java\Deployment\cache\6.0\11\26d5200b-5a095149
[0] Archive type: ZIP
--> GetAccess.class
[DETECTION] Contains detection pattern of the Java virus JAVA/ClassLoader.D
--> InsecureClassLoader.class
[DETECTION] Is the Trojan horse TR/Forten.Java.2.B
--> Dummy.class
[DETECTION] Is the Trojan horse TR/Forten.Java.2
--> Installer.class
[DETECTION] Is the Trojan horse TR/Dldr.OpenConn.F
[NOTE] The file was moved to '48853722.qua'!
E:\Documents and Settings\admin\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-31f24d5b
[0] Archive type: ZIP
--> vmain.class
[DETECTION] Contains detection pattern of the exploits EXP/Java.Gimsh.B.1
[NOTE] The file was moved to '4855371d.qua'!
E:\Documents and Settings\admin\Application Data\Sun\Java\Deployment\cache\6.0\36\38a7324-2308f992
[0] Archive type: ZIP
--> BlackBox.class
[DETECTION] Contains detection pattern of the Java virus JAVA/BlackBox.AA.2
--> VerifierBug.class
[DETECTION] Contains detection pattern of the Java virus JAVA/BlackBox.AA.4
--> Dummy.class
[DETECTION] Contains detection pattern of the Java virus JAVA/BlackBox.AA.3
--> Beyond.class
[DETECTION] Contains detection pattern of the Java virus JAVA/BlackBox.AA.1
[NOTE] The file was moved to '48823726.qua'!
E:\Documents and Settings\admin\Application Data\Sun\Java\Deployment\cache\6.0\56\3c28cc78-2707e154
[0] Archive type: ZIP
--> HiPointInstallShieldRT.class
[DETECTION] Is the Trojan horse TR/Java.Downloader.Gen
[NOTE] The file was moved to '48533752.qua'!
E:\Documents and Settings\admin\Application Data\Sun\Java\Deployment\cache\6.0\56\4380ebb8-7a0de462
[0] Archive type: ZIP
--> HiPointInstallShieldRT.class
[DETECTION] Is the Trojan horse TR/Java.Downloader.Gen
[NOTE] The file was moved to '48593723.qua'!
E:\Documents and Settings\admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7308621b-7bf403aa.zip
[DETECTION] Contains detection pattern of the Java virus JAVA/ClassLoader.D
[NOTE] The file was moved to '48823760.qua'!
E:\Documents and Settings\admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-35d7c404-45fb42d9.zip
[DETECTION] Contains detection pattern of the Java virus JAVA/BlackBox.AA.2
[NOTE] The file was moved to '48963764.qua'!
E:\Documents and Settings\admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-27406485-2ba9a144.zip
[0] Archive type: ZIP
--> HiPointInstallShieldRT.class
[DETECTION] Is the Trojan horse TR/Java.Downloader.Gen
[NOTE] The file was moved to '48753747.qua'!
E:\Documents and Settings\admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-78522089-67f72e21.zip
[0] Archive type: ZIP
--> HiPointInstallShieldRT.class
[DETECTION] Is the Trojan horse TR/Java.Downloader.Gen
[NOTE] The file was moved to '491b0af8.qua'!
E:\Documents and Settings\admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-44588de3.zip
[0] Archive type: ZIP
--> vmain.class
[DETECTION] Contains detection pattern of the exploits EXP/Java.Gimsh.B.1
[NOTE] The file was moved to '488e376c.qua'!
E:\Documents and Settings\admin\Desktop\setup.exe
[DETECTION] Is the Trojan horse TR/Zlob.CA.58
[NOTE] The file was moved to '48953792.qua'!
E:\Documents and Settings\admin\Desktop\D2BF\pvpgn-1.8.0rc1\D2GS\D2GSSVC.exe
[DETECTION] Contains suspicious code HEUR/Malware
[NOTE] The fund was classified as suspicious.
[NOTE] The file was moved to '4868378a.qua'!
E:\Documents and Settings\admin\Desktop\D2BF\pvpgn-1.8.0rc1\D2GS\D2GS-110\D2GSSVC.exe
[DETECTION] Contains suspicious code HEUR/Malware
[NOTE] The fund was classified as suspicious.
[NOTE] The file was moved to '4868378e.qua'!
E:\Documents and Settings\admin\My Documents\pvpgn-1.8.zip
[0] Archive type: ZIP
--> pvpgn-1.8.0rc1/D2GS/D2GS-110/D2GSSVC.exe
[DETECTION] Contains suspicious code HEUR/Malware
[NOTE] The file was moved to '48913ccc.qua'!
E:\Documents and Settings\admin\My Documents\download\greemneo17\pvpgn-1.8.zip
[0] Archive type: ZIP
--> pvpgn-1.8.0rc1/D2GS/D2GS-110/D2GSSVC.exe
[DETECTION] Contains suspicious code HEUR/Malware
[NOTE] The file was moved to '48913cd8.qua'!
E:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\inst.exe
[DETECTION] Contains detection pattern of a probably damaged sample CC/Agent.CZ
[NOTE] The file was moved to '48943cfe.qua'!
E:\System Volume Information\_restore{32BBEBAD-2956-48D6-960D-8021BA2E125D}\RP184\A0086573.exe
[DETECTION] Is the Trojan horse TR/Zlob.CA.58
[NOTE] The file was moved to '48514590.qua'!
E:\System Volume Information\_restore{32BBEBAD-2956-48D6-960D-8021BA2E125D}\RP184\A0086574.exe
[DETECTION] Contains suspicious code HEUR/Malware
[NOTE] The fund was classified as suspicious.
[NOTE] The file was moved to '48514591.qua'!
E:\System Volume Information\_restore{32BBEBAD-2956-48D6-960D-8021BA2E125D}\RP184\A0086575.exe
[DETECTION] Contains suspicious code HEUR/Malware
[NOTE] The fund was classified as suspicious.
[NOTE] The file was moved to '49364dc2.qua'!
E:\System Volume Information\_restore{32BBEBAD-2956-48D6-960D-8021BA2E125D}\RP184\A0086576.exe
[DETECTION] Contains detection pattern of a probably damaged sample CC/Agent.CZ
[NOTE] The file was moved to '48514593.qua'!


End of the scan: Tuesday, May 06, 2008 23:57
Used time: 2:51:22 min

The scan has been done completely.

11332 Scanning directories
331538 Files were scanned
27 viruses and/or unwanted programs were found
10 Files were classified as suspicious:
0 files were deleted
0 files were repaired
31 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
331511 Files not concerned
2701 Archives were scanned
1 Warnings
31 Notes





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:07 AM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Dynex G Desktop Card Adapter\DynexWCUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - Global Startup: Dynex Wireless Networking Utility.lnk = ?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 3984 bytes

Edited by elvy, 07 May 2008 - 02:20 AM.


#12 miekiemoes (Malware Response Team)

Posted 07 May 2008 - 02:56 AM

Hi,

Please navigate to and delete this folder:

C:\Program Files\DivoCodec


Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 elvy (Topic Starter)

Posted 07 May 2008 - 04:29 PM

Thank you for your time and effort. I just repaired my internet connection and the problem is fixed.

#14 miekiemoes (Malware Response Team)

Posted 07 May 2008 - 04:39 PM

Glad I could help. :thumbsup:

Please read my Prevention page, which has lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#15 miekiemoes (Malware Response Team)

Posted 11 May 2008 - 01:40 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.