Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help Remove Antivirus Xp 2008


  • This topic is locked This topic is locked
2 replies to this topic

#1 spydertl182

spydertl182

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:32 PM

Posted 30 June 2008 - 03:55 AM

OK, so I am infected with the Antivirus 2008 XP. The usual nonstop popups, blue background, etc. I have run the Kaspersky and DSS scans. The DSS Scan would "encounter a problem and need to close" when it would get to cleaning temporary files. I had closed out all windows and programs so I don't know why the error message. So I never got a DSS log, but I did go ahead and run a Hijack this log. I have also run the Malwarebytes' Anti-Malware scanner. I am posting logs from each below. I would appreciate help in guiding me to remove the problem. Thanks.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, June 30, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, June 30, 2008 03:41:34
Records in database: 897981
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 120144
Threat name: 12
Infected objects: 46
Suspicious objects: 0
Duration of the scan: 02:54:26


File name / Threat name / Threats count
C:\Program Files\rhcrl9j0ejcg\rhcrl9j0ejcg.exe/C:\Program Files\rhcrl9j0ejcg\rhcrl9j0ejcg.exe Infected: Trojan-Downloader.Win32.FraudLoad.vadt 1
C:\!Submit\5oqh3obb.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao 1
C:\!Submit\a0e112fc.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao 1
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b 3
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.PurityScan.q 1
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Agent.ec 1
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.EZula 1
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Apropo.v 1
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b 3
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.PurityScan.q 1
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Agent.ec 1
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.EZula 1
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Apropo.v 1
C:\Documents and Settings\Carol\Local Settings\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe Infected: not-a-virus:Downloader.Win32.ImLoader.e 1
C:\Documents and Settings\Clay\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b 3
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.PurityScan.q 1
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Agent.ec 1
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.EZula 1
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Apropo.v 1
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b 3
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.PurityScan.q 1
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Agent.ec 1
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.EZula 1
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Apropo.v 1
C:\Program Files\rhcrl9j0ejcg\rhcrl9j0ejcg.exe Infected: Trojan-Downloader.Win32.FraudLoad.vadt 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP82\A0075298.dll Infected: Trojan-Downloader.Win32.Small.vem 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP82\A0075299.dll Infected: Trojan-Downloader.Win32.Small.vem 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP82\A0075305.exe Infected: Worm.Win32.Socks.kl 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP82\A0075306.exe Infected: Worm.Win32.Socks.kl 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP82\A0075308.dll Infected: Trojan-Downloader.Win32.Small.vem 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP82\A0076977.dll Infected: Trojan-Downloader.Win32.Small.vem 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP82\A0076978.dll Infected: Trojan-Downloader.Win32.Small.vem 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP82\A0076981.exe Infected: Worm.Win32.Socks.kl 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP82\A0076982.exe Infected: Worm.Win32.Socks.kl 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP82\A0076983.dll Infected: Trojan-Downloader.Win32.Small.vem 1
C:\WINDOWS\SYSTEM32\DRIVERS\spools.exe Infected: Worm.Win32.Socks.kl 1
C:\WINDOWS\SYSTEM32\pphcvl9j0ejcg.exe Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1

The selected area was scanned.





Malwarebytes' Anti-Malware 1.19 Log:

Malwarebytes' Anti-Malware 1.19
Database version: 905
Windows 5.1.2600 Service Pack 2

11:45:09 PM 6/29/2008
mbam-log-6-29-2008 (23-45-09).txt

Scan type: Quick Scan
Objects scanned: 50745
Time elapsed: 19 minute(s), 59 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 2
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 18

Memory Processes Infected:
C:\WINDOWS\SYSTEM32\pphcvl9j0ejcg.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\Documents and Settings\LocalService\cftmon.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\Documents and Settings\LocalService\ftp34.dll (Trojan.DNSChanger) -> Unloaded module successfully.
C:\Program Files\rhcrl9j0ejcg\rhcrl9j0ejcgSkin.Dll (Rogue.AntivirusXP2008) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\vccpgdataaccess.pgdataaccessctrl.1 (Adware.Delphinmediaviewer) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\ImagePath (Hijack.Service) -> Bad: (C:\WINDOWS\system32\drivers\spools.exe) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\LocalService\ftp34.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\rhcrl9j0ejcg\rhcrl9j0ejcgSkin.Dll (Rogue.AntivirusXP2008) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\pphcvl9j0ejcg.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\ftp34.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\Clay\ftp34.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\blphcvl9j0ejcg.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lphcvl9j0ejcg.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\phcvl9j0ejcg.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Clay\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Clay\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:49:09, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\Common Files\AOL\1107667863\ee\AOLSoftware.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\rhcrl9j0ejcg\rhcrl9j0ejcg.exe
C:\WINDOWS\system32\pphcvl9j0ejcg.exe
C:\Documents and Settings\Clay\Desktop\dss.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Clay\Local Settings\Temporary Internet Files\Content.IE5\NZXIRTK9\HiJackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1107667863\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB002" /M "Stylus CX6600"
O4 - HKLM\..\Run: [UpdReg] "C:\WINDOWS\UpdReg.EXE"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0k\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Subscribe to this feed - file://C:\Documents and Settings\Clay\Application Data\AOL Fanfare\subscribe.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0612502E-29F8-11D6-BC3C-00C0F0167E34} (CRS Inc. Data Object) - http://crsdata.net/CRSDataObject/CRSNInfo.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} - http://www.turntool.com/ViewerInstall.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - ftp://ftp.flagshipgis.net/mapguide/mgviewer63/mgaxctrl.cab
O16 - DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/download/files/w...tall/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://68.153.49.2/activex/AxisCamControl.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://111.kueblerbuilders.net/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{47BA1C40-CA2F-42BE-AE8E-44816210754E}: NameServer = 68.59.176.5
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Aluria Spyware Eliminator Service (ASEService) - Unknown owner - C:\Program Files\Aluria Software\ASE\ASEserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - Unknown owner - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 10878 bytes

BC AdBot (Login to Remove)

 


#2 Simon V.

Simon V.

  • Members
  • 439 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:32 AM

Posted 03 July 2008 - 02:28 PM

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

Step 1

Please download and install CCleaner.

Open CCleaner. On the Windows tab, leave the default options alone.
  • On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
  • Click on the Run Cleaner button at the bottom right hand corner.
  • When the cleaner has completed, click Tools in the Left Pane.
  • Verify that Uninstall is highlighted in color, or click on it.
  • In the lower right, click Save to Text File.
  • Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
  • You can leave the filename as install.txt.
  • Click Save, then exit Ccleaner.
Step 2

Print these instructions or copy them to Notepad and save it to your desktop, as you won't be able to access internet in Safe Mode.

Please download SDFix and save it to your desktop.

Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows directory, typically C:\SDFix)

Please reboot into Safe Mode. To do this, go to Start > Turn off Computer, and select Restart. Rapidly tap F8 just before Windows starts to load. In the menu that appears, select Safe Mode (Without Networking)

Log in to your usual account.

Once in Safe Mode, do the following:

Open the extracted SDFix folder and double-click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any trojan services and registry entries that it finds, then prompt you to press any key to reboot; press any key and it will restart the PC.
  • When the PC restarts SDFix will run again and complete the removal process then display Finished. Press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to clipboard ready for posting back on the forum).
Step 3

Please ensure that your copy of Deckard's System Scanner (dss.exe) is located on your desktop. If needed, you can download it from here > http://www.techsupportforum.com/sectools/Deckard/dss.exe

It's important that it located directly on your desktop, otherwise the following will not work.

Go to Start > Run... and copy/paste the text below into it -

"%userprofile%\desktop\dss.exe" /config

... then press Enter. When prompted, press OK.

The DSS Configuration window will open. Please untick Temp Cleanup and Event Logs, then press Scan!.

When it has finished, Deckard's System Scanner will open two Notepad files: main.txt and extra.txt - please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply, along with the CCleaner Uninstall List (install.txt) and the SDFix log (C:\SDFix\Report.txt).

Edited by Simon V., 03 July 2008 - 02:36 PM.

Simon V.

Posted Image
Posted Image

So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

My help at this forum is free, but if you wish to make a donation to help me continue the fight against malware - click here.

#3 Simon V.

Simon V.

  • Members
  • 439 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:32 AM

Posted 11 July 2008 - 10:23 AM

Due to inactivity this topic will be closed.

If you need help please start a new thread and post a new HijackThis log.
Simon V.

Posted Image
Posted Image

So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

My help at this forum is free, but if you wish to make a donation to help me continue the fight against malware - click here.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users