
Hjt Logs - Kunoichi


6 replies to this topic

#1 kunoichi (Members, 4 posts)

Posted 09 November 2005 - 10:00 PM

Hi,

I've been having problems with popups and slow system performance which Spybot S&D and Ad-Aware haven't been able to cure. This computer is shared by the rest of my family, so really, who knows what could be on it.


Logfile of HijackThis v1.99.1
Scan saved at 1:04:28 PM, on 10/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Peter\Desktop\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://telstra.com/index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
O2 - BHO: ActivateBand Class - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "c:\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Central"
O4 - HKCU\..\Run: [Internet Washer Pro] C:\PROGRA~1\INTERN~2\iw.exe min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless LAN Card Utility 2.0.lnk = C:\Program Files\Wireless LAN Card Utility 2.0\Utility.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c18.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://i.rn11.com/iwasher/pptproactauthmir...etwasherpro.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{62F0E398-A8B2-41DC-80C5-2732AC3AE1BE}: NameServer = 61.9.128.14,61.9.192.15
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe


#2 g2i2r4 (Malware remover; Members, 900 posts)

Posted 10 November 2005 - 04:43 AM

Welcome kunoichi to Bleeping Computer.

Please remove SurfAccuracy and Internet Washer:
Move to Start > Settings > Control Panel
Double click Add/Remove Programs.
Within Add/Remove programs click the "Install/Uninstall" tab or click the "Change or Remove Programs" button.
Within this section you will see a listing of programs that are currently installed that support this feature. If the program I’m advising you to uninstall is listed within this list, highlight it and click the Add/Remove or uninstall option or button.

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe

O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "c:\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Central"

O4 - HKCU\..\Run: [Internet Washer Pro] C:\PROGRA~1\INTERN~2\iw.exe min

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c18.cab

O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://i.rn11.com/iwasher/pptproactauthmir...etwasherpro.cab

O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Please delete this file:
c:\Temp\DELDIR0.EXE

***

Reboot the computer.

***


Run the free Panda ActiveScan.
  • Click on Scan your PC. A new browser window will open with Panda ActiveScan. If this is the first time you scan your PC, you'll have to download the ActiveX controls (8 MB).
  • A new window will open
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When the download is complete, click on 1click active scan (top right hand corner) to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log by using Add Reply.


Life is what happens while you're making other plans
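The HijackThis log quoted in post #1 is a simple line-oriented format: each entry is a section code (R0, O4, O16, O23, ...), a separator, and a section-specific body. The review g2i2r4 performs by eye on that log can be written down as a small checker. The script below is an added example, not code from this thread or from HijackThis: it parses the O4 autorun and O16 DPF (ActiveX download) entries and applies three checks, namely autorun names on a watchlist (here constructed from the two programs g2i2r4 asks to uninstall), autoruns that launch from a Temp directory (the DELDIR0.EXE RunOnce entry), and DPF downloads from hosts outside a trusted-host allowlist. The sample log (a subset of post #1), the watchlist and the allowlist are all constructed for this example; the allowlist in particular is a reviewer's own trust decision, not a list published anywhere.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the HijackThis v1.99.1 log lines that
# kunoichi posted in post #1, embedded here as offline test input.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:04:28 PM, on 10/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\SurfAccuracy\SAcc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://telstra.com/index.jsp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "c:\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Central"
O4 - HKCU\..\Run: [Internet Washer Pro] C:\PROGRA~1\INTERN~2\iw.exe min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg SchedulerV2.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c18.cab
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://i.rn11.com/iwasher/pptproactauthmir...etwasherpro.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

# One HJT entry per line: "<section> - <body>". Sections are R/F/N/O + number.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# O4 registry autoruns: "<hive\..\Run>: [<name>] <command line>".
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O16 ActiveX downloads: "DPF: {<clsid>} (<name>) - <url>", name optional.
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
# A path component named "Temp" anywhere in the command line.
TEMP_DIR_RE = re.compile(r"(?:^|\\)temp\\", re.IGNORECASE)

# Constructed watchlist: the two programs g2i2r4 told kunoichi to uninstall.
WATCHLIST_NAMES = ("surfaccuracy", "internet washer")
# Constructed allowlist of DPF download hosts the reviewer chooses to trust.
TRUSTED_DPF_HOSTS = ("msn.com", "microsoft.com", "pandasoftware.com")


def parse_hjt_log(text):
    """Return every (section, body) entry in a HijackThis log, in order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def host_is_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def review_log(text):
    """Apply the three checks; return (section, subject, reasons) per flagged entry."""
    findings = []
    for section, body in parse_hjt_log(text):
        reasons = []
        subject = None
        if section == "O4":
            m = O4_RE.match(body)
            if not m:
                continue  # Startup-folder entries have another shape; not reviewed here
            subject, cmd = m.group("name"), m.group("cmd")
            if any(w in subject.lower() for w in WATCHLIST_NAMES):
                reasons.append("autorun name is on the adware watchlist")
            if TEMP_DIR_RE.search(cmd):
                reasons.append("autorun launches from a Temp directory")
        elif section == "O16":
            m = O16_RE.match(body)
            if not m:
                continue
            subject = urlsplit(m.group("url")).hostname or ""
            if not host_is_trusted(subject):
                reasons.append("DPF download host is not on the trusted-host allowlist")
        if reasons:
            findings.append((section, subject, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for section, subject, reasons in review_log(SAMPLE_LOG):
        print(f"{section:4} {subject:28} {reasons}")
```

Run against the sample, the checker flags exactly the six entries g2i2r4 lists for Fix Checked (three O4 autoruns and three O16 DPF downloads) and leaves the AVG, ctfmon and MSN Messenger entries alone. The Temp-directory heuristic is deliberately narrow; a real review would also look at O2 BHOs, O17 name servers and O23 services, which the script parses but does not judge.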

#3 kunoichi (Topic Starter; Members, 4 posts)

Posted 16 November 2005 - 05:04 AM

Thanks for your help!


Panda Active Scan log:


Incident Status Location

Adware:Adware/SaveNow No disinfected C:\Program Files\BearShare\Installer\saveinstwm.exe
Adware:Adware/KeenValue No disinfected C:\Program Files\Kazaa\PerfectNavUninstall.exe
Spyware:Spyware/Altnet No disinfected C:\Temp\asmfiles.cab
Spyware:Spyware/Altnet No disinfected C:\Temp\asmfiles.cab[asm.exe]
Spyware:Spyware/Altnet No disinfected C:\Temp\asmfiles.cab[asmps.dll]
Adware:adware/gator No disinfected C:\Temp\bundle.inf
Adware:adware/sahagent No disinfected C:\Temp\cdt1004.sah
Spyware:Spyware/Cydoor No disinfected C:\Temp\cd_clint.dll
Spyware:spyware/dyfuca No disinfected C:\Temp\cfout.txt
Adware:Adware/nCase No disinfected C:\Temp\Del51.tmp
Adware:Adware/SAHAgent No disinfected C:\Temp\JB7P4BH4.dll
Spyware:Spyware/Dyfuca No disinfected C:\Temp\optimize.exe
Adware:Adware/P2PNetworking No disinfected C:\Temp\p2psetup.exe
Adware:Adware/nCase No disinfected C:\Temp\resC7.tmp
Adware:Adware/SAHAgent No disinfected C:\Temp\sahagent-cdt1004.exe
Adware:Adware/SaveNow No disinfected C:\Temp\saveinstwm.exe
Adware:Adware/SAHAgent No disinfected C:\Temp\setup4002b.cab
Adware:Adware/SAHAgent No disinfected C:\Temp\setup4002b.cab[lkir8l2gm_.dll]
Adware:Adware/SAHAgent No disinfected C:\Temp\setup4002b.cab[abasa5jrp_.exe]
Adware:Adware/SAHAgent No disinfected C:\Temp\setup4002b.cab[u6f6uftuc_.exe]
Adware:Adware/SAHAgent No disinfected C:\Temp\setup4002b.cab[hochkaod3_.exe]
Adware:Adware/SAHAgent No disinfected C:\Temp\setup4002b.cab[u6f6uftuc_.ini]
Adware:Adware/SAHAgent No disinfected C:\Temp\setup4002b.cab[hochkaod3_.ini]
Adware:Adware/SAHAgent No disinfected C:\Temp\setup4002b.cab[setup4002b.ini]
Adware:Adware/SAHAgent No disinfected C:\Temp\setup4002b.cab[webinstaller.dll]
Adware:Adware/SurfAccuracy No disinfected C:\Temp\uninstall.exe
Spyware:Spyware/Altnet No disinfected C:\Temp\__unin__.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\setup4002b.ini
Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32a.sys
Adware:adware/wupd No disinfected C:\WINDOWS\system32\ide21201.vxd
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\Temp\Altnet\adm.exe
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\Temp\Altnet\adm25.dll
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\Temp\Altnet\adm4.dll
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\Temp\Altnet\admdata.dll
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\Temp\Altnet\admdloader.dll
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\Temp\Altnet\admfdi.dll
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\Temp\Altnet\admprog.dll
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\Temp\Altnet\dmfiles.cab
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\Temp\Altnet\dmfiles.cab[AltnetUninstall.exe]
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\Temp\Altnet\dmfiles.cab[asmend.exe]
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\Temp\Altnet\pmexe.cab
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\Temp\Altnet\pmexe.cab[Points Manager.exe]
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\Temp\Altnet\pmfiles.cab
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\Temp\Altnet\pmfiles.cab[sysdetect.dll]
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\Temp\Altnet\Setup.exe


Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 9:02:45 PM, on 16/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Peter\Desktop\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://telstra.com/index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
O2 - BHO: ActivateBand Class - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless LAN Card Utility 2.0.lnk = C:\Program Files\Wireless LAN Card Utility 2.0\Utility.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{62F0E398-A8B2-41DC-80C5-2732AC3AE1BE}: NameServer = 61.9.128.14,61.9.192.15
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe

#4 g2i2r4 (Malware remover; Members, 900 posts)

Posted 17 November 2005 - 05:18 AM

Let's remove the temporary files:

Download CleanUp!
If that doesn’t work, use this link.
Here is a tutorial which describes its usage:
http://www.bleepingcomputer.com/tutorials/how-to-use-cleanup/

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options"
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

Once it's done, press Close. Reboot the system. This will remove files that were in use during the scan.

***
  • Open HijackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from Notepad into your post




#5 kunoichi (Topic Starter; Members, 4 posts)

Posted 22 November 2005 - 01:36 AM

Thanks! Here's the list:

ACDSee
Ad-aware 6 Personal
Adobe Acrobat 4.0
AVG Free Edition
BearShare
BigPond Toolbar
Canon S820
CleanUp!
ContextPlus
DiMAGE Viewer
Easy Access Button Support
Express Rip Uninstall
General USB Card Reader
Greetings Workshop Deluxe
HijackThis 1.99.1
Intel® Extreme Graphics Driver
Intel® PRO Ethernet Adapter and Software
Intel® PROSet II
Internet Optimizer
IomegaWare
iriverter 0.14
JLIP VideoCapture3.1
JLIP VideoProducer2.0
Macromedia Flash Player 8
Macromedia Shockwave Player
Mega Solitaire
Microsoft Data Access Components KB870669
Microsoft Encarta 99 Encyclopedia
Microsoft Global IME for Office XP (Japanese)
Microsoft Office PowerPoint Viewer 2003
Microsoft Office XP Small Business
Minolta DiMAGE remote camera driver
mIRC
MSN Messenger 7.0
Panda ActiveScan
QuickTime
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Shockwave
Software Setup
SoundMAX
Spybot - Search & Destroy 1.2
SpywareBlaster v3.4
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
VideoLAN VLC media player 0.8.2
Webster's Encyclopedia of Australia 2000
Webster's World Encyclopedia 2000
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip
Wireless LAN Card Utility 2.0
WordWeb

Edited by kunoichi, 22 November 2005 - 01:36 AM.


#6 g2i2r4 (Malware remover; Members, 900 posts)

Posted 24 November 2005 - 02:03 PM

Download the Killbox version 2.0.0.473.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each.

C:\WINDOWS\Downloaded Program Files\setup4002b.ini
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\system32\ide21201.vxd


For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Please remove:
Internet Optimizer
Spybot - Search & Destroy 1.2 => current version is 1.4

Move to Start > Settings > Control Panel
Double click Add/Remove Programs.
Within Add/Remove programs click the "Install/Uninstall" tab or click the "Change or Remove Programs" button.
Within this section you will see a listing of programs that are currently installed that support this feature. If the program I’m advising you to uninstall is listed within this list, highlight it and click the Add/Remove or uninstall option or button.

***

Reboot the computer.

***

Download the current version of Spybot (1.4).
Make sure it's up to date and let it scan. Remove items found in red.


Please reboot again and rerun Panda to see what's left.



#7 kunoichi (Topic Starter; Members, 4 posts)

Posted 05 February 2006 - 01:00 AM

Followed all instructions; Panda found 15 pieces of spyware and 1 'Joke'.


Incident Status Location

Adware:Adware/SAHAgent Not disinfected C:\!KillBox\setup4002b.ini
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Peter\Cookies\peter@ad.sensismediasmart.com[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Peter\Cookies\peter@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Peter\Cookies\peter@adopt.hbmediapro[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Peter\Cookies\peter@belnk[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Peter\Cookies\peter@burstnet[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Peter\Cookies\peter@com[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Peter\Cookies\peter@dist.belnk[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Peter\Cookies\peter@go[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Peter\Cookies\peter@stats1.reliablestats[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Peter\Cookies\peter@xiti[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Peter\Cookies\peter@yadro[1].txt
Virus:Exploit/Metafile Disinfected C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\WLYB012R\xxx[1].wmf
Joke:Joke/Stress Not disinfected C:\Documents and Settings\Peter\My Documents\Jessicas Documents\Transfer Disks\Transfer Disk 2\Games\stressreducers.exe
Adware:Adware/SaveNow Not disinfected C:\Program Files\BearShare\Installer\saveinstwm.exe
Adware:Adware/KeenValue Not disinfected C:\Program Files\Kazaa\PerfectNavUninstall.exe
Spyware:application/bestoffer Not disinfected C:\WINDOWS\smdat32m.sys



