Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Several Adwares


  • Please log in to reply
88 replies to this topic

#1 Flora

Flora

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:08:12 AM

Posted 12 November 2005 - 07:21 PM

Hi, I have paid approx $60 for Xoft and Spyware Detector today as I have been desperate to remove the adwares that are ruining my life. Spyware Detector seemed to have removed some of them but most of them, including the most annoying “Registry Cleaner” still exists. I’m having to type this desperate plead for help in Word as the adwares take-over approx every three minutes and all previous work is lost. Hope you could help. Your time and assistance is much appreciated!


Logfile of HijackThis v1.99.1
Scan saved at 18:20:42, on 19/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\SpywareDetectorSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\windat.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\WINDOWS\System32\google.exe
D:\Program Files\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SYSCFG16.EXE
C:\windows\adtech2005.exe
C:\WINDOWS\System32\SDSystemTray.exe
C:\Program Files\SpywareDetector\SDMonitor.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\scchost.exe
C:\WINDOWS\System32\scchostc.exe
C:\WINDOWS\etb\pokapoka79.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.clicktomakeasearch.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [google] google.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitehfe32.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\WINDOWS\System32\SDSystemTray.exe
O4 - HKLM\..\Run: [MonitorSD] C:\Program Files\SpywareDetector\SDMonitor.exe
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\WINDOWS\System32\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [23 etadpU tfosorciM] wininit32.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKLM\..\RunServices: [google] google.exe
O4 - HKLM\..\RunServices: [23 etadpU tfosorciM] wininit32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128378889312
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://theushers.multiply.com/photos/uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD30C97E-9B20-4F69-949F-049368C0EB7F}: NameServer = 80.189.92.2 80.189.94.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\azam07f1e.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SG9hbmc\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Windows Anti Virus (MSAV32) - Unknown owner - C:\WINDOWS\MSAV32.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: winauthm (spdauth) - Unknown owner - C:\WINDOWS\spdauth.exe
O23 - Service: wincheck (spdcheck) - Unknown owner - C:\WINDOWS\spdcheck.exe
O23 - Service: SpyDetectSVC - Max Secure Technologies - C:\WINDOWS\System32\SpywareDetectorSVC.exe
O23 - Service: Windows Archiver (winarc) - Unknown owner - C:\WINDOWS\windat.exe

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:12 AM

Posted 12 November 2005 - 09:55 PM

Download this program:

submit files packer

Highlight the files listed below in bold and right-click and selecting copy.


C:\windows\timessquare.exe
C:\windows\adtech2005.exe
C:\WINDOWS\System32\SDSystemTray.exe
C:\Program Files\SpywareDetector\SDMonitor.exe
C:\WINDOWS\System32\LiveUpdateSD.exe
c:\windows\system32\wininit32.exe


Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

I will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.

#3 Flora

Flora
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:08:12 AM

Posted 12 November 2005 - 10:24 PM

Thanks for taking the time to help. The instructions were very thorough (I am no computer expert!) and I have now successfully submitted the file. I look forward to your response. Thanks again!

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:12 AM

Posted 12 November 2005 - 11:33 PM

Just need to get a few more samples and then we will start cleaning up your computer :thumbsup:


Highlight the files listed below in bold and right-click and selecting copy.


C:\WINDOWS\windat.exe
C:\WINDOWS\System32\scchost.exe
C:\WINDOWS\System32\scchostc.exe
c:\windows\wininit32.exe


Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

I will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.

When that is done, lets get started removing the elite toolbar.

Please download LQfix.exe from one of the following locations:

http://www.downloads.subratam.org/LQfix.exe
http://miekiemoes.geekstogo.com/tools/LQfix.exe

Save it to your desktop.
  • Double-Click LQfix.exe and click Next > Next > Install.
  • Leave the default settings, if you change them, the fix will Fail!
  • You need an active internetconnection, so make sure your you're not blocking any connection now.
  • Now make sure the "Launch LQfix" box is checked.
  • Click the Finish button, after clicking the Finish button the fix will start.
  • Follow the on-screen prompts.
  • Your system will reboot afterwards.
  • Please be patient after the reboot, there is a script running in the background that needs to complete.
Then do a scan with HJT and post a new log by using Add Reply

#5 Flora

Flora
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:08:12 AM

Posted 13 November 2005 - 12:35 AM

Thanks again.

Not sure whether I've done the first part right. The last part of the message reads:

LQfirst.bfu and /or LQsecond.bfu NOT PRESENT! Please post this at the forum
Press any key to continue...

I then pressed a key; window closed then I re-started the computer manually and scanned with HJT:

Logfile of HijackThis v1.99.1
Scan saved at 23:37:41, on 19/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\SpywareDetectorSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\windat.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\WINDOWS\System32\google.exe
D:\Program Files\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SYSCFG16.EXE
C:\WINDOWS\System32\SDSystemTray.exe
C:\Program Files\SpywareDetector\SDMonitor.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\scchost.exe
C:\WINDOWS\System32\cmd.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\etb\pokapoka79.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [google] google.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitehfe32.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\WINDOWS\System32\SDSystemTray.exe
O4 - HKLM\..\Run: [MonitorSD] C:\Program Files\SpywareDetector\SDMonitor.exe
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\WINDOWS\System32\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [23 etadpU tfosorciM] wininit32.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [Alive SYstem] C:\WINDOWS\System32\scchost.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKLM\..\RunServices: [google] google.exe
O4 - HKLM\..\RunServices: [23 etadpU tfosorciM] wininit32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128378889312
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37390.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://theushers.multiply.com/photos/uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD30C97E-9B20-4F69-949F-049368C0EB7F}: NameServer = 80.189.92.2 80.189.94.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\o2nslc571f.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SG9hbmc\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Windows Anti Virus (MSAV32) - Unknown owner - C:\WINDOWS\MSAV32.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: winauthm (spdauth) - Unknown owner - C:\WINDOWS\spdauth.exe
O23 - Service: wincheck (spdcheck) - Unknown owner - C:\WINDOWS\spdcheck.exe
O23 - Service: SpyDetectSVC - Max Secure Technologies - C:\WINDOWS\System32\SpywareDetectorSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Archiver (winarc) - Unknown owner - C:\WINDOWS\windat.exe

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:12 AM

Posted 13 November 2005 - 12:55 AM

Download the scripts manually from here:

http://users.telenet.be/bluepatchy/miekiem...ols/LQfirst.bfu
http://users.telenet.be/bluepatchy/miekiem...ls/LQsecond.bfu

Download them to the folder: c:\windows\LQfix

Then double-click on the ClickThis.bat file in the c:\windows\LQfix-folder

Then do a scan with HJT and post a new log by using Add Reply

#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:12 AM

Posted 13 November 2005 - 01:06 AM

Sorry to keep doing this to you, but I need some more files :thumbsup:

Download this program:

submit files packer

Highlight the files listed below in bold and right-click and selecting copy.


C:\WINDOWS\spdauth.exe
C:\WINDOWS\spdcheck.exe
C:\WINDOWS\MSAV32.exe



Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

I will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.

#8 Flora

Flora
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:08:12 AM

Posted 13 November 2005 - 10:36 AM

Hi. Sorry to sound stupid but I don't know how to download the files manually. I have tried clicking on the links but the pages are not available. I have sent another cab file. Your help is much appreciated!

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:12 AM

Posted 13 November 2005 - 10:07 PM

I apologize...you can download them these links:

http://users.telenet.be/bluepatchy/miekiem...ols/LQfirst.bfu
http://users.telenet.be/bluepatchy/miekiem...ls/LQsecond.bfu

#10 Flora

Flora
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:08:12 AM

Posted 14 November 2005 - 03:22 PM

Hi. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 12:33:35, on 20/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\SpywareDetectorSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\windat.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
D:\Program Files\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SYSCFG16.EXE
C:\windows\adtech2005.exe
C:\WINDOWS\System32\SDSystemTray.exe
C:\Program Files\SpywareDetector\SDMonitor.exe
C:\WINDOWS\System32\scchost.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\etb\pokapoka79.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\vtstt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitehfe32.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\WINDOWS\System32\SDSystemTray.exe
O4 - HKLM\..\Run: [MonitorSD] C:\Program Files\SpywareDetector\SDMonitor.exe
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\WINDOWS\System32\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [23 etadpU tfosorciM] wininit32.exe
O4 - HKLM\..\Run: [Alive SYstem] C:\WINDOWS\System32\scchost.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKLM\..\RunServices: [google] google.exe
O4 - HKLM\..\RunServices: [23 etadpU tfosorciM] wininit32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128378889312
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37390.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://theushers.multiply.com/photos/uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD30C97E-9B20-4F69-949F-049368C0EB7F}: NameServer = 80.189.92.2 80.189.94.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\ktr0l79m1.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\SYSTEM32\vtstt.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SG9hbmc\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Windows Anti Virus (MSAV32) - Unknown owner - C:\WINDOWS\MSAV32.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: winauthm (spdauth) - Unknown owner - C:\WINDOWS\spdauth.exe
O23 - Service: wincheck (spdcheck) - Unknown owner - C:\WINDOWS\spdcheck.exe
O23 - Service: SpyDetectSVC - Max Secure Technologies - C:\WINDOWS\System32\SpywareDetectorSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Archiver (winarc) - Unknown owner - C:\WINDOWS\windat.exe

#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:12 AM

Posted 14 November 2005 - 11:40 PM

I would uninstall Spyware Detector from add/remove programs. There are better programs, in my opinion, that I will tell you about later.

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\vtstt.dll
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitehfe32.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKLM\..\Run: [23 etadpU tfosorciM] wininit32.exe
O4 - HKLM\..\Run: [Alive SYstem] C:\WINDOWS\System32\scchost.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKLM\..\RunServices: [google] google.exe
O4 - HKLM\..\RunServices: [23 etadpU tfosorciM] wininit32.exe
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\ktr0l79m1.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\SYSTEM32\vtstt.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SG9hbmc\command.exe (file missing)
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Windows Anti Virus (MSAV32) - Unknown owner - C:\WINDOWS\MSAV32.exe
O23 - Service: winauthm (spdauth) - Unknown owner - C:\WINDOWS\spdauth.exe
O23 - Service: wincheck (spdcheck) - Unknown owner - C:\WINDOWS\spdcheck.exe
O23 - Service: SpyDetectSVC - Max Secure Technologies - C:\WINDOWS\System32\SpywareDetectorSVC.exe
O23 - Service: Windows Archiver (winarc) - Unknown owner - C:\WINDOWS\windat.exe

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\System32\vtstt.dll
C:\WINDOWS\SYSCFG16.EXE
C:\windows\system32\elitehfe32.exe
C:\windows\timessquare.exe
C:\windows\adtech2005.exe
c:\windows\wininit32.exe
C:\WINDOWS\System32\scchost.exe
C:\WINDOWS\SYSCFG16.EXE
C:\WINDOWS\etb\
c:\windows\system32\google.exe
C:\WINDOWS\system32\ktr0l79m1.dll
C:\WINDOWS\SYSTEM32\vtstt.dll
C:\WINDOWS\MSAV32.exe
C:\WINDOWS\spdauth.exe
C:\WINDOWS\spdcheck.exe
C:\WINDOWS\windat.exe

Reboot your computer to go back to normal mode and post a new log.

#12 Flora

Flora
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:08:12 AM

Posted 15 November 2005 - 09:11 PM

Thanks. I have now uninstalled Spyware Detector (wish I found you earlier before paying for it through desperation!). I look forward to your recommendations on softwares to help protect my PC. Adwares are taking over as I type this, but it appears to be less frequent. I have followed your instruction and here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 02:05:32, on 16/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.clicktomakeasearch.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\System32\awtss.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128378889312
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37390.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://theushers.multiply.com/photos/uploader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awtss - C:\WINDOWS\System32\awtss.dll
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\gp2ml3f11.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SG9hbmc\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Windows Anti Virus (MSAV32) - Unknown owner - C:\WINDOWS\MSAV32.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: winauthm (spdauth) - Unknown owner - C:\WINDOWS\spdauth.exe (file missing)
O23 - Service: wincheck (spdcheck) - Unknown owner - C:\WINDOWS\spdcheck.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Archiver (winarc) - Unknown owner - C:\WINDOWS\windat.exe (file missing)

#13 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:12 AM

Posted 16 November 2005 - 10:33 AM

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.clicktomakeasearch.com/sp2.php
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\System32\awtss.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: awtss - C:\WINDOWS\System32\awtss.dll
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\gp2ml3f11.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SG9hbmc\command.exe (file missing)
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Windows Anti Virus (MSAV32) - Unknown owner - C:\WINDOWS\MSAV32.exe (file missing)
O23 - Service: winauthm (spdauth) - Unknown owner - C:\WINDOWS\spdauth.exe (file missing)
O23 - Service: wincheck (spdcheck) - Unknown owner - C:\WINDOWS\spdcheck.exe (file missing)
O23 - Service: Windows Archiver (winarc) - Unknown owner - C:\WINDOWS\windat.exe (file missing)

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)


C:\WINDOWS\system32\gp2ml3f11.dll
C:\WINDOWS\SG9hbmc\command.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\MSAV32.exe
C:\WINDOWS\spdauth.exe
C:\WINDOWS\spdcheck.exe
C:\WINDOWS\windat.exe

Reboot your computer to go back to normal mode.

Now,

Please download and install the program Registry Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under programs portion of the Start Menu.

Once it is opened, copy and paste the below line, into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

And press enter. You will now be presented with new information in the bottom right and left sections and on the right section.

Right click on winarc and delete it. Then delete the following other services:

spdcheck
spdauth
MSAV32
lsass
cmdService

Finally,

Download this tool and save it to your desktop. Then double click the tool and follow the instructions.

http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

When its done, reboot and post the log that is created on your desktop called VBG.TXT along with a new hijackthis log.

#14 Flora

Flora
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:08:12 AM

Posted 16 November 2005 - 03:21 PM

Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 14:54:38, on 16/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\System32\awtss.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128378889312
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37390.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://theushers.multiply.com/photos/uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD30C97E-9B20-4F69-949F-049368C0EB7F}: NameServer = 80.189.92.2 80.189.94.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awtss - C:\WINDOWS\System32\awtss.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\dn8u01l9e.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe







[11/16/2005, 13:34:59] - Starting Process...
[11/16/2005, 13:34:59] - Looking for Browser Helper Object [MSEvents Object]
[11/16/2005, 13:34:59] - 1: {B313D637-F405-4052-AC37-E2119AB3C8F8} - MSEvents Object
[11/16/2005, 13:34:59] - Found MSEvents Object!
[11/16/2005, 13:34:59] - File location: C:\WINDOWS\System32\awtss.dll
[11/16/2005, 13:34:59] - Attempting to kill C:\WINDOWS\System32\awtss.dll
[11/16/2005, 13:34:59] - Terminating Process: RUNDLL32.EXE
[11/16/2005, 13:34:59] - Terminating Process: IEXPLORE.EXE
[11/16/2005, 13:34:59] - Disabling Automatic Shell Restart
[11/16/2005, 13:35:00] - Terminating Process: EXPLORER.EXE
[11/16/2005, 13:35:00] - Suspending the NT Session Manager System Service
[11/16/2005, 13:35:00] - Terminating Windows NT Logon/Logoff Manager
[11/16/2005, 13:35:00] - Re-enabling Automatic Shell Restart
[11/16/2005, 13:35:00] - Renaming C:\WINDOWS\System32\awtss.dll -> C:\WINDOWS\System32\awtss.dll.vir
[11/16/2005, 13:35:00] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/16/2005, 13:35:00] - Removing Registry references to {B313D637-F405-4052-AC37-E2119AB3C8F8}
[11/16/2005, 13:35:00] - Adding Internet Explorer Protection (Kill ActiveX) for {B313D637-F405-4052-AC37-E2119AB3C8F8}
[11/16/2005, 13:35:00] - Removing Winlogon Notify Entry: awtss
[11/16/2005, 13:35:00] - BHO list has been changed! Starting over...
[11/16/2005, 13:35:00] - Finished searching for [MSEvents Object]
[11/16/2005, 13:35:00] - Finishing up...
[11/16/2005, 13:35:00] - Enabling Automatic Reboot on STOP Error.
[11/16/2005, 13:35:00] - Attempting to Restart via STOP error (Blue Screen!)

#15 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:12 AM

Posted 16 November 2005 - 04:41 PM

We are almost there. Shutdown IE and run VirtumundoBeGone.exe again and then reboot and post its log.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users