
Infected With Some Virus..



#1 Forg0t


Posted 11 December 2005 - 12:55 AM

Logfile of HijackThis v1.99.1
Scan saved at 1:43:59 PM, on 12/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\Edwin\LOCALS~1\Temp\SERVICES.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Edwin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O1 - Hosts: 255.255.255.255 www.symantec.com
O1 - Hosts: 255.255.255.255 securityresponse.symantec.com
O1 - Hosts: 255.255.255.255 symantec.com
O1 - Hosts: 255.255.255.255 mcafee.com
O1 - Hosts: 255.255.255.255 sophos.com
O1 - Hosts: 255.255.255.255 liveupdate.symantecliveupdate.com
O1 - Hosts: 255.255.255.255 viruslist.com
O1 - Hosts: 255.255.255.255 f-secure.com
O1 - Hosts: 255.255.255.255 kaspersky.com
O1 - Hosts: 255.255.255.255 kaspersky-labs.com
O1 - Hosts: 255.255.255.255 www.avp.com
O1 - Hosts: 255.255.255.255 networkassociates.com
O1 - Hosts: 255.255.255.255 ca.com
O1 - Hosts: 255.255.255.255 mast.mcafee.com
O1 - Hosts: 255.255.255.255 my-etrust.com
O1 - Hosts: 255.255.255.255 download.mcafee.com
O1 - Hosts: 255.255.255.255 dispatch.mcafee.com
O1 - Hosts: 255.255.255.255 secure.nai.com
O1 - Hosts: 255.255.255.255 nai.com
O1 - Hosts: 255.255.255.255 vil.nai.com
O1 - Hosts: 255.255.255.255 update.symantec.com
O1 - Hosts: 255.255.255.255 updates.symantec.com
O1 - Hosts: 255.255.255.255 us.mcafee.com
O1 - Hosts: 255.255.255.255 liveupdate.symantec.com
O1 - Hosts: 255.255.255.255 customer.symantec.com
O1 - Hosts: 255.255.255.255 rads.mcafee.com
O1 - Hosts: 255.255.255.255 grisoft.com
O1 - Hosts: 255.255.255.255 microsoft.com
O1 - Hosts: 255.255.255.255 norton-anti-virus-ic.com
O1 - Hosts: 255.255.255.255 drsolomon.com
O1 - Hosts: 255.255.255.255 europe.f-secure.com
O1 - Hosts: 255.255.255.255 ftp.symantec.com
O1 - Hosts: 255.255.255.255 trend.com
O1 - Hosts: 255.255.255.255 antivirus.com
O1 - Hosts: 255.255.255.255 pspl.com
O1 - Hosts: 255.255.255.255 commandcom.com
O1 - Hosts: 255.255.255.255 avp.ch
O1 - Hosts: 255.255.255.255 www.pandasoftware.com
O1 - Hosts: 255.255.255.255 virusscan.jotti.org
O1 - Hosts: 255.255.255.255 kaspersky.com/scanforvirus
O1 - Hosts: 255.255.255.255 kaspersky.com/scanforvirus
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [LSASS] C:\WINDOWS\system32\drivers\LSASS.EXE
O4 - HKLM\..\Run: [CSRSS] C:\WINDOWS\system32\drivers\CSRSS.EXE
O4 - HKLM\..\Run: [SERVICES] C:\WINDOWS\system32\drivers\SERVICES.EXE
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [SMSS] C:\WINDOWS\system32\drivers\SMSS.EXE
O4 - HKLM\..\RunServices: [LSASS] C:\WINDOWS\system32\drivers\LSASS.EXE
O4 - HKLM\..\RunServices: [CSRSS] C:\WINDOWS\system32\drivers\CSRSS.EXE
O4 - HKLM\..\RunServices: [SERVICES] C:\WINDOWS\system32\drivers\SERVICES.EXE
O4 - HKLM\..\RunServices: [SMSS] C:\WINDOWS\system32\drivers\SMSS.EXE
O4 - HKCU\..\Run: [CSRSS] C:\WINDOWS\system32\drivers\CSRSS.EXE
O4 - HKCU\..\Run: [LSASS] C:\WINDOWS\system32\drivers\LSASS.EXE
O4 - HKCU\..\Run: [SERVICES] C:\WINDOWS\system32\drivers\SERVICES.EXE
O4 - HKCU\..\Run: [SMSS] C:\WINDOWS\system32\drivers\SMSS.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AVUPD32_EN.VBS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.google.com.sg
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: CTFFMON - CTFFMON.dll (file missing)
O20 - Winlogon Notify: win_spool - win_spool.dll (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--------------------------------

Hope you can help me.. I am waiting for you Malware Experts to help! :thumbsup: Take your time, no hurry.. I know that my computer is full of viruses and it is loading very slowly now.. Also I have just scanned my computer with Ad-Aware, Spybot & BitDefender. I enabled my firewall and have HijackThis on my computer.. The HouseCall & Panda Anti Virus websites cannot open for me.. Don't know why.. But never mind, just teach me how to delete them!

Thanks in advance.


#2 MFDnSC

Ret. Director I/T

Posted 11 December 2005 - 02:26 PM

You're in really bad shape!!!!!

Download Hoster from here:
www.funkytoad.com/download/hoster.zip
Run the program Hoster and press Restore Original Hosts, OK, and Exit Program.

Now see if you can get the free AVG AntiVirus, as you have no realtime protection.

Get the free AVG 7 install it, check for updates and run a full scan

AVG 7 - http://free.grisoft.com/freeweb.php/doc/2/

Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
· Install ewido.
· During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
· Launch ewido
· It will prompt you to update click the OK button and it will go to the main screen
· On the left side of the main screen click update
· Click on Start and let it update.
· DO NOT run a scan yet. You will do that later in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:
(Start tapping F8 at the first black screen after power up)

Run Ewido:
· Click on scanner
· Click Complete System Scan and the scan will begin.
· During the scan it will prompt you to clean files, click OK
· When the scan is finished, look at the bottom of the screen and click the Save report button.
· Save the report to your C: Drive
This will take some time to run!
Boot to normal mode.
Post that log and a new HijackThis log.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
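The two things the helper is reacting to in the first log are the O1 Hosts lines that null-route every security vendor (which is why HouseCall and Panda would not load) and the O4 autostart entries that reuse core Windows process names from System32\drivers and a Temp folder. The triage script below, written for this thread as an added example (not HijackThis, ewido or BleepingComputer code), flags both patterns in a HijackThis v1.99-style log; the vendor keyword list, the sinkhole addresses other than 255.255.255.255, the assumed C:\WINDOWS system root and the sample excerpt are constructed assumptions.

```python
"""Triage helper for a HijackThis v1.99-style log (added example, not code
from HijackThis, ewido or BleepingComputer).

Flags two patterns visible in the log posted above:
  * O1 Hosts entries pointing security vendor domains at a sinkhole address;
  * O4 autostart entries and running processes whose file name copies a core
    Windows process (LSASS, SMSS, ...) but which live outside System32 itself.
"""
import re
from typing import Dict, List

# Vendor keywords: an assumption drawn from the O1 lines in the thread's log.
SECURITY_VENDORS = ("symantec", "mcafee", "sophos", "kaspersky", "f-secure",
                    "avp", "nai.com", "grisoft", "trend", "pandasoftware",
                    "jotti", "microsoft", "bitdefender", "drsolomon", "ca.com")

# 255.255.255.255 is what the log shows; the other two are assumed additions
# covering the common hosts-file null-route variants.
SINKHOLES = {"255.255.255.255", "127.0.0.1", "0.0.0.0"}

# Core processes that only legitimately start from %SystemRoot%\System32.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "lsass.exe", "services.exe",
                  "winlogon.exe", "svchost.exe"}
SYSTEM32 = "c:\\windows\\system32\\"   # assumed system root, as in the log

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)$", re.I)
RUN_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]+)\]\s+"?([^"]+?\.exe)', re.I)
PROC_RE = re.compile(r"^([A-Za-z]:\\.+\.exe)$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_system32(path: str) -> bool:
    """True only for files directly inside System32, not in a subfolder."""
    p = path.lower()
    return p.startswith(SYSTEM32) and "\\" not in p[len(SYSTEM32):]


def triage(log: str) -> Dict[str, List[str]]:
    """Return the suspicious lines grouped by the pattern they matched."""
    findings: Dict[str, List[str]] = {
        "hosts_block": [], "masquerade_autostart": [], "masquerade_process": []}
    for raw in log.splitlines():
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip in SINKHOLES and any(v in host.lower() for v in SECURITY_VENDORS):
                if host not in findings["hosts_block"]:   # the log repeats the block
                    findings["hosts_block"].append(host)
            continue
        m = RUN_RE.match(line)
        if m:
            hive, key, name, exe = m.groups()
            if basename(exe) in CORE_PROCESSES and not in_system32(exe):
                findings["masquerade_autostart"].append(f"{hive}\\..\\{key}: [{name}] {exe}")
            continue
        m = PROC_RE.match(line)
        if m and basename(m.group(1)) in CORE_PROCESSES and not in_system32(m.group(1)):
            findings["masquerade_process"].append(m.group(1))
    return findings


# Constructed excerpt modelled on the first log in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\DOCUME~1\Edwin\LOCALS~1\Temp\SERVICES.EXE
C:\Program Files\Mozilla Firefox\firefox.exe

O1 - Hosts: 255.255.255.255 www.symantec.com
O1 - Hosts: 255.255.255.255 liveupdate.symantecliveupdate.com
O1 - Hosts: 255.255.255.255 www.symantec.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [LSASS] C:\WINDOWS\system32\drivers\LSASS.EXE
O4 - HKLM\..\RunServices: [SMSS] C:\WINDOWS\system32\drivers\SMSS.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""

if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("   ", item)
```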

#3 Forg0t


Posted 12 December 2005 - 12:52 AM

WOW! I can't believe it.. I thought it was just an illusion.. 133 virus files cleaned!

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:31:07 PM, 12/12/2005
+ Report-Checksum: AE33BF7E

+ Scan result:

C:\WINDOWS\SYSTEM32\DRIVERS\SERVICES.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\WINDOWS\SYSTEM32\DRIVERS\LSASS.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\WINDOWS\SYSTEM32\DRIVERS\CSRSS.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\WINDOWS\SYSTEM32\DRIVERS\SMSS.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\Program Files\Common Files\services.exe -> Spyware.Maxifiles : Cleaned with backup
C:\FOUND.017\FILE0006.CHK -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\EDWIN SIN\Cookies\edwin sin@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\EDWIN SIN\Cookies\edwin sin@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\EDWIN SIN\Cookies\edwin sin@ehg-kodak.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\EDWIN SIN\Cookies\edwin sin@sales.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Edwin\Local Settings\Temp\SERVICES.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\Documents and Settings\Edwin\Cookies\edwin@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Edwin\to.exe -> Dropper.VB.is : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP440\A0222514.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP441\A0222531.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP442\A0222569.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP442\A0223567.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP442\A0223568.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP442\A0224564.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP442\A0224581.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP442\A0225580.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP442\A0225588.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP442\A0225962.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP454\A0239945.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP455\A0240944.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP456\A0241944.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP456\A0242946.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP426\A0216063.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP426\A0216064.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP426\A0217063.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP426\A0217064.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP428\A0217491.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP428\A0217511.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP428\A0217514.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP428\A0217528.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP428\A0218523.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP428\A0218525.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP428\A0219529.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP428\A0219550.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP430\A0219609.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP430\A0219610.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP430\A0219642.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP430\A0219643.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP431\A0220048.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP431\A0220049.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP432\A0220065.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP433\A0220083.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP433\A0220102.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP433\A0220118.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP433\A0220119.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP434\A0220146.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP434\A0220147.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP434\A0220164.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP434\A0220180.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP434\A0220201.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP434\A0220255.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP435\A0220278.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP435\A0221276.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP436\A0222275.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP436\A0222295.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP436\A0222296.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP437\A0222321.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP437\A0222337.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP438\A0222365.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP438\A0222382.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP438\A0222399.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP438\A0222404.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP439\A0222441.exe -> Adware.AdSquash : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP439\A0222442.dll -> Trojan.Agent.db : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP439\A0222443.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP439\A0222459.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP439\A0222461.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP439\A0222478.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP443\A0226017.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP443\A0226019.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP443\A0227039.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP443\A0227040.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP443\A0227059.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP443\A0227060.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP443\A0227077.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP443\A0227078.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP444\A0227110.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP444\A0227111.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP444\A0228076.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP444\A0228077.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP444\A0228098.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP444\A0228099.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP444\A0229098.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP444\A0229099.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP444\A0229117.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP444\A0229118.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP444\A0230117.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP444\A0230118.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP445\A0230150.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP445\A0230151.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP445\A0230154.exe -> Adware.AdSquash : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP445\A0230155.dll -> Trojan.Agent.db : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP445\A0230156.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP445\A0231155.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP445\A0231157.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP445\A0231231.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP445\A0231237.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP446\A0232234.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP446\A0232240.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP446\A0232266.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP447\A0232274.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP447\A0232286.dll -> Trojan.Agent.ic : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP447\A0232290.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP447\A0232294.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP447\A0232295.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP447\A0232304.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP447\A0232305.EXE -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP447\A0232306.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP447\A0233304.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP447\A0233306.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP448\A0233317.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP448\A0233332.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP449\A0234332.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP451\A0236344.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP451\A0237343.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP451\A0238343.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP451\A0238385.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP451\A0238393.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP451\A0238415.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP452\A0238429.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP452\A0238451.exe -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP452\A0238452.exe -> Dropper.Paradrop.a : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP452\A0238453.exe -> Dropper.Paradrop.a : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP452\A0238454.exe -> Dropper.Paradrop.a : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP452\A0238467.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP452\A0239477.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP452\A0239488.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP453\A0239511.EXE -> Heuristic.Win32.AVKiller : Cleaned with backup


::Report End

------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:38:59 PM, on 12/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Edwin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CSRSS] C:\WINDOWS\system32\drivers\CSRSS.EXE
O4 - HKCU\..\Run: [LSASS] C:\WINDOWS\system32\drivers\LSASS.EXE
O4 - HKCU\..\Run: [SERVICES] C:\WINDOWS\system32\drivers\SERVICES.EXE
O4 - HKCU\..\Run: [SMSS] C:\WINDOWS\system32\drivers\SMSS.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AVUPD32_EN.VBS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.google.com.sg
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: CTFFMON - CTFFMON.dll (file missing)
O20 - Winlogon Notify: win_spool - win_spool.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

Bleh.. Computer loaded a bit faster..

#4 MFDnSC (Ret. Director I/T, Members, 4,310 posts)

Posted 12 December 2005 - 09:39 AM

Please post the next log from Normal NOT safe mode.

Fix these with HJT – mark them, close IE, click fix checked

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll (file missing)

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto

O4 - HKCU\..\Run: [CSRSS] C:\WINDOWS\system32\drivers\CSRSS.EXE

O4 - HKCU\..\Run: [LSASS] C:\WINDOWS\system32\drivers\LSASS.EXE

O4 - HKCU\..\Run: [SERVICES] C:\WINDOWS\system32\drivers\SERVICES.EXE

O4 - HKCU\..\Run: [SMSS] C:\WINDOWS\system32\drivers\SMSS.EXE

O4 - Global Startup: AVUPD32_EN.VBS

O20 - Winlogon Notify: CTFFMON - CTFFMON.dll (file missing)

O20 - Winlogon Notify: win_spool - win_spool.dll (file missing)

Download http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\system32\drivers\CSRSS.EXE
C:\WINDOWS\system32\drivers\LSASS.EXE
C:\WINDOWS\system32\drivers\SERVICES.EXE
C:\WINDOWS\system32\drivers\SMSS.EXE

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Now paste these folders in and then make sure Deltree is checked before hitting the red x

C:\Program Files\winupdate

START – RUN – type in %temp% OK - Edit – Select all – File – Delete
Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp
Empty the recycle bin
Boot
Do this

http://www.kaspersky.com/virusscanner - Online scan

When the scan is finished Save the results from the scan!

Post a new HiJackThis log along with the results from Kaspersky scan


Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
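The entries MFDnSC lists above share one trick: the loaders are named after core Windows processes (smss, csrss, lsass, services) but sit in system32\drivers and are started from HKCU Run keys, and a .VBS script sits in the all-users Startup folder. The genuine processes are started by the kernel and by winlogon, never from a Run key, so a core process name in an O4 line is suspicious on its own. The script below is an added example, not part of this thread and not a HijackThis feature: it parses HJT-format O2/O3/O4/O20 lines and flags those patterns. The expected-directory table is an assumption for a default Windows XP install at C:\WINDOWS; the sample lines are copied from the log posted earlier in the thread.

```python
"""Triage HijackThis (HJT) log lines for the persistence tricks seen in this thread.

Added example (editor's heuristics, not HijackThis code). Flags:
  * O4 Run-key entries whose image is named after a core Windows process
  * script files (.vbs, .bat, ...) in the all-users Startup folder
  * O2/O3/O20 registry hooks whose file is gone but whose key remains
"""
import ntpath
import re

# Assumption: default Windows XP layout. Core binaries are started by the kernel or by
# winlogon and never from a Run key; their legitimate directory is listed here.
CORE_PROCESS_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".hta"}

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$", re.I)
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<file>.+)$", re.I)
ORPHAN_RE = re.compile(r"^O(?:2|3|20) - .*\((?:no file|file missing)\)$", re.I)
# Image path at the start of a command line, quoted or not, up to the first known extension.
IMAGE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|scr|pif|dll|vbs|js|bat|cmd))(?=["\s]|$)', re.I)


def image_path(cmd):
    """Return the image path from a Run-key command line, or None if none is recognisable."""
    m = IMAGE_RE.match(cmd.strip())
    return m.group("path") if m else None


def triage(lines):
    """Return (severity, reason, line) findings for the HJT lines given, in input order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            path = image_path(m.group("cmd"))
            if path is None:
                continue
            base = ntpath.basename(path).lower()
            if base in CORE_PROCESS_DIR:
                expected = CORE_PROCESS_DIR[base]
                where = ("outside " + expected if ntpath.dirname(path).lower() != expected
                         else "at its normal path")
                findings.append(("high", "core process name %s launched from a Run key, %s"
                                 % (base, where), line))
            continue
        m = STARTUP_RE.match(line)
        if m:
            if ntpath.splitext(m.group("file"))[1].lower() in SCRIPT_EXT:
                findings.append(("high", "script in the all-users Startup folder: "
                                 + m.group("file"), line))
            continue
        if ORPHAN_RE.match(line):
            # The DLL is gone but the key still points at it; HJT "fix checked" removes the key.
            sev = "medium" if line.startswith("O20 ") else "low"
            findings.append((sev, "hook whose file is gone; the registry key still needs removing", line))
    return findings


# Constructed input: entries copied from the HJT log posted earlier in this thread.
HJT_SAMPLE = [
    r"O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)",
    r"O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)",
    r"O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O4 - HKCU\..\Run: [CSRSS] C:\WINDOWS\system32\drivers\CSRSS.EXE",
    r"O4 - HKCU\..\Run: [LSASS] C:\WINDOWS\system32\drivers\LSASS.EXE",
    r"O4 - HKCU\..\Run: [SERVICES] C:\WINDOWS\system32\drivers\SERVICES.EXE",
    r"O4 - HKCU\..\Run: [SMSS] C:\WINDOWS\system32\drivers\SMSS.EXE",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe",
    r'O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background',
    r"O4 - Global Startup: AVUPD32_EN.VBS",
    r"O20 - Winlogon Notify: CTFFMON - CTFFMON.dll (file missing)",
    r"O20 - Winlogon Notify: win_spool - win_spool.dll (file missing)",
]

if __name__ == "__main__":
    for sev, reason, line in triage(HJT_SAMPLE):
        print("[%s] %s\n    %s" % (sev.upper(), reason, line))
```

Run against the sample it flags the four drivers\*.EXE loaders and the Startup-folder script as high, the two Winlogon Notify hooks as medium and the two dead BHO/toolbar entries as low, while leaving ctfmon, MSN Messenger and AVG alone. The winupdate entry is not caught by any rule here; that one was identified by hand from its name and location, which is why a log review still needs a person.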

#5 Forg0t (Topic Starter, Members, 59 posts)

Posted 12 December 2005 - 10:24 PM

I was just wondering why I cannot fix "O4 - Global Startup: AVUPD32_EN.VBS" in HijackThis. My computer is still loading very slowly. And also I can't delete C:\WINDOWS\system32\drivers\CSRSS.EXE, C:\WINDOWS\system32\drivers\LSASS.EXE, C:\WINDOWS\system32\drivers\SERVICES.EXE, C:\WINDOWS\system32\drivers\SMSS.EXE and C:\Program Files\winupdate! It kept saying they don't exist. But never mind, here is the log.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, December 13, 2005 11:16:42
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 13/12/2005
Kaspersky Anti-Virus database records: 154858
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\

Scan Statistics:
Total number of scanned objects: 39191
Number of viruses found: 4
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 3804 sec

Infected Object Name - Virus Name
C:\WINDOWS\SYSTEM32\wsock32.sys Infected: Backdoor.Win32.Ciadoor.13
C:\WINDOWS\SYSTEM32\scvhost.exe Infected: Backdoor.Win32.Ciadoor.13
C:\WINDOWS\SYSTEM32\3Q8elvTeoQ.ini Infected: Backdoor.Win32.Ciadoor.13
C:\Documents and Settings\Edwin\Application Data\Thunderbird\Profiles\2qyrgyg0.default\Mail\Local Folders\Trash/[From eh.forg0t@gmail.com][Date Sat, 16 Jul 2005 00:08:14 -0700]/text/[From Edwin Sin <eh.forg0t@gmail.com>][Date Fri, 05 Aug 2005 14:58:28 +0800]/Click-Catch.zip/Click-Catch.exe/rinst.exe Infected: Trojan.Win32.KillAV.gc
C:\Documents and Settings\Edwin\Application Data\Thunderbird\Profiles\2qyrgyg0.default\Mail\Local Folders\Trash/[From eh.forg0t@gmail.com][Date Sat, 16 Jul 2005 00:08:14 -0700]/text/[From Edwin Sin <eh.forg0t@gmail.com>][Date Fri, 05 Aug 2005 14:58:28 +0800]/Click-Catch.zip/Click-Catch.exe Infected: Trojan.Win32.KillAV.gc
C:\Documents and Settings\Edwin\Application Data\Thunderbird\Profiles\2qyrgyg0.default\Mail\Local Folders\Trash/[From eh.forg0t@gmail.com][Date Sat, 16 Jul 2005 00:08:14 -0700]/text/[From Edwin Sin <eh.forg0t@gmail.com>][Date Fri, 05 Aug 2005 14:58:28 +0800]/Click-Catch.zip Infected: Trojan.Win32.KillAV.gc
C:\Documents and Settings\Edwin\Application Data\Thunderbird\Profiles\2qyrgyg0.default\Mail\Local Folders\Trash/[From eh.forg0t@gmail.com][Date Sat, 16 Jul 2005 00:08:14 -0700]/text Infected: Trojan.Win32.KillAV.gc
C:\Documents and Settings\Edwin\Application Data\Thunderbird\Profiles\2qyrgyg0.default\Mail\Local Folders\Trash Infected: Trojan.Win32.KillAV.gc
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP431\A0220038.exe Infected: Trojan.Win32.Stervis.l
C:\System Volume Information\_restore{1D891DDD-DAFB-47FC-B54A-1A7AEC092F5E}\RP438\A0222436.dll Infected: Trojan.Win32.Agent.db

Scan process completed.

------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:26:41 AM, on 12/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Edwin\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AVUPD32_EN.VBS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.google.com.sg
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

#6 MFDnSC (Ret. Director I/T, Members, 4,310 posts)

Posted 13 December 2005 - 06:26 PM

Go to

C:\Documents and Settings\All Users\Start Menu

And remove that entry

You may have to go to, in Windows Explorer, tools - options - view and enable show hidden files/folders

#7 Forg0t (Topic Starter, Members, 59 posts)

Posted 13 December 2005 - 09:48 PM

Erm.. I enabled show hidden files/folders.. But when I go to C:\Documents and Settings\All Users\Start Menu, I can't find anything! I only see "Program"

Here is a new log from HJT!

Logfile of HijackThis v1.99.1
Scan saved at 10:45:12 AM, on 12/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Edwin\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AVUPD32_EN.VBS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.google.com.sg
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

#8 MFDnSC (Ret. Director I/T, Members, 4,310 posts)

Posted 14 December 2005 - 11:20 AM

Use kill box as we did before to delete

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AVUPD32_EN.VBS

#9 Forg0t (Topic Starter, Members, 59 posts)

Posted 14 December 2005 - 08:25 PM

Good.. I deleted it! I also fixed some things with HJT as I followed this website: http://forums.spywareinfo.com/lofiversion/index.php/t46585.html. But never mind, here is my new log.. See if there is any virus.. I'll go and try whether my computer is loading back to normal or slow again..

Just to tell you that there is an extra rundll32.exe appearing in my running processes; it is because I cannot find my CD-ROM thingy.. Like once I put in a CD, nothing will happen, because some virus damaged the registry and caused it not to work. I am now figuring out how to make it work. Every startup, rundll32.exe will keep saying "Found New HardDrive..Media"

Logfile of HijackThis v1.99.1
Scan saved at 9:16:49 AM, on 12/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Edwin\Desktop\XhiddenX Dumps\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.google.com.sg
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

#10 MFDnSC (Ret. Director I/T, Members, 4,310 posts)

Posted 14 December 2005 - 08:34 PM

What have you done - AVG is no longer there - you should not run without an active Antivirus

Get all of these and/or verify you have the current versions

SpywareBlaster 3.4 http://majorgeeks.com/download2859.html
SpyBot V1.4 http://www.majorgeeks.com/download2471.html
AdAware SE 1.06 http://www.majorgeeks.com/download506.html
MS AntiSpy - http://www.microsoft.com/downloads/details...&displaylang=en (XP and W2K only)

Download them (they are free), install them, check each for their definition updates and then run AdAware, MS AntiSpy (W2k/XP) and Spybot, fixing anything they say.

In SpywareBlaster - Always enable all protection after updates
In SpyBot - After an update run immunize

#11 Forg0t (Topic Starter, Members, 59 posts)

Posted 14 December 2005 - 09:24 PM

OK OK.. I keep AVG as my active antivirus.. But after I have scanned all and posted all the logs here, can I delete them except AVG.. =X

Also, thanks for your quick response..

Edited by Forg0t, 14 December 2005 - 10:24 PM.


#12 MFDnSC (Ret. Director I/T, Members, 4,310 posts)

Posted 14 December 2005 - 09:28 PM

Don't understand your response - AVG was not in the last log

Get those tools I listed, check for updates - run them fixing all

boot and post a new log

#13 Forg0t (Topic Starter, Members, 59 posts)

Posted 14 December 2005 - 10:25 PM

How do I scan with SpywareBlaster?

#14 MFDnSC (Ret. Director I/T, Members, 4,310 posts)

Posted 14 December 2005 - 10:27 PM

You don't; it sits in the background protecting you - all you need to do is check it for updates and enable protection

#15 Forg0t (Topic Starter, Members, 59 posts)

Posted 14 December 2005 - 10:33 PM

OK good.. My computer is loading a bit faster.. Here is a new log..

Logfile of HijackThis v1.99.1
Scan saved at 11:29:45 AM, on 12/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Edwin\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.google.com.sg
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe



