

Hijackthis Log - Ad.oinadserver Popups


11 replies to this topic

#1 aph

aph

  • Members
  • 6 posts

Posted 18 April 2006 - 09:40 AM

Hi guys

I've followed the instructions prior to joining up with these boards, so I sincerely hope you can help.

I am constantly getting popups with ad.oinadserver.com... and this is probably due to my carelessness. Yah. Noobville - population: me.

Below is my HijackThis log

Thanks in advance...

Logfile of HijackThis v1.99.1
Scan saved at 12:05:05 AM, on 19/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\WINDOWS\SSEMBL~1\smss.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\RaConfig2500.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\r?ndll.exe
C:\Program Files\Mozilla Firefox\plugins\GetFlash.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tpg.com.au
R3 - URLSearchHook: (no name) - {A3C746DC-AD65-CEEB-1E86-F45A644F11C0} - C:\WINDOWS\system32\hggsvkk.dll
R3 - URLSearchHook: (no name) - {A2C746DB-AD65-CA99-1EF9-FD5A6D3911B7} - C:\WINDOWS\system32\hggsvkk.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07CC50B2-BA5A-D8A9-2C09-B7CE64B8BBEB} - C:\WINDOWS\system32\ebensk.dll (file missing)
O2 - BHO: (no name) - {108AE18C-5265-6297-42CA-5BA021FFFDEA} - C:\WINDOWS\system32\luxe.dll (file missing)
O2 - BHO: (no name) - {118AE1FC-5264-67E3-42C3-24A05CF6FD92} - C:\WINDOWS\system32\luxe.dll (file missing)
O2 - BHO: (no name) - {22945997-E55E-8180-232A-BDCE1FEFE89A} - C:\WINDOWS\system32\ntcsq.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {A2C746DB-AD65-CA99-1EF9-FD5A6D3911B7} - C:\WINDOWS\system32\hggsvkk.dll
O2 - BHO: (no name) - {A3C746DC-AD65-CEEB-1E86-F45A644F11C0} - C:\WINDOWS\system32\hggsvkk.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {EE5B04B0-E208-D3F0-7DEF-BC9EF13151B8} - C:\WINDOWS\system32\ump.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [mm_server] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [Cudhv] C:\WINDOWS\system32\r?ndll.exe
O4 - HKCU\..\Run: [Huot] "C:\WINDOWS\SSEMBL~1\smss.exe" -vt wnew
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RaConfig2500.lnk = C:\WINDOWS\system32\RaConfig2500.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tpg.com.au
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120782608999
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe


#2 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 23 April 2006 - 01:56 PM

Hello there,

*It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
It is important that you complete the following instructions in the correct order, and also that you don't miss anything out! :thumbsup:

* Please download Ewido anti-malware; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

Reboot into SAFE MODE
By pressing the F8 key right when Windows starts, usually right after you hear your computer
beep when you reboot it (some versions of Windows will display 'Starting Windows' with a grey progress bar),
you will be brought to a menu where you can choose to boot into safe mode.

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

R3 - URLSearchHook: (no name) - {A3C746DC-AD65-CEEB-1E86-F45A644F11C0} - C:\WINDOWS\system32\hggsvkk.dll
R3 - URLSearchHook: (no name) - {A2C746DB-AD65-CA99-1EF9-FD5A6D3911B7} - C:\WINDOWS\system32\hggsvkk.dll
O2 - BHO: (no name) - {07CC50B2-BA5A-D8A9-2C09-B7CE64B8BBEB} - C:\WINDOWS\system32\ebensk.dll (file missing)
O2 - BHO: (no name) - {108AE18C-5265-6297-42CA-5BA021FFFDEA} - C:\WINDOWS\system32\luxe.dll (file missing)
O2 - BHO: (no name) - {118AE1FC-5264-67E3-42C3-24A05CF6FD92} - C:\WINDOWS\system32\luxe.dll (file missing)
O2 - BHO: (no name) - {22945997-E55E-8180-232A-BDCE1FEFE89A} - C:\WINDOWS\system32\ntcsq.dll (file missing)
O2 - BHO: (no name) - {EE5B04B0-E208-D3F0-7DEF-BC9EF13151B8} - C:\WINDOWS\system32\ump.dll (file missing)
O4 - HKCU\..\Run: [Cudhv] C:\WINDOWS\system32\r?ndll.exe
O4 - HKCU\..\Run: [Huot] "C:\WINDOWS\SSEMBL~1\smss.exe" -vt wnew


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

* Open Ewido anti-malware
Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

* Please reboot back to normal mode and open notepad and copy and paste next in it:

rem look.bat: list C:\WINDOWS with its 8.3 short names, then look for the hidden r?ndll.exe
cd\
cd C:\Windows
rem /x prints the 8.3 short name next to each long name, which exposes folders whose
rem names contain characters that cannot be typed (such as the SSEMBL~1 folder in the log)
dir /x > C:\directory.txt
rem /a:h lists hidden files ("/a h" would be read as a separate file name "h");
rem the ? is a one-character wildcard, so it matches the untypeable character in the real name
dir C:\WINDOWS\system32\r?ndll.exe /a:h >> C:\directory.txt
start C:\directory.txt
exit

Save this as look.bat
Choose to save as all files.
This is how the batch must look afterwards: [screenshot]
Double-click look.bat and copy the contents of the text file that opens back here, and post a new HijackThis log and the ewido log.
David
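As an added illustration (not code from the thread, from David, or from HijackThis), the checks below encode the reasoning behind the checklist above: URLSearchHook (R3) and BHO (O2) entries with no registered name, and O4 autoruns whose path shows an unprintable character or launches a core Windows executable name from outside System32. The sample lines are copied from the first log in this thread; the System32 location and the core-process list are assumptions.

```python
"""Triage a HijackThis 1.99.1 log for the kinds of entries fixed in this thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Core Windows processes that legitimately run only from the System32 directory
# (assumes Windows is installed at C:\WINDOWS, as on the poster's machine).
CORE_SYSTEM_EXES = {"smss.exe", "csrss.exe", "winlogon.exe",
                    "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"

ENTRY_RE = re.compile(r"^(?P<section>R\d|O\d+) - (?P<body>.*)$")
# A Windows path up to its executable/library extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|scr|cpl)', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def _unprintable(path: str) -> bool:
    # HijackThis renders characters it cannot display as '?', which is otherwise
    # illegal in a Windows file name; a non-ASCII character is equally suspect.
    return "?" in path or any(ord(c) > 127 for c in path)


def _core_exe_outside_system32(path: str) -> bool:
    folder, _, name = path.rpartition("\\")
    return name.lower() in CORE_SYSTEM_EXES and folder.lower() != SYSTEM32


def triage_entry(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing looks wrong."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None  # header, blank or "Running processes" line
    section, body = m.group("section"), m.group("body")
    # Rule 1: URLSearchHook (R3) and BHO (O2) entries with no registered name.
    if section in ("R3", "O2") and "(no name)" in body:
        kind = "URLSearchHook" if section == "R3" else "BHO"
        return Finding(line, f"unidentified {kind} entry")
    # Rule 2: autorun (O4) entries pointing at impostor binaries.
    if section == "O4":
        for path in PATH_RE.findall(body):
            if _unprintable(path):
                return Finding(line, "autorun path contains an unprintable character")
            if _core_exe_outside_system32(path):
                return Finding(line, "core Windows executable name launched outside System32")
    return None


def triage(log_text: str) -> List[Finding]:
    findings = (triage_entry(l) for l in log_text.splitlines())
    return [f for f in findings if f is not None]


def flagged_lines(log_text: str) -> List[str]:
    return [f.line for f in triage(log_text)]


# Constructed sample: a selection of lines from the first log posted in this thread,
# mixing the entries the helper asked to be fixed with legitimate ones.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {A3C746DC-AD65-CEEB-1E86-F45A644F11C0} - C:\WINDOWS\system32\hggsvkk.dll
R3 - URLSearchHook: (no name) - {A2C746DB-AD65-CA99-1EF9-FD5A6D3911B7} - C:\WINDOWS\system32\hggsvkk.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07CC50B2-BA5A-D8A9-2C09-B7CE64B8BBEB} - C:\WINDOWS\system32\ebensk.dll (file missing)
O2 - BHO: (no name) - {108AE18C-5265-6297-42CA-5BA021FFFDEA} - C:\WINDOWS\system32\luxe.dll (file missing)
O2 - BHO: (no name) - {118AE1FC-5264-67E3-42C3-24A05CF6FD92} - C:\WINDOWS\system32\luxe.dll (file missing)
O2 - BHO: (no name) - {22945997-E55E-8180-232A-BDCE1FEFE89A} - C:\WINDOWS\system32\ntcsq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {EE5B04B0-E208-D3F0-7DEF-BC9EF13151B8} - C:\WINDOWS\system32\ump.dll (file missing)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cudhv] C:\WINDOWS\system32\r?ndll.exe
O4 - HKCU\..\Run: [Huot] "C:\WINDOWS\SSEMBL~1\smss.exe" -vt wnew
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""
```

Run over the sample, the rules return exactly the nine lines in the checklist above and leave the Java console button and the missing msnim handler alone.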

#3 aph

aph
  • Topic Starter

  • Members
  • 6 posts

Posted 24 April 2006 - 05:57 AM

hi and many thanks for your time :thumbsup:

below is my windows directory

Volume in drive C has no label.
Volume Serial Number is 08FE-2081

Directory of C:\WINDOWS

20/04/2006 10:34 PM <DIR> .
20/04/2006 10:34 PM <DIR> ..
24/04/2006 08:09 PM 0 0.log
18/01/2002 05:42 PM 112 ACTIVE~1.INI ActiveSkin.INI
11/05/2005 08:40 PM <DIR> addins
05/09/2003 03:49 PM 64,512 agrsmdel.exe
23/09/2003 06:36 PM 88,363 AGRSMMSG.exe
11/05/2005 08:45 PM <DIR> AppPatch
04/08/2004 09:30 PM 1,272 BLUELA~1.BMP Blue Lace 16.bmp
18/09/2005 01:46 PM 1,227 cdPlayer.ini
11/05/2005 11:12 AM 571 chipset.log
04/08/2004 09:30 PM 82,944 clock.avi
11/05/2005 10:52 AM 200 cmsetacl.log
04/08/2004 09:30 PM 17,062 COFFEE~1.BMP Coffee Bean.bmp
08/07/2005 10:12 AM 1,446 COM_~1.LOG COM+.log
17/04/2006 12:11 AM 133,738 comsetup.log
11/05/2005 08:40 PM <DIR> Config
11/05/2005 08:40 PM <DIR> CONNEC~1 Connection Wizard
11/05/2005 10:57 AM 0 control.ini
11/05/2005 10:53 AM <DIR> Cursors
11/05/2005 12:06 PM <DIR> Debug
04/08/2004 09:30 PM 2 desktop.ini
11/12/2005 03:54 PM 142 DINKSM~1.INI dinksmallwood.ini
01/02/2006 11:01 AM 103,086 DirectX.log
11/05/2005 12:37 PM <DIR> DOWNLO~2 Downloaded Installations
11/05/2005 11:14 AM <DIR> DRIVER~1 Driver Cache
22/07/2005 02:28 PM 641 DTCINS~1.LOG DtcInstall.log
04/08/2004 09:30 PM 1,032,192 explorer.exe
04/08/2004 09:30 PM 80 explorer.scf
17/04/2006 12:11 AM 371,372 FaxSetup.log
04/08/2004 09:30 PM 16,730 FEATHE~1.BMP FeatherTexture.bmp
20/11/2003 10:38 AM 178 FILESP~1 filespecrt2500qa
04/08/2004 09:30 PM 17,336 GONEFI~1.BMP Gone Fishing.bmp
04/08/2004 09:30 PM 26,582 GREENS~1.BMP Greenstone.bmp
24/07/2005 03:14 PM <DIR> Help
27/05/2005 08:52 AM 10,752 hh.exe
17/04/2006 12:11 AM 60,183 iis6.log
11/05/2005 10:58 AM <DIR> ime
17/04/2006 12:10 AM 1,374 imsins.BAK
17/04/2006 12:11 AM 1,374 imsins.log
29/10/1998 04:15 PM 306,688 IsUninst.exe
11/05/2005 08:40 PM <DIR> java
07/11/2005 10:23 PM 659 KB833680.log
11/05/2005 12:13 PM 16,992 KB873333.log
11/05/2005 12:18 PM 16,280 KB873339.log
08/07/2005 10:02 AM 17,698 KB883939.log
11/05/2005 12:20 PM 17,023 KB885250.log
11/05/2005 12:22 PM 17,432 KB885835.log
11/05/2005 12:21 PM 16,302 KB885836.log
11/05/2005 12:11 PM 10,248 KB886185.log
11/05/2005 12:15 PM 16,380 KB887472.log
11/05/2005 12:16 PM 16,973 KB887742.log
11/05/2005 12:37 PM 10,031 KB887797.log
11/05/2005 12:37 PM 11,906 KB888113.log
11/05/2005 12:12 PM 14,577 KB888302.log
08/07/2005 10:12 AM 26,231 KB890046.log
11/05/2005 12:19 PM 16,429 KB890175.log
11/05/2005 12:39 PM 20,338 KB890859.log
11/05/2005 12:10 PM 16,354 KB890923.log
11/05/2005 12:14 PM 16,469 KB891781.log
08/07/2005 10:02 AM 32,144 KB893066.log
11/05/2005 12:08 PM 12,585 KB893086.log
18/08/2005 07:44 PM 17,627 KB893756.log
14/06/2005 12:11 PM 7,132 KB8938~1.LOG KB893803v2.log
18/08/2005 07:44 PM 14,412 KB894391.log
08/07/2005 10:12 AM 13,228 KB896344.log
08/07/2005 10:01 AM 12,138 KB896358.log
08/07/2005 10:02 AM 12,213 KB896422.log
15/08/2005 08:24 PM 12,023 KB896423.log
19/11/2005 04:15 PM 11,873 KB896424.log
08/07/2005 10:02 AM 11,469 KB896428.log
06/11/2005 08:07 PM 12,856 KB896688.log
18/08/2005 07:44 PM 18,834 KB896727.log
08/07/2005 10:02 AM 12,445 KB898461.log
15/08/2005 08:25 PM 12,513 KB899587.log
15/08/2005 08:23 PM 12,140 KB899588.log
15/08/2005 08:24 PM 12,013 KB899591.log
06/11/2005 05:56 PM 16,117 KB900725.log
06/11/2005 08:08 PM 25,618 KB901017.log
24/07/2005 02:00 PM 10,049 KB901214.log
06/11/2005 08:08 PM 25,853 KB902400.log
24/07/2005 02:00 PM 3,791 KB903235.log
06/11/2005 08:07 PM 17,810 KB904706.log
06/11/2005 08:07 PM 18,409 KB905414.log
06/11/2005 08:07 PM 18,444 KB905749.log
21/01/2006 07:11 PM 16,527 KB905915.log
21/01/2006 09:26 AM 10,277 KB908519.log
17/04/2006 12:11 AM 14,975 KB908531.log
21/01/2006 07:11 PM 9,416 KB910437.log
17/04/2006 12:10 AM 14,178 KB911562.log
15/02/2006 10:26 PM 8,892 KB911564.log
17/04/2006 12:10 AM 17,571 KB911565.log
17/04/2006 12:09 AM 10,791 KB911567.log
15/02/2006 10:27 PM 11,193 KB911927.log
19/03/2006 11:04 AM 4,094 KB912475.log
17/04/2006 12:10 AM 17,412 KB912812.log
21/01/2006 09:26 AM 11,135 KB912919.log
15/02/2006 10:25 PM 7,119 KB913446.log
26/08/2005 07:35 PM 88 Label7
23/07/2005 02:17 PM <DIR> Media
25/07/2005 07:36 PM <DIR> MICROS~1.NET Microsoft.NET
31/07/2005 06:57 PM <DIR> Minidump
06/02/2006 05:18 PM 11,016 MODEML~1.TXT ModemLog_Agere Systems AC'97 Modem.txt
22/01/2006 07:04 PM 3,423 mozver.dat
08/07/2005 10:12 AM <DIR> msagent
23/07/2005 02:15 PM <DIR> msapps
04/08/2004 09:30 PM 1,405 msdfmap.ini
17/04/2006 12:11 AM 19,133 msgsocm.log
11/05/2005 08:40 PM <DIR> mui
09/04/2006 02:22 PM 49 NERODI~1.INI NeroDigital.ini
04/08/2004 09:30 PM 69,120 NOTEPAD.EXE
03/08/2005 01:57 PM 0 nsreg.dat
07/11/2005 09:08 PM 270 nsw.log
24/04/2006 07:05 PM 430,342 ntbtlog.txt
17/04/2006 12:11 AM 79,771 NTDTCS~1.LOG ntdtcsetup.log
17/04/2006 12:11 AM 189,439 ocgen.log
17/04/2006 12:11 AM 20,633 ocmsn.log
23/07/2005 02:18 PM 376 ODBC.INI
11/05/2005 10:57 AM 4,161 ODBCINST.INI
22/07/2005 02:30 PM 1,178 OEWABLog.txt
11/05/2005 10:56 AM <DIR> OFFLIN~1 Offline Web Pages
28/07/2005 06:55 PM 56,041 OMEGAD~1.TXT Omega Drivers Log.txt
11/05/2005 11:14 AM <DIR> Options
11/05/2005 01:30 PM <DIR> pchealth
11/05/2005 08:45 PM <DIR> PeerNet
04/08/2004 09:30 PM 65,954 PRAIRI~1.BMP Prairie Wind.bmp
24/04/2006 07:00 PM <DIR> Prefetch
11/05/2005 08:40 PM <DIR> PROVIS~1 Provisioning
26/01/2006 06:56 PM 1,409 QTFont.for
04/08/2004 09:30 PM 146,432 regedit.exe
11/05/2005 12:38 PM <DIR> REGIST~2 RegisteredPackages
28/07/2005 09:47 PM <DIR> REGIST~1 Registration
11/05/2005 11:01 AM 8,192 REGLOCS.OLD
22/07/2005 02:27 PM 3,420 regopt.log
12/07/2005 03:49 PM <DIR> repair
11/05/2005 08:40 PM <DIR> RESOUR~1 Resources
04/08/2004 09:30 PM 17,362 RHODOD~1.BMP Rhododendron.bmp
04/08/2004 09:30 PM 26,680 RIVERS~1.BMP River Sumida.bmp
04/08/2004 09:30 PM 65,832 SANTAF~1.BMP Santa Fe Stucco.bmp
24/04/2006 07:04 PM 32,194 SchedLgU.Txt
22/07/2005 02:50 PM <DIR> security
22/07/2005 02:29 PM 4,539 SESSMG~1.LOG sessmgr.setup.log
04/08/2004 09:30 PM 1,042,903 SET3.tmp
04/08/2004 09:30 PM 1,086,058 SET4.tmp
04/08/2004 09:30 PM 13,753 SET8.tmp
19/04/2006 12:00 AM 167,643 setupact.log
24/04/2006 06:37 PM 200,047 setupapi.log
29/10/2005 03:55 PM 1,102,003 SETUPA~1.OLD setupapi.log.0.old
11/05/2005 08:46 PM 0 setuperr.log
23/07/2005 06:41 PM 897,857 setuplog.txt
11/05/2005 12:29 PM 156,466 SetupWLD.log
23/07/2005 02:17 PM <DIR> ShellNew
23/07/2005 07:06 PM 564 SIERRA.INI
12/07/2005 03:46 PM 61 smscfg.ini
04/08/2004 09:30 PM 65,978 SOAPBU~1.BMP Soap Bubbles.bmp
23/07/2005 05:59 PM <DIR> SOFTWA~1 SoftwareDistribution
23/07/2005 07:17 PM <DIR> solcache
17/04/2006 04:27 PM 1,829 spupdsvc.log
11/05/2005 10:56 AM <DIR> srchasst
11/05/2005 08:51 PM 0 STI_TR~1.LOG Sti_Trace.log
22/01/2006 07:04 PM <DIR> Sun
14/06/2005 12:23 PM 1,317 SynInst.log
23/07/2005 02:15 PM <DIR> system
15/01/2006 08:16 PM 268 System.ini
24/04/2006 08:05 PM <DIR> system32
04/08/2004 09:30 PM 15,360 TASKMAN.EXE
24/04/2006 08:11 PM <DIR> Temp
17/04/2006 12:11 AM 152,147 tsoc.log
04/08/2004 09:30 PM 94,784 twain.dll
11/05/2005 08:42 PM <DIR> twain_32
04/08/2004 09:30 PM 50,688 twain_32.dll
04/08/2004 09:30 PM 49,680 twunk_16.exe
04/08/2004 09:30 PM 25,600 twunk_32.exe
03/08/2005 01:57 PM 99,970 UNINST~1.EXE UninstallFirefox.exe
10/11/1999 11:05 AM 86,016 UNVISE~1.EXE unvise32qt.exe
17/04/2006 12:11 AM 33,701 updspapi.log
11/05/2005 10:54 AM 36 vb.ini
23/07/2005 02:18 PM 59 vbaddin.ini
04/08/2004 09:30 PM 18,944 vmmreg32.dll
11/05/2005 10:56 AM <DIR> Web
08/04/2006 01:46 PM 216 wiadebug.log
08/04/2006 01:46 PM 49 wiaservc.log
23/07/2005 02:18 PM 573 win.ini
24/04/2006 08:09 PM 1,073,863 WINDOW~1.LOG WindowsUpdate.log
04/08/2004 09:30 PM 256,192 winhelp.exe
04/08/2004 09:30 PM 283,648 winhlp32.exe
11/05/2005 12:29 PM <DIR> WinSxS
18/04/2006 11:36 PM 57,356 wmsetup.log
23/07/2005 09:13 PM 379 WMSETU~1.LOG wmsetup10.log
11/05/2005 12:38 PM 316,640 WMSysPr9.prx
04/08/2004 09:30 PM 9,522 Zapotec.bmp
04/08/2004 09:30 PM 707 _default.pif
20/04/2006 10:34 PM <DIR> DOBE~2 ?dobe
18/04/2006 07:37 PM <DIR> ASKS~1 ?asks
19/04/2006 08:35 PM <DIR> MBOLS~1 ??mbols
15/02/2006 10:14 PM <DIR> DOBE~1 ?dobe
19/04/2006 08:33 PM <DIR> SSEMBL~1 ?ssembly
151 File(s) 11,767,133 bytes
46 Dir(s) 18,463,948,800 bytes free
Volume in drive C has no label.
Volume Serial Number is 08FE-2081

Directory of C:\WINDOWS\system32


Directory of C:\WINDOWS

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:21:20 PM, on 24/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\WINDOWS\system32\RaConfig2500.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\pcclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tpg.com.au
O1 - Hosts: --
O1 - Hosts: Karma is a fusion of serendipity and either malicious or generous individuals.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {A2C746DB-AD65-CA99-1EF9-FD5A6D3911B7} - C:\WINDOWS\system32\hggsvkk.dll (file missing)
O2 - BHO: (no name) - {A3C746DC-AD65-CEEB-1E86-F45A644F11C0} - C:\WINDOWS\system32\hggsvkk.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [mm_server] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RaConfig2500.lnk = C:\WINDOWS\system32\RaConfig2500.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tpg.com.au
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120782608999
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

and finally... the ewido scan report

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:06:23 PM, 24/04/2006
+ Report-Checksum: 906F2041

+ Scan result:

:mozilla.20:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.21:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.22:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.23:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.24:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.25:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.26:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.27:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.28:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.29:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.54:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.58:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.59:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.60:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.61:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.62:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.67:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.68:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.69:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.70:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.71:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.72:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.73:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.74:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.75:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.76:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.87:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.88:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.89:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.90:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.91:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.103:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.104:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.105:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.106:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.113:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.118:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.134:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.135:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.136:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.137:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.138:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.139:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.140:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.141:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.142:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.143:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.144:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.145:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.177:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Hypertracker : Cleaned with backup
:mozilla.178:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Hypertracker : Cleaned with backup
:mozilla.220:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.224:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.231:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.233:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.234:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.235:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.236:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.256:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.257:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.258:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.268:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.285:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.286:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.287:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.288:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.289:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.292:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Cqcounter : Cleaned with backup
:mozilla.295:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.296:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.334:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned with backup
:mozilla.367:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.368:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@e-2dj6wglyuiazkgp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@www.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup
C:\WINDOWS\system32\hggsvkk.dll -> Adware.PurityScan : Cleaned with backup
C:\WINDOWS\system32\rυndll.exe -> Adware.PurityScan : Cleaned with backup


::Report End

thanks again for your help :flowers:

#4 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:04:46 PM

Posted 24 April 2006 - 11:47 AM

Hi there aph,

The results you posted are just what I wanted to see. The infection you have is PurityScan, which does a pretty nasty trick of using ? question marks to hide letters of folders. We have to delete 5 rogue folders in your C:\Windows folder. Please navigate to this folder now.

The folders you are looking for do not actually have question marks in them when you see them in the folder, and will have a letter in place of them. So I want you to find and delete the following folders in your C:\Windows directory:

?ssembly <--most likely to be 'assembly'
?dobe <--'adobe'
??mbols <--'symbols'
?asks <--'tasks'
?dobe <--'adobe'

So the question mark will be replaced by a letter that most likely creates a word. Eg in ??mbols the question marks will most likely hide the 's' and the 'y' to make the folder name symbols. In addition, the
?asks will mostly have the question mark in place of a 't' to make the word tasks. Pretty simple I suppose.
If you get two folders under the same name, eg if you find two folders named "tasks" then please leave them and let me know those folder names. I'm pretty sure you won't find any duplicates but let me know if you do. This infection is pretty new so I'm still getting used to it, so if you don't really understand then let me know and I'll get someone to try and explain it a bit better for you :thumbsup:

If you can't find any of the folders, don't worry and just let me know.
Now please delete this file:
C:\directory.txt

After doing all you can please reboot your computer and post back with a new Hijackthis log and also run that customised batch I got you to run in my first post (look.bat).

Good luck, David.

Edited by D-Trojanator, 27 April 2006 - 11:00 AM.
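An added illustration, not part of David's post or anything else in this thread, of why those folders show up as "?" and how to pick them out mechanically. PurityScan-style decoys use non-ASCII look-alike letters (the ewido report above already shows one: rυndll.exe with a Greek upsilon); a plain OEM console window cannot draw those characters and prints "?" instead, which is where "?ssembly" and "??mbols" come from. The entry names below are constructed sample data, the homoglyph table is a small hand-picked subset, and the "known good" list is an assumed example.

```python
from collections import defaultdict

# Constructed sample listing of C:\WINDOWS, modelled on the thread: genuine
# names plus decoy copies whose leading letters are Cyrillic or Greek.
SAMPLE_ENTRIES = [
    "addins",
    "assembly",
    "\u0430ssembly",      # Cyrillic 'a' + "ssembly"
    "symbols",
    "\u0455\u0443mbols",  # Cyrillic 's' and 'y' + "mbols"
    "\u0442asks",         # Cyrillic 't' + "asks"
    "Tasks",
    "rundll32.exe",
    "r\u03c5ndll.exe",    # Greek upsilon, as in the ewido report above
]

# Names an analyst would expect in that directory (assumed for this example).
KNOWN_GOOD = {"addins", "assembly", "symbols", "tasks", "rundll32.exe"}

# Hand-picked confusables: non-ASCII letter -> the ASCII letter it imitates.
# Assumption: a real tool would load the full Unicode confusables table.
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
    "\u0456": "i", "\u03bf": "o", "\u03c5": "u", "\u03bd": "v",
}


def as_oem_console(name):
    """Render a name the way a cp437 (US OEM) console window would: every
    character outside that code page prints as '?', which is exactly where
    the '?ssembly' / '??mbols' in the instructions above come from."""
    return name.encode("cp437", errors="replace").decode("cp437")


def ascii_skeleton(name):
    """Fold known homoglyphs to ASCII; unknown non-ASCII becomes '?'."""
    out = []
    for ch in name:
        if ord(ch) < 128:
            out.append(ch)
        else:
            out.append(HOMOGLYPHS.get(ch, "?"))
    return "".join(out)


def find_lookalikes(entries, known_good):
    """Return (name, skeleton, reason) for every entry containing non-ASCII
    characters. The reason separates the dangerous case (the folded name
    collides with a real sibling, i.e. a decoy sitting next to the genuine
    folder) from a mere imitation of an expected system name."""
    by_skeleton = defaultdict(list)
    for e in entries:
        by_skeleton[ascii_skeleton(e).lower()].append(e)

    findings = []
    for e in entries:
        if e.isascii():
            continue
        skel = ascii_skeleton(e)
        siblings = [s for s in by_skeleton[skel.lower()] if s != e]
        if siblings:
            reason = "collides with real entry %r" % siblings[0]
        elif skel.lower() in known_good:
            reason = "imitates expected name %r" % skel
        else:
            reason = "non-ASCII characters in name"
        findings.append((e, skel, reason))
    return findings


def scan_sample():
    """Run the detector over the constructed listing."""
    return find_lookalikes(SAMPLE_ENTRIES, KNOWN_GOOD)


if __name__ == "__main__":
    for name, skel, reason in scan_sample():
        print("%-12s (really %-12s) -> %s" % (as_oem_console(name), skel, reason))
```

The collision case is the one David is asking about: if two entries fold to the same ASCII name, the one containing non-ASCII characters is the decoy and the all-ASCII one is the real folder, so the two can be told apart without guessing. An entry whose skeleton still contains "?" uses a character the small table does not know, which is why the listing above shows "?asks" with no letter supplied.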


#5 aph

aph
  • Topic Starter

  • Members
  • 6 posts
  • Local time:01:16 AM

Posted 25 April 2006 - 02:49 AM

Thanks again :thumbsup:

Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:13:41 PM, on 25/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\WINDOWS\system32\RaConfig2500.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tpg.com.au
O1 - Hosts: --
O1 - Hosts: Karma is a fusion of serendipity and either malicious or generous individuals.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {A2C746DB-AD65-CA99-1EF9-FD5A6D3911B7} - C:\WINDOWS\system32\hggsvkk.dll (file missing)
O2 - BHO: (no name) - {A3C746DC-AD65-CEEB-1E86-F45A644F11C0} - C:\WINDOWS\system32\hggsvkk.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [mm_server] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RaConfig2500.lnk = C:\WINDOWS\system32\RaConfig2500.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tpg.com.au
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120782608999
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

and the new directory:

Volume in drive C has no label.
Volume Serial Number is 08FE-2081

Directory of C:\WINDOWS

25/04/2006 05:09 PM <DIR> .
25/04/2006 05:09 PM <DIR> ..
25/04/2006 05:12 PM 0 0.log
18/01/2002 05:42 PM 112 ACTIVE~1.INI ActiveSkin.INI
11/05/2005 08:40 PM <DIR> addins
05/09/2003 03:49 PM 64,512 agrsmdel.exe
23/09/2003 06:36 PM 88,363 AGRSMMSG.exe
11/05/2005 08:45 PM <DIR> AppPatch
04/08/2004 09:30 PM 1,272 BLUELA~1.BMP Blue Lace 16.bmp
18/09/2005 01:46 PM 1,227 cdPlayer.ini
11/05/2005 11:12 AM 571 chipset.log
04/08/2004 09:30 PM 82,944 clock.avi
11/05/2005 10:52 AM 200 cmsetacl.log
04/08/2004 09:30 PM 17,062 COFFEE~1.BMP Coffee Bean.bmp
08/07/2005 10:12 AM 1,446 COM_~1.LOG COM+.log
17/04/2006 12:11 AM 133,738 comsetup.log
11/05/2005 08:40 PM <DIR> Config
11/05/2005 08:40 PM <DIR> CONNEC~1 Connection Wizard
11/05/2005 10:57 AM 0 control.ini
11/05/2005 10:53 AM <DIR> Cursors
11/05/2005 12:06 PM <DIR> Debug
04/08/2004 09:30 PM 2 desktop.ini
11/12/2005 03:54 PM 142 DINKSM~1.INI dinksmallwood.ini
01/02/2006 11:01 AM 103,086 DirectX.log
11/05/2005 12:37 PM <DIR> DOWNLO~2 Downloaded Installations
11/05/2005 11:14 AM <DIR> DRIVER~1 Driver Cache
22/07/2005 02:28 PM 641 DTCINS~1.LOG DtcInstall.log
04/08/2004 09:30 PM 1,032,192 explorer.exe
04/08/2004 09:30 PM 80 explorer.scf
17/04/2006 12:11 AM 371,372 FaxSetup.log
04/08/2004 09:30 PM 16,730 FEATHE~1.BMP FeatherTexture.bmp
20/11/2003 10:38 AM 178 FILESP~1 filespecrt2500qa
04/08/2004 09:30 PM 17,336 GONEFI~1.BMP Gone Fishing.bmp
04/08/2004 09:30 PM 26,582 GREENS~1.BMP Greenstone.bmp
24/07/2005 03:14 PM <DIR> Help
27/05/2005 08:52 AM 10,752 hh.exe
17/04/2006 12:11 AM 60,183 iis6.log
11/05/2005 10:58 AM <DIR> ime
17/04/2006 12:10 AM 1,374 imsins.BAK
17/04/2006 12:11 AM 1,374 imsins.log
29/10/1998 04:15 PM 306,688 IsUninst.exe
11/05/2005 08:40 PM <DIR> java
07/11/2005 10:23 PM 659 KB833680.log
11/05/2005 12:13 PM 16,992 KB873333.log
11/05/2005 12:18 PM 16,280 KB873339.log
08/07/2005 10:02 AM 17,698 KB883939.log
11/05/2005 12:20 PM 17,023 KB885250.log
11/05/2005 12:22 PM 17,432 KB885835.log
11/05/2005 12:21 PM 16,302 KB885836.log
11/05/2005 12:11 PM 10,248 KB886185.log
11/05/2005 12:15 PM 16,380 KB887472.log
11/05/2005 12:16 PM 16,973 KB887742.log
11/05/2005 12:37 PM 10,031 KB887797.log
11/05/2005 12:37 PM 11,906 KB888113.log
11/05/2005 12:12 PM 14,577 KB888302.log
08/07/2005 10:12 AM 26,231 KB890046.log
11/05/2005 12:19 PM 16,429 KB890175.log
11/05/2005 12:39 PM 20,338 KB890859.log
11/05/2005 12:10 PM 16,354 KB890923.log
11/05/2005 12:14 PM 16,469 KB891781.log
08/07/2005 10:02 AM 32,144 KB893066.log
11/05/2005 12:08 PM 12,585 KB893086.log
18/08/2005 07:44 PM 17,627 KB893756.log
14/06/2005 12:11 PM 7,132 KB8938~1.LOG KB893803v2.log
18/08/2005 07:44 PM 14,412 KB894391.log
08/07/2005 10:12 AM 13,228 KB896344.log
08/07/2005 10:01 AM 12,138 KB896358.log
08/07/2005 10:02 AM 12,213 KB896422.log
15/08/2005 08:24 PM 12,023 KB896423.log
19/11/2005 04:15 PM 11,873 KB896424.log
08/07/2005 10:02 AM 11,469 KB896428.log
06/11/2005 08:07 PM 12,856 KB896688.log
18/08/2005 07:44 PM 18,834 KB896727.log
08/07/2005 10:02 AM 12,445 KB898461.log
15/08/2005 08:25 PM 12,513 KB899587.log
15/08/2005 08:23 PM 12,140 KB899588.log
15/08/2005 08:24 PM 12,013 KB899591.log
06/11/2005 05:56 PM 16,117 KB900725.log
06/11/2005 08:08 PM 25,618 KB901017.log
24/07/2005 02:00 PM 10,049 KB901214.log
06/11/2005 08:08 PM 25,853 KB902400.log
24/07/2005 02:00 PM 3,791 KB903235.log
06/11/2005 08:07 PM 17,810 KB904706.log
06/11/2005 08:07 PM 18,409 KB905414.log
06/11/2005 08:07 PM 18,444 KB905749.log
21/01/2006 07:11 PM 16,527 KB905915.log
21/01/2006 09:26 AM 10,277 KB908519.log
17/04/2006 12:11 AM 14,975 KB908531.log
21/01/2006 07:11 PM 9,416 KB910437.log
17/04/2006 12:10 AM 14,178 KB911562.log
15/02/2006 10:26 PM 8,892 KB911564.log
17/04/2006 12:10 AM 17,571 KB911565.log
17/04/2006 12:09 AM 10,791 KB911567.log
15/02/2006 10:27 PM 11,193 KB911927.log
19/03/2006 11:04 AM 4,094 KB912475.log
17/04/2006 12:10 AM 17,412 KB912812.log
21/01/2006 09:26 AM 11,135 KB912919.log
15/02/2006 10:25 PM 7,119 KB913446.log
26/08/2005 07:35 PM 88 Label7
23/07/2005 02:17 PM <DIR> Media
25/07/2005 07:36 PM <DIR> MICROS~1.NET Microsoft.NET
31/07/2005 06:57 PM <DIR> Minidump
06/02/2006 05:18 PM 11,016 MODEML~1.TXT ModemLog_Agere Systems AC'97 Modem.txt
22/01/2006 07:04 PM 3,423 mozver.dat
08/07/2005 10:12 AM <DIR> msagent
23/07/2005 02:15 PM <DIR> msapps
04/08/2004 09:30 PM 1,405 msdfmap.ini
17/04/2006 12:11 AM 19,133 msgsocm.log
11/05/2005 08:40 PM <DIR> mui
09/04/2006 02:22 PM 49 NERODI~1.INI NeroDigital.ini
04/08/2004 09:30 PM 69,120 NOTEPAD.EXE
03/08/2005 01:57 PM 0 nsreg.dat
07/11/2005 09:08 PM 270 nsw.log
24/04/2006 07:05 PM 430,342 ntbtlog.txt
17/04/2006 12:11 AM 79,771 NTDTCS~1.LOG ntdtcsetup.log
17/04/2006 12:11 AM 189,439 ocgen.log
17/04/2006 12:11 AM 20,633 ocmsn.log
23/07/2005 02:18 PM 376 ODBC.INI
11/05/2005 10:57 AM 4,161 ODBCINST.INI
22/07/2005 02:30 PM 1,178 OEWABLog.txt
11/05/2005 10:56 AM <DIR> OFFLIN~1 Offline Web Pages
28/07/2005 06:55 PM 56,041 OMEGAD~1.TXT Omega Drivers Log.txt
11/05/2005 11:14 AM <DIR> Options
11/05/2005 01:30 PM <DIR> pchealth
11/05/2005 08:45 PM <DIR> PeerNet
04/08/2004 09:30 PM 65,954 PRAIRI~1.BMP Prairie Wind.bmp
24/04/2006 10:15 PM <DIR> Prefetch
11/05/2005 08:40 PM <DIR> PROVIS~1 Provisioning
26/01/2006 06:56 PM 1,409 QTFont.for
04/08/2004 09:30 PM 146,432 regedit.exe
11/05/2005 12:38 PM <DIR> REGIST~2 RegisteredPackages
28/07/2005 09:47 PM <DIR> REGIST~1 Registration
11/05/2005 11:01 AM 8,192 REGLOCS.OLD
22/07/2005 02:27 PM 3,420 regopt.log
12/07/2005 03:49 PM <DIR> repair
11/05/2005 08:40 PM <DIR> RESOUR~1 Resources
04/08/2004 09:30 PM 17,362 RHODOD~1.BMP Rhododendron.bmp
04/08/2004 09:30 PM 26,680 RIVERS~1.BMP River Sumida.bmp
04/08/2004 09:30 PM 65,832 SANTAF~1.BMP Santa Fe Stucco.bmp
25/04/2006 05:11 PM 32,272 SchedLgU.Txt
22/07/2005 02:50 PM <DIR> security
22/07/2005 02:29 PM 4,539 SESSMG~1.LOG sessmgr.setup.log
04/08/2004 09:30 PM 1,042,903 SET3.tmp
04/08/2004 09:30 PM 1,086,058 SET4.tmp
04/08/2004 09:30 PM 13,753 SET8.tmp
19/04/2006 12:00 AM 167,643 setupact.log
25/04/2006 05:14 PM 202,928 setupapi.log
29/10/2005 03:55 PM 1,102,003 SETUPA~1.OLD setupapi.log.0.old
11/05/2005 08:46 PM 0 setuperr.log
23/07/2005 06:41 PM 897,857 setuplog.txt
11/05/2005 12:29 PM 156,466 SetupWLD.log
23/07/2005 02:17 PM <DIR> ShellNew
23/07/2005 07:06 PM 564 SIERRA.INI
12/07/2005 03:46 PM 61 smscfg.ini
04/08/2004 09:30 PM 65,978 SOAPBU~1.BMP Soap Bubbles.bmp
23/07/2005 05:59 PM <DIR> SOFTWA~1 SoftwareDistribution
23/07/2005 07:17 PM <DIR> solcache
17/04/2006 04:27 PM 1,829 spupdsvc.log
11/05/2005 10:56 AM <DIR> srchasst
11/05/2005 08:51 PM 0 STI_TR~1.LOG Sti_Trace.log
22/01/2006 07:04 PM <DIR> Sun
14/06/2005 12:23 PM 1,317 SynInst.log
23/07/2005 02:15 PM <DIR> system
15/01/2006 08:16 PM 268 System.ini
24/04/2006 08:05 PM <DIR> system32
04/08/2004 09:30 PM 15,360 TASKMAN.EXE
25/04/2006 05:13 PM <DIR> Temp
17/04/2006 12:11 AM 152,147 tsoc.log
04/08/2004 09:30 PM 94,784 twain.dll
11/05/2005 08:42 PM <DIR> twain_32
04/08/2004 09:30 PM 50,688 twain_32.dll
04/08/2004 09:30 PM 49,680 twunk_16.exe
04/08/2004 09:30 PM 25,600 twunk_32.exe
03/08/2005 01:57 PM 99,970 UNINST~1.EXE UninstallFirefox.exe
10/11/1999 11:05 AM 86,016 UNVISE~1.EXE unvise32qt.exe
17/04/2006 12:11 AM 33,701 updspapi.log
11/05/2005 10:54 AM 36 vb.ini
23/07/2005 02:18 PM 59 vbaddin.ini
04/08/2004 09:30 PM 18,944 vmmreg32.dll
11/05/2005 10:56 AM <DIR> Web
08/04/2006 01:46 PM 216 wiadebug.log
08/04/2006 01:46 PM 49 wiaservc.log
23/07/2005 02:18 PM 573 win.ini
25/04/2006 05:12 PM 1,086,537 WINDOW~1.LOG WindowsUpdate.log
04/08/2004 09:30 PM 256,192 winhelp.exe
04/08/2004 09:30 PM 283,648 winhlp32.exe
11/05/2005 12:29 PM <DIR> WinSxS
18/04/2006 11:36 PM 57,356 wmsetup.log
23/07/2005 09:13 PM 379 WMSETU~1.LOG wmsetup10.log
11/05/2005 12:38 PM 316,640 WMSysPr9.prx
04/08/2004 09:30 PM 9,522 Zapotec.bmp
04/08/2004 09:30 PM 707 _default.pif
151 File(s) 11,782,766 bytes
41 Dir(s) 18,708,516,864 bytes free
Volume in drive C has no label.
Volume Serial Number is 08FE-2081

Directory of C:\WINDOWS\system32


Directory of C:\WINDOWS


Cheers

#6 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:04:46 PM

Posted 25 April 2006 - 10:47 AM

Excellent work so far aph!

We just have a couple of entries in Hijackthis that will need a little bit of force to remove. Please open Notepad and copy and paste the next bold text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A2C746DB-AD65-CA99-1EF9-FD5A6D3911B7}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3C746DC-AD65-CEEB-1E86-F45A644F11C0}]

Save this as "fix.reg", choosing "All Files" as the file type, and place it on your desktop.
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Please reboot and run Panda's ActiveScan.
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your details when asked.
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the ActiveScan report along with a new Hijackthis log.
David
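An added example, not from David's post, of the same fix done mechanically: parse HijackThis O2 lines, select the BHO registrations whose DLL HijackThis marks "(file missing)" (orphaned entries like the two hggsvkk.dll ones above, left behind after ewido removed the file), and emit a REGEDIT4 file that deletes those keys. The sample lines are copied from the log earlier in this thread; the function names and the optional HKEY_CLASSES_ROOT clean-up are my own additions.

```python
import re

# O2 lines copied from the HijackThis log posted above.
SAMPLE_HJT_LINES = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {A2C746DB-AD65-CA99-1EF9-FD5A6D3911B7} - C:\WINDOWS\system32\hggsvkk.dll (file missing)",
    r"O2 - BHO: (no name) - {A3C746DC-AD65-CEEB-1E86-F45A644F11C0} - C:\WINDOWS\system32\hggsvkk.dll (file missing)",
    r"O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll",
]

# Where Internet Explorer looks up BHOs, and where their COM classes live.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"

# name - {CLSID} - path, with an optional trailing "(file missing)" marker.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)


def parse_o2(line):
    """Split one HijackThis O2 line into its fields; None for other lines."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    return {
        "name": m.group("name"),
        "clsid": m.group("clsid").upper(),
        "path": m.group("path"),
        "missing": m.group("missing") is not None,
    }


def orphaned_bhos(lines):
    """BHO registrations whose DLL HijackThis could not find on disk."""
    hits = []
    for line in lines:
        bho = parse_o2(line)
        if bho and bho["missing"]:
            hits.append(bho)
    return hits


def make_reg(clsids, include_clsid=False):
    """Build REGEDIT4 text. A leading '-' inside the brackets tells regedit
    to delete the key. Windows expects CRLF line endings and a blank line
    after each section. With include_clsid the COM class registration under
    HKEY_CLASSES_ROOT is removed as well; David's fix does not do that, so
    it is off by default to match the post."""
    sections = ["[-%s\\%s]" % (BHO_KEY, c) for c in clsids]
    if include_clsid:
        sections += ["[-%s\\%s]" % (CLSID_KEY, c) for c in clsids]
    return "REGEDIT4\r\n\r\n" + "".join(s + "\r\n\r\n" for s in sections)


def build_fix(lines, include_clsid=False):
    """Orphaned O2 entries in, ready-to-merge fix.reg contents out."""
    return make_reg([b["clsid"] for b in orphaned_bhos(lines)], include_clsid)


if __name__ == "__main__":
    # newline="" keeps the CRLF endings exactly as generated.
    with open("fix.reg", "w", newline="") as fh:
        fh.write(build_fix(SAMPLE_HJT_LINES))
    print(build_fix(SAMPLE_HJT_LINES))
```

Only entries flagged "(file missing)" are selected, so the Adobe and PC Tools helpers, whose DLLs exist, are left alone; the output for the sample is the same two deletion sections David wrote by hand, under the correct REGEDIT4 header.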

#7 aph

aph
  • Topic Starter

  • Members
  • 6 posts
  • Local time:01:16 AM

Posted 27 April 2006 - 06:43 AM

Okay... there's more. I don't know why my Gmail sig is showing in the HJT log...

oh well.

Activescan report:


Incident Status Location

Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt[.atwola.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt[.ct.360i.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt[ad.sensismediasmart.com.au/]
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\48i658bi.default\cookies.txt[www.advnt01.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\user\Cookies\user@ath.belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\user\Cookies\user@belnk[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\user\Cookies\user@dist.belnk[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\user\Cookies\user@errorsafe[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\user\Cookies\user@rn11[2].txt
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\user\Cookies\user@www.advnt01[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\user\Cookies\user@www.errorsafe[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\user\Cookies\user@xiti[1].txt
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\user\Local Settings\Temp\!update.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\T7HQDE58\!update-3703[1].0000

and the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 9:09:51 PM, on 27/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\RaConfig2500.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tpg.com.au
O1 - Hosts: --
O1 - Hosts: Karma is a fusion of serendipity and either malicious or generous individuals.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {A2C746DB-AD65-CA99-1EF9-FD5A6D3911B7} - C:\WINDOWS\system32\hggsvkk.dll (file missing)
O2 - BHO: (no name) - {A3C746DC-AD65-CEEB-1E86-F45A644F11C0} - C:\WINDOWS\system32\hggsvkk.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [mm_server] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RaConfig2500.lnk = C:\WINDOWS\system32\RaConfig2500.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tpg.com.au
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...ab?1120782608999
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:04:46 PM

Posted 27 April 2006 - 10:16 AM

Hey Aph.

Not much left to do at all, everything is looking clean.

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
* Please post a new HijackThis log and in Notepad be sure to click on Format and place a check mark beside "word wrap" so the log will be easier to read. Also let me know how the computer is running.

David

#9 aph

aph
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:16 AM

Posted 28 April 2006 - 03:53 AM

Many thanks again, and apologies for making things hard to read. I have checked the word wrap option.

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:06:39 PM, on 28/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\RaConfig2500.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tpg.com.au
O1 - Hosts: --
O1 - Hosts: Karma is a fusion of serendipity and either malicious or generous individuals.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {A2C746DB-AD65-CA99-1EF9-FD5A6D3911B7} - C:\WINDOWS\system32\hggsvkk.dll (file missing)
O2 - BHO: (no name) - {A3C746DC-AD65-CEEB-1E86-F45A644F11C0} - C:\WINDOWS\system32\hggsvkk.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [mm_server] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RaConfig2500.lnk = C:\WINDOWS\system32\RaConfig2500.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tpg.com.au
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120782608999
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

As for how my PC is running, I'd have to say it is going a little quicker, and the hard drive isn't accessing anywhere near as much as it used to.

#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:04:46 PM

Posted 28 April 2006 - 12:20 PM

Hey aph
Please disable Spyware Doctor, as it may interfere with the fix. To disable Spyware Doctor:
  • Click the Spyware Doctor icon in the System Tray.
  • Click Settings.
  • Click Startup Settings under Pick a Category.
  • Uncheck Run at Windows startup.
  • Click Apply and Exit Spyware Doctor
Once your log is clean you can re-enable Spyware Doctor.

Please download the following attachment to your desktop.
[attachment=807:attachment]
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

O2 - BHO: (no name) - {A2C746DB-AD65-CA99-1EF9-FD5A6D3911B7} - C:\WINDOWS\system32\hggsvkk.dll (file missing)
O2 - BHO: (no name) - {A3C746DC-AD65-CEEB-1E86-F45A644F11C0} - C:\WINDOWS\system32\hggsvkk.dll (file missing)


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

Please reboot and post a new Hijackthis log.
David
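As an added example (not from this thread, and not HijackThis project code), here is a small Python triage helper for logs in the format posted above: it parses the running-process block and the numbered entries, flags O2 BHO lines that have no name or point at a missing DLL (the two hggsvkk.dll entries fixed in this post), and diffs a before/after log so you can confirm that a "Fix Checked" run actually removed them. The sample logs inside are constructed by cutting down the logs quoted in this thread.

```python
import re
from dataclasses import dataclass

# One numbered HijackThis entry, e.g. "O2 - BHO: ..." -> kind "O2", body "BHO: ..."
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
# Body of an O2 line: "BHO: <name> - {CLSID} - <path>[ (file missing)]"
BHO_RE = re.compile(
    r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")


@dataclass(frozen=True, order=True)
class Entry:
    kind: str  # "R1", "O2", "O4", "O23", ...
    body: str  # everything after "<kind> - "


def parse_hjt(text):
    """Split a HijackThis log into (running processes, numbered entries)."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return processes, entries


def suspicious_bhos(entries):
    """Flag O2 BHO entries that have no name or whose DLL is missing.

    Returns (clsid, path, reasons) tuples in log order.  A BHO
    registration with no name and a random-looking DLL is the pattern
    the two hggsvkk.dll lines in this thread show."""
    flagged = []
    for e in entries:
        if e.kind != "O2":
            continue
        m = BHO_RE.match(e.body)
        if not m:
            continue
        reasons = []
        if m.group("name") == "(no name)":
            reasons.append("no name")
        if m.group("path").endswith("(file missing)"):
            reasons.append("file missing")
        if reasons:
            flagged.append((m.group("clsid"), m.group("path"), reasons))
    return flagged


def diff_logs(before, after):
    """Return (removed, added) entry lists between two logs of one machine."""
    _, b = parse_hjt(before)
    _, a = parse_hjt(after)
    return sorted(set(b) - set(a)), sorted(set(a) - set(b))


# Constructed sample logs, cut down from the logs quoted in this thread.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 6:06:39 PM, on 28/04/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Spyware Doctor\swdoctor.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tpg.com.au
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A2C746DB-AD65-CA99-1EF9-FD5A6D3911B7} - C:\WINDOWS\system32\hggsvkk.dll (file missing)
O2 - BHO: (no name) - {A3C746DC-AD65-CEEB-1E86-F45A644F11C0} - C:\WINDOWS\system32\hggsvkk.dll (file missing)
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:28:23 AM, on 29/04/2006

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tpg.com.au
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
"""

if __name__ == "__main__":
    _, entries = parse_hjt(BEFORE_LOG)
    for clsid, path, reasons in suspicious_bhos(entries):
        print(f"fix: O2 {clsid} {path}  [{', '.join(reasons)}]")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"{len(removed)} entries removed, {len(added)} added after the fix")
```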

#11 aph

aph
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:16 AM

Posted 28 April 2006 - 07:03 PM

Done and done

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:28:23 AM, on 29/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\WINDOWS\system32\RaConfig2500.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tpg.com.au
O1 - Hosts: --
O1 - Hosts: Karma is a fusion of serendipity and either malicious or generous individuals.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [mm_server] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RaConfig2500.lnk = C:\WINDOWS\system32\RaConfig2500.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tpg.com.au
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...ab?1120782608999
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

Cheers. This one is a stubborn prick, isn't it?

Edited by aph, 28 April 2006 - 07:10 PM.


#12 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:04:46 PM

Posted 29 April 2006 - 04:59 AM

Ha! Not as stubborn as we thought - both the entries are now gone.
The latest log is looking clean! The fact that your system got infected in the first place shows me that you are lacking slightly in protection.
Follow this list and your potential for being infected again will reduce dramatically.

Now that you are clean, let's purge your system restore points, to remove any infected ones. Please follow these simple steps in order:
  • Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer.
  • Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Un-Check Turn off System Restore.
  • Click Apply, and then click OK.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then OK to exit the Internet Properties page.
  • Use an Anti Virus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
    Click here for more information on -> Computer Safety On line - Anti-Virus
    I would recommend Grisoft's© AVG or AVAST©, as these are the more secure and better ones.
  • Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
    Click here for more information on -> Computer Safety On line - Software Firewalls
    I would recommend ZoneAlarm© as a firewall as it's easy to use. But for a more secure firewall, Sunbelt's Kerio© is the one.
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly.
  • Install Spybot© - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here: Click here for more info -->Instructions for - Spybot S & D and Ad-aware
  • Install Lavasoft's© Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here: Click here for more info -->Instructions for - Spybot S & D and Ad-aware
  • Install Javacool's© SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here: Click here for more info -->Computer Safety on line - Anti-Malware
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
If you have any additional questions just ask...
David
