

Serious Malware Infection! Please Help!


15 replies to this topic

#1 John12


Posted 21 August 2006 - 06:14 PM

I have problems where I get popups from "firstadsolutions" or whatever it's called... then I always get the www.findthefirstwebsiteyouneed.com page...

HIJACKTHIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 7:12:52 PM, on 8/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\msncomm.exe
C:\WINDOWS\sndman.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\dfndrff_12.exe
C:\kybrdff_12.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\msncomm.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Documents and Settings\Anthony\Desktop\hijackthis\HijackThis.exe

R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O2 - BHO: (no name) - {2104a6ff-d7fa-405e-8f27-0a7b95806de6} - C:\WINDOWS\system32\mqssso.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [SoundMano] C:\WINDOWS\sndmano.exe
O4 - HKLM\..\Run: [ImMsn] C:\WINDOWS\msncomm.exe /i
O4 - HKLM\..\Run: [SoundMan] C:\WINDOWS\sndman.exe -i
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_12.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_12.exe
O4 - HKLM\..\Run: [txv4bc2e] RUNDLL32.EXE w05f39ee.dll,n 0034bc2b0000000a05f39ee
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunOnce: [{D7CC80D4-376C-4586-B023-4F35C2CEB28E} Deskbar UNINSTALL] regsvr32 /s /u "C:\Program Files\Deskbar\deskbar.dll"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [custom.exe] "C:\WINPENJR\WIN32\CUSTOM.EXE"
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 2.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: mqssso - C:\WINDOWS\SYSTEM32\mqssso.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

-------------------------------------------------------------------------------------------------------------------------------------------------------

Thanks in advance!

Edited by John12, 21 August 2006 - 06:16 PM.



#2 Jag11


Posted 22 August 2006 - 04:59 AM

Hi and welcome!

I'm Jet Ian, and I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.
Proud member of ASAP and UNITE since 2006.
Everyone wants to go to heaven, but no one wants to die.


#3 Jag11


Posted 22 August 2006 - 05:04 AM

Hello again. :thumbsup:

You may want to print out these instructions or save them as a text document, and use them as a reference. If you have any questions regarding the fix, please ask us before proceeding. Please make sure that you follow these steps in the order I have listed.

=====================================

First, there are a few very important security programs that you are lacking. These programs are essential to prevent you from getting reinfected:
  • Use Anti-Virus Software - It is very important that your computer has anti-virus software running on it. Please download and install one antivirus program from the following list, download the latest signatures, and do a full system scan.
  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. For more info, check this webpage out. Two free ones are available for personal use:
Without these programs, you will be quickly reinfected, and we would just be wasting our time trying to clean your computer.

=====================================



Download ATF Cleaner
  • Save it to your Desktop.
  • Do not run it yet. We will use this later.
Update Ewido Anti-Malware
  • Open Ewido Anti-Spyware.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next, select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
  • Once the update has completed close Ewido.
=====================================

Download Brute Force Uninstaller to your desktop.
  • Right click the file on your Desktop, and choose Extract All.
  • Click Next.
  • In the box to choose where to extract the files to:
  • Click Browse.
  • Click on the + sign next to My Computer
  • Click on Local Disk (C:) or whatever your primary drive is.
  • Click Make New Folder
  • Type in BFU
  • Click Next, and uncheck the Show Extracted Files box and then click Finish.
Download alcanshorty.bfu (right-click on that link and select Save As)
  • Save it in the same folder you made earlier - C:\BFU (Important!)
=====================================

Uninstall Programs
  • Click Start » Run » type: appwiz.cpl » OK
  • Find and remove the following program(s) (if present):

    Deskbar

  • Close Add/Remove Programs window after uninstalling.
=====================================

Please open HijackThis, click Do a system scan only, and then place a checkmark beside each of these entries:

R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O4 - HKLM\..\Run: [SoundMano] C:\WINDOWS\sndmano.exe
O4 - HKLM\..\Run: [ImMsn] C:\WINDOWS\msncomm.exe /i
O4 - HKLM\..\Run: [SoundMan] C:\WINDOWS\sndman.exe -i
O4 - HKLM\..\Run: [txv4bc2e] RUNDLL32.EXE w05f39ee.dll,n 0034bc2b0000000a05f39ee
O4 - HKLM\..\RunOnce: [{D7CC80D4-376C-4586-B023-4F35C2CEB28E} Deskbar UNINSTALL] regsvr32 /s /u "C:\Program Files\Deskbar\deskbar.dll"

After placing all the checkmarks, close all windows (except HJT), and then hit Fix Checked. When it finishes, exit HJT.

=====================================

Show Hidden Files and Folders

Click Start » My Computer » Tools » Folder Options. Select the View tab.
  • Check - Show hidden files and folders
  • Uncheck - Hide file extensions for known types
  • Uncheck - Hide protected operating system files
Click Yes to confirm, then OK to exit.

=====================================

Reboot into Safe Mode
  • Restart your computer.
  • Before the Windows logo appears, tap F8 repeatedly.
  • A menu should appear; select Safe Mode from the menu using your arrow keys and then hit Enter on your keyboard.
  • This will take longer than usual, so just wait.
=====================================

Locate and delete the following file(s), if present:
  • C:\WINDOWS\sndmano.exe
  • C:\WINDOWS\msncomm.exe
  • C:\WINDOWS\sndman.exe
  • C:\WINDOWS\system32\conime.exe

=====================================

Locate and delete the following folder(s), if present:
  • C:\Program Files\Deskbar
=====================================

We need to search for a file. Click Start » Search » For Files and Folders.
Expand Search Options:
  • Check - Advanced Options
  • Check - Search system folders, Search hidden files and folders, and Search Subfolders.
Paste this into the "Search for files and folders" named box:

w05f39ee.dll

If any of these files are found, please delete them.

=====================================

Run ATF Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

=====================================

Run Ewido Anti-Spyware
  • Please close all Windows, Programs or Browsers.
  • Open Ewido.
  • Click on Scanner
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When scan has finished, at bottom of the screen click Apply all Actions.
  • Click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
=====================================

Run Brute Force Uninstaller

Go to Start » My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Beside the white box field, click the folder icon and select alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
=====================================

Restart your computer

=====================================

Download VundoFix.exe
  • Save and Extract it on your Desktop.
Run VundoFix
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying Vundofix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click Scan for Vundo button.
  • Once the scan is complete, right-click inside the listbox (white box) and click Add more files
  • Copy & paste the 2 entries below into the top 2 boxes:
    • C:\WINDOWS\SYSTEM32\mqssso.dll
    • C:\WINDOWS\system32\osssqm.*
  • Click Add Files and click Close Window.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a fresh HiJackThis log.
=====================================



In your next reply, please include these log(s):
  • HijackThis log (new)
  • Ewido
  • Vundofix' log
-- Jet :flowers:

Edited by Jag11, 22 August 2006 - 05:14 AM.

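As an added example (not part of the thread, and not a HijackThis feature), here is a small Python triage script that applies the kind of checks the helper did by hand to the O2/O4/O16/O20 lines quoted in this thread: executables launched from the drive root or the Windows root, RUNDLL32 loading a DLL by bare filename, orphaned "(file missing)" entries, unnamed BHOs in system32, and DPF downloads with no friendly name. The heuristics are assumptions meant to prioritise manual review, not verdicts; the sample lines are copied from the logs posted above.

```python
import re

# Constructed sample: a subset of the HijackThis 1.99.1 lines quoted in this thread,
# chosen so that each section type has both a flagged and a benign entry.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {2104a6ff-d7fa-405e-8f27-0a7b95806de6} - C:\WINDOWS\system32\mqssso.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] C:\WINDOWS\sndman.exe -i
O4 - HKLM\..\Run: [defender] C:\\dfndrff_12.exe
O4 - HKLM\..\Run: [txv4bc2e] RUNDLL32.EXE w05f39ee.dll,n 0034bc2b0000000a05f39ee
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O20 - Winlogon Notify: mqssso - mqssso.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

_LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# An unquoted command may contain spaces ("C:\Program Files\..."), so take the
# shortest prefix ending in an executable extension followed by space, comma or end.
_EXE_RE = re.compile(r"^(\S.*?\.(?:exe|dll|com|bat|scr|pif|cpl))(?=\s|,|$)", re.IGNORECASE)
_RUN_RE = re.compile(r".*: \[[^\]]*\] (.*)$")
_ROOT_RE = re.compile(r"[A-Z]:(\\WINDOWS)?")


def first_path(command):
    """Return the first file path in a Run command (quoted, or unquoted with spaces)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = _EXE_RE.match(command)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def run_target(command):
    """The file that actually executes: the EXE, or the DLL handed to RUNDLL32."""
    exe = first_path(command)
    if exe.upper().endswith("RUNDLL32.EXE"):
        rest = command[command.find(exe) + len(exe):].lstrip('" ')
        return (first_path(rest) if rest else ""), True
    return exe, False


def triage(log_text):
    """Return [(line, [reasons])] for every entry that deserves a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        if "(file missing)" in body:
            reasons.append("orphaned entry: the referenced file no longer exists")
        if section == "O4":
            cmd = _RUN_RE.match(body)
            if cmd:
                target, via_rundll = run_target(cmd.group(1))
                if via_rundll and "\\" not in target:
                    reasons.append("RUNDLL32 loads a DLL by bare filename (no directory)")
                # HijackThis sometimes prints a doubled backslash after the drive letter.
                norm = target.replace("\\\\", "\\").upper()
                parent = norm.rsplit("\\", 1)[0] if "\\" in norm else ""
                if _ROOT_RE.fullmatch(parent):
                    reasons.append("executable placed directly in the drive root or Windows root")
        elif section == "O2":
            if body.startswith("BHO: (no name)") and "\\SYSTEM32\\" in body.upper():
                reasons.append("unnamed BHO loaded from system32")
        elif section == "O16":
            if not re.search(r"\{[0-9A-Fa-f-]+\} \(", body):
                reasons.append("ActiveX download (DPF) with no friendly name")
        if reasons:
            findings.append((raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run against the sample it flags exactly the six entries the helper asked to fix or remove and leaves the vendor entries (Spybot, NVIDIA, QuickTime, InCD, Kaspersky, WgaLogon) alone.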

#4 John12


Posted 23 August 2006 - 04:07 PM

Hi, thanks for the reply... I have gotten to the part where I have to run VundoFix.exe... but after I installed VundoFix I do not know what to do

There are 4 files: killvundo.bat, process.exe, ReadMe.txt, and vundo.reg

Then I don't know where to go from there

Because you told me to Double-click VundoFix.exe to run it.

I did that, then "Put a check next to Run VundoFix as a task."

So I can't find where I do that

thanks again

Edited by John12, 23 August 2006 - 04:07 PM.


#5 Jag11


Posted 24 August 2006 - 04:33 AM

Oops... sorry, my bad. Follow these instead for VundoFix:

Please download VundoFix.exe to your Desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • It will make a log in C:\vundofix.txt, please include that in your next reply.


#6 John12


Posted 24 August 2006 - 05:31 PM

HIJACKTHIS LOG (NEW)

Logfile of HijackThis v1.99.1
Scan saved at 6:28:44 PM, on 8/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Documents and Settings\Anthony\Desktop\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {2104a6ff-d7fa-405e-8f27-0a7b95806de6} - C:\WINDOWS\system32\mqssso.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [custom.exe] "C:\WINPENJR\WIN32\CUSTOM.EXE"
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 2.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: mqssso - mqssso.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

EWIDO SCAN REPORT

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:52:10 PM 8/23/2006

+ Scan result:



C:\temp\180SAInstaller.exe/clientax.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\RECYCLER\NPROTECT\00311905.dll -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\RECYCLER\NPROTECT\00311904.exe -> Adware.Gator : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup (quarantined).
HKU\S-1-5-21-436374069-492894223-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-436374069-492894223-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C2EEB4FA-B6D6-41B9-9CFA-ABA87F862BCB} -> Adware.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\barhelp22.0.dll -> Adware.Iebar : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\iebar22.0.dll -> Adware.Iebar : Cleaned with backup (quarantined).
HKU\S-1-5-21-436374069-492894223-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} -> Adware.LinkMaker : Cleaned with backup (quarantined).
C:\Installer3.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system\UpdInstall.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\warebundlenewer.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\unstall.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\Documents and Settings\Anthony\Local Settings\Temp\ued5amx7i_.exe -> Adware.SAHAgent : Cleaned with backup (quarantined).
C:\WINDOWS\rfvorqn1.exe -> Adware.SAHAgent : Cleaned with backup (quarantined).
C:\WINDOWS\system32\5cfkbv8i.dll -> Adware.Sahat : Cleaned with backup (quarantined).
C:\Program Files\MyEmoticons\VVSNI_S3_MYEM_Inst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Anthony\Local Settings\Temp\wh.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\WINDOWS\prelimhanse.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\Documents and Settings\Anthony\Local Settings\Temp\toolbar.dll -> Adware.WebSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\Anthony\Local Settings\Temp\ustart.exe -> Adware.WinAD : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\VacPro.canada_ver3 -> Dialer.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\VacPro.canada_ver3\Clsid -> Dialer.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\3436342D2D2D.exe -> Downloader.Adload.ej : Cleaned with backup (quarantined).
C:\Documents and Settings\Anthony\Local Settings\Temp\zxinst12.exe -> Downloader.Agent.tq : Cleaned with backup (quarantined).
C:\WINDOWS\ounist.exe -> Downloader.IstBar.er : Cleaned with backup (quarantined).
C:\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\nwnmff_11.exe -> Downloader.VB.aiy : Cleaned with backup (quarantined).
C:\nwnmff_11.exe_tobedeleted -> Downloader.VB.aiy : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Ignored.
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Ignored.
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Ignored.
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Ignored.
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Ignored.
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Ignored.
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Ignored.
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@msnservices.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned.
C:\Documents and Settings\Anita Ip\Cookies\anita ip@starware[2].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\WINDOWS\system32\dll.exe -> Trojan.Agent.hs : Cleaned with backup (quarantined).


::Report end


VUNDOFIX REPORT

VundoFix V6.1.2

Checking Java version...

Java version is 1.4.2.4

Java version is 1.5.0.2

Java version is 1.5.0.4

Scan started at 3:30:51 PM 8/24/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

--------------------------------------------------------------------------------------------------------------------------

Thanks again :thumbsup:

Edited by John12, 24 August 2006 - 05:32 PM.


#7 Jag11


Posted 25 August 2006 - 03:55 AM

Ok let's continue. :thumbsup:

You may want to print out these instructions or save them as a text document, and use them as a reference. If you have any questions regarding the fix, please ask us before proceeding. It is also important that you don't miss a step and perform everything in the right order.

=====================================

Please download VundoFix.exe from http://www.atribune.org/ccount/click.php?id=4 to your desktop.
  • Double-click VundoFix.exe to run it.
  • Right-click inside the listbox (white box) and click Add more files
  • Copy & paste the 2 entries below into the top 2 boxes
    • C:\WINDOWS\system32\mqssso.dll
    • C:\WINDOWS\system32\osssqm.*
  • Click Add Files and Click Close Window
  • Click Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • It will produce a log of its actions at C:\vundofix.txt
=====================================

Please open HijackThis, click Do a system scan only, and then place a checkmark beside each of these entries:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {2104a6ff-d7fa-405e-8f27-0a7b95806de6} - C:\WINDOWS\system32\mqssso.dll (file missing)
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O20 - Winlogon Notify: mqssso - mqssso.dll (file missing)

After placing all the checkmarks, close all windows (except HJT), and then hit Fix Checked. When it finishes, exit HJT.

=====================================

I need you to submit some file(s).
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the File to upload & scan box on the top of the page:

    C:\WINPENJR\WIN32\CUSTOM.EXE

  • Click on the Submit button
  • Please post the results in your next reply.
=====================================

Post the Jotti report and a new HJT log. :flowers:

#8 John12


Posted 25 August 2006 - 05:11 PM

Hi Jet, thanks again for the help

But on the Jotti scan it said "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

I don't know what that means... lol

#9 Jag11


Posted 25 August 2006 - 08:56 PM

Please post a new hjt log. :thumbsup:

#10 John12


Posted 25 August 2006 - 11:12 PM

Logfile of HijackThis v1.99.1
Scan saved at 12:11:47 AM, on 8/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Anthony\Desktop\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [custom.exe] "C:\WINPENJR\WIN32\CUSTOM.EXE"
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 2.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

#11 Jag11

Jag11

  • Members
  • 1,027 posts
  • OFFLINE
  • Location:127.0.0.1
  • Local time:02:55 AM

Posted 25 August 2006 - 11:39 PM

Ok, let's continue. :thumbsup:

Download ATF Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Run an online scan at Panda's ActiveScan
  • Please go here using Internet Explorer.
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open, click the big Check Now button.
    • Enter your Country.
    • Enter your State/Province.
    • Enter your e-mail address and click send.
    • Select either Home User or Company.
    • Click the big Scan Now button.
  • If it wants to install an ActiveX component allow it.
  • It will start downloading the files it requires for the scan.
  • When the download is complete, click on My Computer to start the scan.
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
  • Post the Panda report along with a new Hijackthis log.
-- Jet :flowers:
Proud member of ASAP and UNITE since 2006.
Everyone wants to go to heaven, but no one wants to die.


#12 John12

John12
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:55 PM

Posted 26 August 2006 - 02:56 PM

ACTIVESCAN REPORT

Incident Status Location

Spyware:spyware/marketscore Not disinfected c:\windows\system32\osmim.dll
Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\UWA6P_0001_N91M1807NetInstaller.exe
Adware:adware/clickalchemy Not disinfected c:\windows\inf\alchem.inf
Spyware:spyware/betterinet Not disinfected c:\windows\inf\biini.inf
Adware:adware/ipinsight Not disinfected c:\windows\inf\conscorr.inf
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Anthony\Local Settings\Temporary Internet Files\Ssk.log
Spyware:spyware/virtumonde Not disinfected c:\windows\dpusys.ini
Adware:adware/cydoor Not disinfected c:\windows\cache277
Adware:adware/delfinmedia Not disinfected c:\documents and settings\all users\application data\vidctrl
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/blazefind Not disinfected Windows Registry
Adware:adware/ncase Not disinfected Windows Registry
Adware:adware/cws Not disinfected Windows Registry
Spyware:spyware/bridge Not disinfected Windows Registry
Adware:adware/iebar Not disinfected Windows Registry
Adware:adware/powerstrip Not disinfected Windows Registry
Adware:adware/xplugin Not disinfected Windows Registry
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@dist.belnk[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Anita Ip\Cookies\anita ip@dist.belnk[1].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Anita Ip\Cookies\anita ip@rightmedia[2].txt
Spyware:Cookie/SpywareStormer Not disinfected C:\Documents and Settings\Anita Ip\Cookies\anita ip@spywarestormer[1].txt
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\Anita Ip\Local Settings\Temporary Internet Files\Content.IE5\YTOHKTGX\yahoo.nofast[1].htm
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.bfast.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.go.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.com.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.fortunecity.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.perf.overture.com/]
Adware:Adware/ActiveSearch Not disinfected C:\Documents and Settings\Anthony\Desktop\hijackthis\backups\backup-20060823-000646-741.dll
Dialer:Dialer.GQK Not disinfected C:\Documents and Settings\Anthony\Desktop\hijackthis\backups\backup-20060825-180602-148.inf

--------------------------------------------------------------------------------------------

HIJACKTHIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 3:55:35 PM, on 8/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Anthony\Desktop\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [custom.exe] "C:\WINPENJR\WIN32\CUSTOM.EXE"
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 2.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

#13 Jag11

Jag11

  • Members
  • 1,027 posts
  • OFFLINE
  • Location:127.0.0.1
  • Local time:02:55 AM

Posted 27 August 2006 - 01:51 AM

Ok, next. :thumbsup:

Click Start » Run
Paste this in the box, then press Enter:

regsvr32 /u occache.dll

=====================================

Download Killbox
  • Save it to your Desktop.
  • In the event you already have Killbox, this is a new version that I need you to download.
  • Double-click Killbox.exe to run it.
  • Select Delete on Reboot.
  • Click on the All Files button.
  • Copy the words below (blue) by highlighting all of them and pressing Ctrl + C on your keyboard.

    c:\windows\system32\osmim.dll
    c:\windows\downloaded program files\UWA6P_0001_N91M1807NetInstaller.exe
    c:\windows\inf\alchem.inf
    c:\windows\inf\biini.inf
    c:\windows\inf\conscorr.inf
    C:\Documents and Settings\Anthony\Local Settings\Temporary Internet Files\Ssk.log
    c:\windows\dpusys.ini

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes when prompted to restart your computer. Click OK at any PendingFileRenameOperations prompt.
NOTES :
  • If your computer does not restart automatically, please restart it manually.
  • If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
=====================================

Click Start » Run
Paste this in the box, then press Enter:

regsvr32 occache.dll

=====================================

Locate and delete the following folder(s), if present:
c:\windows\cache277
c:\documents and settings\all users\application data\vidctrl

=====================================

Other than that, your log looks fine now! :flowers: How are things running?

-- Jet
Proud member of ASAP and UNITE since 2006.
Everyone wants to go to heaven, but no one wants to die.
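Jag11's reply above sorts the ActiveScan report from #12 into a Killbox paste list (files), folders to delete by hand, and detections that exist only in the registry; the Python below is an added example (not from this thread, nor from Panda, Killbox or HijackThis) that performs the same sorting over a constructed subset of that report. It assumes report lines have the form `Category:name Status Location`, treats a last path component without a dot as a folder, and treats anything under the HijackThis `backups` folder as an already-quarantined copy rather than a live file.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the ActiveScan report posted in #12,
# including the header line, which the parser must skip.
SAMPLE_REPORT = r"""
Incident Status Location

Spyware:spyware/marketscore Not disinfected c:\windows\system32\osmim.dll
Adware:adware/cydoor Not disinfected c:\windows\cache277
Adware:adware/wupd Not disinfected Windows Registry
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@belnk[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Anthony\Application Data\Mozilla\Firefox\Profiles\i0hronuj.default\cookies.txt[.atdmt.com/]
Adware:Adware/ActiveSearch Not disinfected C:\Documents and Settings\Anthony\Desktop\hijackthis\backups\backup-20060823-000646-741.dll
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Anthony\Local Settings\Temporary Internet Files\Ssk.log
"""

# One incident line: "<Kind>:<name> <status> <location>". The name is matched
# lazily because it can contain a space (e.g. "Cookie/Atlas DMT"), and the
# kind can too ("Potentially unwanted tool"), so it runs up to the first colon.
LINE_RE = re.compile(
    r"^(?P<kind>[^:]+):(?P<name>.+?) "
    r"(?P<status>Not disinfected|Disinfected) "
    r"(?P<location>.+)$"
)


def parse_report(text):
    """Yield (kind, name, status, location) per incident; non-matching lines
    such as the 'Incident Status Location' header are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("name"), m.group("status"), m.group("location")


def classify(name, location):
    """Bucket a detection the way a helper triages it by hand. The backups
    and no-dot-means-folder rules are heuristics assumed for this example."""
    loc = location.lower()
    if name.lower().startswith("cookie/"):
        return "cookies"            # tracking cookies: browser cleanup, not Killbox
    if loc == "windows registry":
        return "registry"           # no file to delete; needs a registry fix
    if "\\hijackthis\\backups\\" in loc:
        return "hijackthis_backups" # copies of items already removed by HijackThis
    last = location.rsplit("\\", 1)[-1]
    return "folders" if "." not in last else "files"


def triage(text):
    """Return {bucket: [(name, location), ...]} for everything still not disinfected."""
    buckets = defaultdict(list)
    for _kind, name, status, location in parse_report(text):
        if status != "Not disinfected":
            continue                # already cleaned; nothing left to do
        buckets[classify(name, location)].append((name, location))
    return dict(buckets)


def killbox_list(text):
    """Newline-joined full paths, the shape Killbox's 'Paste from Clipboard' expects."""
    return "\n".join(loc for _name, loc in triage(text).get("files", []))


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(bucket)
        for name, loc in items:
            print("   ", name, "->", loc)
```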


#14 John12

John12
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:55 PM

Posted 28 August 2006 - 04:01 PM

OK, thank you very much for your help Jet, really appreciate it... my computer is running fine now

I have a question... which of those programs that you told me to use is not too necessary to keep on my computer? like Killbox or ATF Cleaner, etc... could I delete those if my computer doesn't have any more problems?

and another question... which anti-spyware is the best one? like ewido, spybot, hijackthis, or ad-aware, cuz I don't think I really need that many installed... lol

thanks again :thumbsup:

#15 Jag11

Jag11

  • Members
  • 1,027 posts
  • OFFLINE
  • Location:127.0.0.1
  • Local time:02:55 AM

Posted 29 August 2006 - 05:11 AM

OK, thank you very much for your help Jet, really appreciate it... my computer is running fine now

Glad to hear that John. :thumbsup:

I have a question... which of those programs that you told me to use is not too necessary to keep on my computer? like Killbox or ATF Cleaner, etc... could I delete those if my computer doesn't have any more problems?

You can delete all of that if you want to.

and another question... which anti-spyware is the best one? like ewido, spybot, hijackthis, or ad-aware, cuz I don't think I really need that many installed... lol

Actually, there's no all-in-one antispyware. Me, I have ewido, spybot, and ad-aware, but I think I haven't used any of them in the last 5+ months. :flowers:
Proud member of ASAP and UNITE since 2006.
Everyone wants to go to heaven, but no one wants to die.
