
Hijackthis Log: Please Help Diagnose


13 replies to this topic

#1 Tayy

Posted 09 September 2006 - 09:12 AM

Hi

I have a problem since I downloaded an "Advanced System Optimizer 2006 Crack and Serial.exe" file from e-mule. It seems to be some kind of a virus. I keep getting messages (like 20 per minute) from Avast that look like this:

SUSPICIOUS MESSAGE!
There are too many identical e-mails in appointed time
Sender: "Bjoern Bass" <lochtanika@island-finance.com>
Recipient: hampton@runesbike.com
Subject: Re: PHAIcfRMACY

I scanned my system with Avast, Ad-Aware and Spybot but nothing helped. Then I made a scan with HijackThis and this is my log.

Logfile of HijackThis v1.99.1
Scan saved at 15:42:23, on 9.9.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\GAOV\Mysee Alert\Mysee Alert.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [3DMouse] C:\PROGRA~1\3DMouse\3DMouse.EXE
O4 - HKLM\..\Run: [Mysee Alert] "C:\Program Files\GAOV\Mysee Alert\Mysee Alert.exe" -notray
O4 - HKLM\..\Run: [pbmini] "C:\Program Files\pcast\PodcastbarMini\PodcastBarMiniStater.exe" -hide
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKCU\..\Run: [Logitech Desktop Messenger] C:\DOCUME~1\TD\LOCALS~1\Temp\ins1.tmp\LDMClient.exe -ReportOnly
O4 - HKCU\..\Run: [System Mechanic Startup Guard] "C:\Program Files\System Mechanic 5 Professional\StartupGuard.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Raziskovanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.tvkoo.com/update/KooPlayer.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114789454140
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/sl/big/1.1....g/GoogleNav.cab
O16 - DPF: {9BF607E0-4CC1-4099-9A07-362C9E4FB090} (WStarter Control) - http://live.pdbox.co.kr:8057/WStarter.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97BF5243-D3C2-4CF5-A49F-09EFE34859E5}: NameServer = 193.189.160.11,193.189.160.12
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe


Please help...


#2 -David-

Posted 09 September 2006 - 01:26 PM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

Due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately. Disconnect the infected computer from the internet until the computer can be cleaned. From a clean computer, change all your online passwords-- for email, for banks, eBay, forums etc.... Do not change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R3 - URLSearchHook: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O3 - Toolbar: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)
O4 - HKLM\..\Run: [Mysee Alert] "C:\Program Files\GAOV\Mysee Alert\Mysee Alert.exe" -notray
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.tvkoo.com/update/KooPlayer.ocx
O16 - DPF: {9BF607E0-4CC1-4099-9A07-362C9E4FB090} (WStarter Control) - http://live.pdbox.co.kr:8057/WStarter.cab
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system\smss.exe
C:\WINDOWS\system32\nvsvcd.exe


Open 'File' in the Killbox menu on top and choose Paste from clipboard.
You must use the File menu -- pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Open notepad and copy and paste next in it:

sc stop "Windows Log "
sc delete "Windows Log "

Save this as fix.bat
Choose to save as all files.
This is how the batch must look afterwards:
Doubleclick fix.bat and let the program run.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\Program Files\GAOV

Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A notepad will pop-up after it's saved, please copy everything in that Notepad and paste it here.
Also post a new Hijackthis log.

David
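To show the reasoning behind the fix list above in a form that can be run over a whole log, here is an added Python triage script; it is not from this thread or from the HijackThis project. The trusted-domain list, the core-binary list and the sample log excerpt (a constructed subset of the lines quoted in the first post) are assumptions made for the example.

```python
"""Triage helper for HijackThis 1.99.x log lines (added example, not HijackThis code).

Parses O4 (autorun), O23 (service), O16 (DPF/ActiveX) and R3/O2/O3 (orphaned
hook/BHO/toolbar) entries and applies defender-side heuristics that reproduce
the reasoning behind the fixes recommended in the post above.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the log lines from the first post.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [Mysee Alert] "C:\Program Files\GAOV\Mysee Alert\Mysee Alert.exe" -notray
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114789454140
O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.tvkoo.com/update/KooPlayer.ocx
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
R3 - URLSearchHook: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
"""

# Assumption: Windows core binaries that legitimately live only in \WINDOWS\system32.
# A same-named copy anywhere else (e.g. \WINDOWS\system\smss.exe) is an impostor.
CORE_SYSTEM32_BINARIES = {"smss.exe", "winlogon.exe", "services.exe",
                          "lsass.exe", "svchost.exe", "csrss.exe"}

# Assumption: domains the reviewer accepts as sources of ActiveX controls.
TRUSTED_DPF_DOMAINS = ("microsoft.com", "google.com")

O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$')
O16_RE = re.compile(r'^O16 - DPF: \{[0-9A-Fa-f-]+\} (?:\((?P<name>[^)]*)\) )?- (?P<url>\S+)$')


def binary_path(cmd):
    """Strip quotes and arguments from an autorun or service command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r'(.+?\.exe)', cmd, re.I)  # unquoted: binary ends at first .exe
    return m.group(1) if m else cmd.split(' ', 1)[0]


def split_path(path):
    """Return (lower-cased directory, lower-cased basename) of a Windows path."""
    directory, _, basename = path.rpartition('\\')
    return directory.lower(), basename.lower()


def trusted_host(host):
    return any(host == d or host.endswith('.' + d) for d in TRUSTED_DPF_DOMAINS)


def triage(log_text):
    """Return a list of (section, reason, line) for entries worth fixing."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        section = line.split(' ', 1)[0]
        # Orphaned hook/BHO/toolbar: the file is gone, the registry entry is dead weight.
        if section in ('R3', 'O2', 'O3') and line.endswith('(no file)'):
            findings.append((section, 'orphaned entry (no file)', line))
            continue
        m = O4_RE.match(line)
        if m:
            directory, basename = split_path(binary_path(m.group('cmd')))
            if basename in CORE_SYSTEM32_BINARIES and not directory.endswith('\\system32'):
                findings.append((section, f'core binary name {basename} outside system32 (impostor)', line))
            continue
        m = O23_RE.match(line)
        if m:
            directory, basename = split_path(binary_path(m.group('cmd')))
            # Unknown publisher, dropped straight into system32, not a core binary:
            # verify the file before trusting the service.
            if (m.group('owner') == 'Unknown owner' and directory.endswith('\\system32')
                    and basename not in CORE_SYSTEM32_BINARIES):
                findings.append((section, f'service "{m.group("name")}" (unknown owner) runs {basename} from system32', line))
            continue
        m = O16_RE.match(line)
        if m:
            host = urlparse(m.group('url')).hostname or ''
            if not trusted_host(host):
                findings.append((section, f'ActiveX control downloaded from unreviewed host {host}', line))
    return findings


def fix_plan(findings):
    """Group findings into the file list (for delete-on-reboot) and service list (for sc delete)."""
    plan = {'files': [], 'services': []}
    for section, _reason, line in findings:
        if section == 'O4':
            plan['files'].append(binary_path(O4_RE.match(line).group('cmd')))
        elif section == 'O23':
            m = O23_RE.match(line)
            plan['files'].append(binary_path(m.group('cmd')))
            plan['services'].append(m.group('name'))
    return plan


if __name__ == '__main__':
    for section, reason, line in triage(SAMPLE_LOG):
        print(f'[{section}] {reason}\n    {line}')
    print(fix_plan(triage(SAMPLE_LOG)))
```

The resulting plan lists exactly the two files handed to Killbox and the "Windows Log" service removed with sc in the post above; the Mysee Alert entry is deliberately not flagged by these rules, since it is an adware judgement rather than a structural one.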

#3 Tayy

Posted 10 September 2006 - 05:40 AM

Hello, David

Thank you very much for taking your time to help me. I already posted my HijackThis log at http://www.hijackthis.de/ and analyzed it. I made some corrections then and it seems that the problem is now gone. I also did everything you suggested and it's OK now. I just didn't delete the GAOV folder because it's a program for watching TV programs (internet P2P TV) and I think it's from a safe source. Below are the two lists that you suggested I copy/paste in here.

This is my Uninstall Manager list:

##CAMERADRIVERNAME##
a˛ free
AC3Filter (remove only)
Ad-aware 6 Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop 7.0
Adobe Reader 7.0
afreeca Į¦°Ĺ
ATI - Software Uninstall Utility
ATI Control Panel
ATI HydraVision
avast! Antivirus
BetPredictor
BSPlayer
Corel Graphics Suite 11
DC++ (remove only)
Direct Show Ogg Vorbis Filter (remove only)
Disc2Phone
Easy Video Splitter 1.28
eMule
Feidian IPTV
ffdshow (remove only)
FLV Player 1.3.3
Google Toolbar for Internet Explorer
Google Video Player
Gridmedia IPTV Engine
HijackThis 1.99.1
Interactive 3D Characters
iTunes
J2SE Runtime Environment 5.0
ł¬Ľ¶˛Ą°Ō 1.0
ł¬Ľ¶˛Ą°Ō 1.1
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Logitech Desktop Messenger
Logitech Print Service
Logitech QuickCam Software
Macromedia Flash Player 8
Macromedia Shockwave Player
Maxthon Browser (remove only)
MediaKey
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Encarta Reference Suite 2001
Microsoft Office Professional Edition 2003
Microsoft Windows XP Video Decoder Checkup Utility
Mozilla (1.6)
Mozilla Firefox (1.5.0.6)
Mysee WebTV
Nero 6 Ultra Edition
OpenOffice.org 2.0
Pixelfusion WMP Plugin 1.50
Port Detective
PowerDVD
PPLive 1.2.35
ppStream 1.0
QQ Live Player
QQÖ±˛Ą
QuickTime
RealPlayer
RevConnect
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Shareaza version 2.2.1.0
Shockwave
Sony Ericsson PC Suite
SopCast 0.9.9
SoundMAX
Spybot - Search & Destroy 1.3
Subtitle Workshop 2.51
SUPER © Version 2006.19 (FIX)
SweetIM For Internet Explorer 1.0a
Sygate Personal Firewall
Telefonski imenik Slovenije 2004
Telefonski imenik Slovenije 2006
Themexp.org File
TRUST MI-2500X OPTICAL MOUSE
TVAnts 1.0
TVUPlayer 1.5.12
Tweakui Powertoy for Windows XP
Undisker
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
VIA Rhine-Family Fast Ethernet Adapter
VideoLAN VLC media player 0.8.5
WildTangent Multiplayer Library
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinPcap 3.1 beta3
WinRAR archiver
XQDC X-Setup Pro 7.0.300.Final1

This is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:30:55, on 10.9.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Logitech Desktop Messenger] C:\DOCUME~1\TD\LOCALS~1\Temp\ins1.tmp\LDMClient.exe -ReportOnly
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Raziskovanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114789454140
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/sl/big/1.1....g/GoogleNav.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97BF5243-D3C2-4CF5-A49F-09EFE34859E5}: NameServer = 193.189.160.11,193.189.160.12
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

THANKS AGAIN
Tayy

#4 -David-

Posted 10 September 2006 - 09:25 AM

Your Hijackthis log is now looking clean, well done. In future I don't recommend you use hijackthis.de; it is not a very reputable resource and often the results are very vague. Malware like this normally never comes alone and there are probably infected files left on your computer.
Please visit Panda Online to carry out a virus scan.
Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan completes, click the See Report button.
Click Save Report and save the file to your desktop.
Post the contents of the report in your next reply, along with a new Hijackthis log.

#5 Tayy

Posted 10 September 2006 - 09:35 AM

Hello

I tried Panda ActiveScan, but when downloading some ActiveX stuff that is necessary for the scan, Avast found a virus in the file set56.tmp. Downloading was then stopped because I told Avast to delete this file.
I don't know if I should proceed, or did I do the right thing?

Thanks in advance

#6 -David-

Posted 10 September 2006 - 09:37 AM

It should be fine to start panda again from scratch.

#7 Tayy

Posted 10 September 2006 - 10:12 AM

It's not working. It keeps saying that an error occurred during downloading. Maybe I should try another online scanner.

#8 -David-

Posted 10 September 2006 - 10:20 AM

It seems that nearly a third of users I send for a Panda scan experience some kind of error.
I wouldn't worry too much at this point; let's try another online scanner instead.

By the way, the reason I wanted you to delete the GAOV folder is because it contains the program Mysee Alert. MySee Alert is an advertising program of Chinese origin that is installed by PigSearch, another Chinese adware program. According to CounterBelt:

Adware, also known as advertising software, displays third-party advertising on the computer. The ads can take several forms, including pop-ups, pop-unders, banners, or links embedded within web pages or parts of the Windows interface. Some adware advertising might consist of text ads shown within the application itself or within side bars, search bars, and search results. Adware is often contextually or behaviorally based and tracks browsing habits in order to display ads that are meant to be relevant to the user.

I know you said that you used it, but the program is infected and I recommend you remove it.
I cannot force you, but it may be causing a slow-down of your system or popping up adverts.
If you do decide to remove it you can uninstall Mysee WebTV from add remove in the control panel.
Then go and delete the following folder:
C:\Program Files\GAOV

You can read more here:
http://research.sunbelt-software.com/threa...;threatid=45751

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
If you still receive an ActiveX error, let's try and tweak some settings.
Start Internet Explorer.
From the Internet Explorer Tools menu, choose Internet Options.
Click the Security tab, and then click the Internet icon.
Click the Custom Level button and verify the settings as follows:

- Under Download signed ActiveX controls, select Enable.
- Under Download unsigned ActiveX controls, select Prompt.
- Under Initialize and script ActiveX controls not marked as safe, select Prompt.
- Under Run ActiveX controls and plug-ins, select Enable.
- Under Script ActiveX controls marked safe for scripting, select Enable.
- Select Medium (or a lower setting) from the Reset to drop-down list, click Reset, and then click Yes.

Let me know how it goes, and post the appropriate log.
David

#9 Tayy

Posted 10 September 2006 - 12:18 PM

Hello

About GAOV and MySee Alert:
I already uninstalled MySee Alert before. Now I uninstalled MySee WebTv also and deleted GAOV folder in Program Files since I didn't use that program much and I agree that it's better and more secure not to have it.

I did the Kaspersky scan and below is its log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, September 10, 2006 7:16:13 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 10/09/2006
Kaspersky Anti-Virus database records: 222198
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 77859
Number of viruses found: 17
Number of infected objects: 74 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:30:44

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\TD\Application Data\Microsoft\Outlook\Outlook.srs Object is locked skipped
C:\Documents and Settings\TD\Application Data\Microsoft\Predloge\Normal.dot Object is locked skipped
C:\Documents and Settings\TD\Application Data\Mozilla\Firefox\Profiles\zrfi02oc.default\cert8.db Object is locked skipped
C:\Documents and Settings\TD\Application Data\Mozilla\Firefox\Profiles\zrfi02oc.default\googlesafebrowsing.db Object is locked skipped
C:\Documents and Settings\TD\Application Data\Mozilla\Firefox\Profiles\zrfi02oc.default\history.dat Object is locked skipped
C:\Documents and Settings\TD\Application Data\Mozilla\Firefox\Profiles\zrfi02oc.default\key3.db Object is locked skipped
C:\Documents and Settings\TD\Application Data\Mozilla\Firefox\Profiles\zrfi02oc.default\parent.lock Object is locked skipped
C:\Documents and Settings\TD\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\TD\Local Settings\Application Data\Microsoft\Outlook\archive.pst Object is locked skipped
C:\Documents and Settings\TD\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Object is locked skipped
C:\Documents and Settings\TD\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\TD\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\TD\Local Settings\Application Data\Mozilla\Firefox\Profiles\zrfi02oc.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\TD\Local Settings\Application Data\Mozilla\Firefox\Profiles\zrfi02oc.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\TD\Local Settings\Application Data\Mozilla\Firefox\Profiles\zrfi02oc.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\TD\Local Settings\Application Data\Mozilla\Firefox\Profiles\zrfi02oc.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\TD\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\TD\Local Settings\History\History.IE5\MSHist012006091020060911\index.dat Object is locked skipped
C:\Documents and Settings\TD\Local Settings\Temp\12exhdd.8.exe Infected: Trojan-Downloader.Win32.Horst.e skipped
C:\Documents and Settings\TD\Local Settings\Temp\13exhdd.8.exe Infected: Trojan-Downloader.Win32.Horst.e skipped
C:\Documents and Settings\TD\Local Settings\Temp\15exhdd.8.exe Infected: Trojan-Downloader.Win32.Horst.e skipped
C:\Documents and Settings\TD\Local Settings\Temp\1exmodul32c.1.exe Infected: Trojan-Proxy.Win32.Horst.if skipped
C:\Documents and Settings\TD\Local Settings\Temp\2exmodul32c.1.exe Infected: Trojan-Proxy.Win32.Horst.if skipped
C:\Documents and Settings\TD\Local Settings\Temp\34exmodul32c.1.exe Infected: Trojan-Proxy.Win32.Horst.if skipped
C:\Documents and Settings\TD\Local Settings\Temp\36exssd32.5.exe Infected: Trojan-Downloader.Win32.Zlob.ajl skipped
C:\Documents and Settings\TD\Local Settings\Temp\38exhdd.8.exe Infected: Trojan-Downloader.Win32.Horst.e skipped
C:\Documents and Settings\TD\Local Settings\Temp\43exmodul32c.1.exe Infected: Trojan-Proxy.Win32.Horst.if skipped
C:\Documents and Settings\TD\Local Settings\Temp\44exmodul32c.1.exe Infected: Trojan-Proxy.Win32.Horst.if skipped
C:\Documents and Settings\TD\Local Settings\Temp\44exssd32.5.exe Infected: Trojan-Downloader.Win32.Zlob.ajl skipped
C:\Documents and Settings\TD\Local Settings\Temp\48exhdd.8.exe Infected: Trojan-Downloader.Win32.Horst.e skipped
C:\Documents and Settings\TD\Local Settings\Temp\51exssd32.5.exe Infected: Trojan-Downloader.Win32.Zlob.ajl skipped
C:\Documents and Settings\TD\Local Settings\Temp\52exhdd.8.exe Infected: Trojan-Downloader.Win32.Horst.e skipped
C:\Documents and Settings\TD\Local Settings\Temp\55exmodul32c.1.exe Infected: Trojan-Proxy.Win32.Horst.if skipped
C:\Documents and Settings\TD\Local Settings\Temp\61exmodul32c.1.exe Infected: Trojan-Proxy.Win32.Horst.if skipped
C:\Documents and Settings\TD\Local Settings\Temp\77exmodul32c.1.exe Infected: Trojan-Proxy.Win32.Horst.if skipped
C:\Documents and Settings\TD\Local Settings\Temp\84exssd32.5.exe Infected: Trojan-Downloader.Win32.Zlob.ajl skipped
C:\Documents and Settings\TD\Local Settings\Temp\86exssd32.5.exe Infected: Trojan-Downloader.Win32.Zlob.ajl skipped
C:\Documents and Settings\TD\Local Settings\Temp\87exhdd.8.exe Infected: Trojan-Downloader.Win32.Horst.e skipped
C:\Documents and Settings\TD\Local Settings\Temp\94exhdd.8.exe Infected: Trojan-Downloader.Win32.Horst.e skipped
C:\Documents and Settings\TD\Local Settings\Temp\97exssd32.5.exe Infected: Trojan-Downloader.Win32.Zlob.ajl skipped
C:\Documents and Settings\TD\Local Settings\Temp\remove.exe/data0003 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\Documents and Settings\TD\Local Settings\Temp\remove.exe NSIS: infected - 1 skipped
C:\Documents and Settings\TD\Local Settings\Temp\__unin__.exe Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\Documents and Settings\TD\Local Settings\Temp\~DF4179.tmp Object is locked skipped
C:\Documents and Settings\TD\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\TD\ntuser.dat Object is locked skipped
C:\Documents and Settings\TD\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\TD\UserData\index.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Sygate\SPF\debug.log Object is locked skipped
C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
C:\Program Files\themexp\Themexp.org File\TBEZA127Q.exe Infected: not-a-virus:AdWare.Win32.Quick.a skipped
C:\Program Files\TVKoo\tvkoo100306.exe Infected: Trojan-Dropper.Win32.Agent.ams skipped
C:\RECYCLER\NPROTECT\00007735.DLL Infected: not-a-virus:AdWare.Win32.Altnet.f skipped
C:\RECYCLER\NPROTECT\00007781.dll Infected: not-a-virus:AdWare.Win32.Gator.5115 skipped
C:\RECYCLER\NPROTECT\00007783.dll Infected: not-a-virus:AdWare.Win32.Gator.5115 skipped
C:\RECYCLER\NPROTECT\00007785.DLL Infected: not-a-virus:AdWare.Win32.Gator.5115 skipped
C:\RECYCLER\NPROTECT\00007786.dll Infected: not-a-virus:AdWare.Win32.Gator.3124 skipped
C:\RECYCLER\NPROTECT\00007787.dll Infected: not-a-virus:AdWare.Win32.Gator.5115 skipped
C:\RECYCLER\NPROTECT\00007788.DLL Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\RECYCLER\NPROTECT\00007789.dll Infected: not-a-virus:AdWare.Win32.Gator.5115 skipped
C:\RECYCLER\NPROTECT\00007790.dll Infected: not-a-virus:AdWare.Win32.Gator.5115 skipped
C:\RECYCLER\NPROTECT\00007791.dll Infected: not-a-virus:AdWare.Win32.Gator.6051 skipped
C:\RECYCLER\NPROTECT\00007792.DLL Infected: not-a-virus:AdWare.Win32.Gator.5115 skipped
C:\RECYCLER\NPROTECT\00007793.dll Infected: not-a-virus:AdWare.Win32.Gator.5115 skipped
C:\RECYCLER\NPROTECT\00008047.exe Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\RECYCLER\NPROTECT\00008056.dll Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\RECYCLER\NPROTECT\00008058.dll Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\RECYCLER\NPROTECT\00008060.dll Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\RECYCLER\NPROTECT\00008062.DLL Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\RECYCLER\NPROTECT\00008064.dll Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\RECYCLER\NPROTECT\00008066.dll Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\RECYCLER\NPROTECT\00008068.EXE Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\RECYCLER\NPROTECT\00008958.DLL Infected: not-a-virus:AdWare.Win32.Gator.5017 skipped
C:\RECYCLER\NPROTECT\00008959.DLL Infected: not-a-virus:AdWare.Win32.Gator.5017 skipped
C:\RECYCLER\NPROTECT\00008960.DLL Infected: not-a-virus:AdWare.Win32.Gator.5115 skipped
C:\RECYCLER\NPROTECT\00008961.DLL Infected: not-a-virus:AdWare.Win32.Gator.5017 skipped
C:\RECYCLER\NPROTECT\00008964.dll Infected: not-a-virus:AdWare.Win32.Gator.5115 skipped
C:\RECYCLER\NPROTECT\00008966.exe Infected: not-a-virus:AdWare.Win32.Gator.4203 skipped
C:\RECYCLER\NPROTECT\00008968.EXE Infected: not-a-virus:AdWare.Win32.Gator.5115 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{8ABA63F3-4747-49BA-A735-8B0A4493DA09}\RP748\A0146127.exe/data0011 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{8ABA63F3-4747-49BA-A735-8B0A4493DA09}\RP748\A0146127.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{8ABA63F3-4747-49BA-A735-8B0A4493DA09}\RP748\A0146128.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{8ABA63F3-4747-49BA-A735-8B0A4493DA09}\RP748\A0146164.exe/data0011 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{8ABA63F3-4747-49BA-A735-8B0A4493DA09}\RP748\A0146164.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{8ABA63F3-4747-49BA-A735-8B0A4493DA09}\RP756\A0147255.exe Infected: not-a-virus:AdWare.Win32.Quick.a skipped
C:\System Volume Information\_restore{8ABA63F3-4747-49BA-A735-8B0A4493DA09}\RP807\A0156104.exe Infected: Trojan-Proxy.Win32.Horst.hr skipped
C:\System Volume Information\_restore{8ABA63F3-4747-49BA-A735-8B0A4493DA09}\RP807\A0156106.exe Infected: Trojan-Proxy.Win32.Horst.hr skipped
C:\System Volume Information\_restore{8ABA63F3-4747-49BA-A735-8B0A4493DA09}\RP817\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\SAHAgent_.exe Infected: not-a-virus:AdWare.Win32.Sahat.c skipped
C:\WINDOWS\Downloaded Program Files\SahHtml_.exe Infected: not-a-virus:AdWare.Win32.Sahat.c skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Altnet\adm.exe Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\WINDOWS\Temp\Altnet\adm25.dll Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\WINDOWS\Temp\Altnet\adm4.dll Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\WINDOWS\Temp\Altnet\admdata.dll Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\WINDOWS\Temp\Altnet\admdloader.dll Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\WINDOWS\Temp\Altnet\admfdi.dll Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\WINDOWS\Temp\Altnet\admprog.dll Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\WINDOWS\Temp\Altnet\dmfiles.cab/AltnetUninstall.exe Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\WINDOWS\Temp\Altnet\dmfiles.cab CAB: infected - 1 skipped
C:\WINDOWS\Temp\Altnet\Setup.exe Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\WINDOWS\Temp\Perflib_Perfdata_240.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


THANKS AGAIN...

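The report above lists 74 infected objects, but most of its lines are either in-use files the scanner could not open ("Object is locked skipped") or dormant copies sitting in restore points and the Norton Protected Recycle Bin. The script below is an added example for this thread, not code from the original post or from Kaspersky: it parses the line shapes visible in the report, drops the locked-file noise, groups detections by family and by where they sit, and separates live files (the Trojan-Proxy and Trojan-Downloader droppers in Local Settings\Temp, which fit the spam-relay symptom in the first post) from copies that only go away when System Restore is purged. The sample lines are excerpted from the report above; the location categories and the "dormant" rule are this example's own assumptions.

```python
"""Triage a Kaspersky Online Scanner 5 text report (added example, not Kaspersky code).

Assumed line shapes, taken from the report in the post above:
    <object> Infected: <detection> skipped
    <object> Object is locked skipped
    <archive>/<member> Infected: <detection> skipped
    <archive> NSIS: infected - 1 skipped
"""
import re
from collections import Counter

INFECTED_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<obj>.+?) Object is locked skipped$")
ARCHIVE_RE = re.compile(r"^(?P<obj>.+?) (?P<kind>[A-Z0-9]+): infected - (?P<count>\d+) (?P<action>\S+)$")

# Assumption: hits in these places are stored copies nothing launches on its own
# (restore points, Norton Protected Recycle Bin). They still need purging, but
# they are not the running infection.
DORMANT = {"restore_point", "recycler_nprotect"}


def classify_location(path: str) -> str:
    """Bucket a Windows path by how a cleanup would have to treat it."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if "\\recycler\\nprotect\\" in p:
        return "recycler_nprotect"
    if "\\downloaded program files\\" in p:
        return "downloaded_program_files"
    if "\\local settings\\temp\\" in p or "\\windows\\temp\\" in p:
        return "temp"
    if "\\program files\\" in p:
        return "program_files"
    return "other"


def family(detection: str) -> str:
    """Drop the variant suffix: Trojan-Proxy.Win32.Horst.if -> Trojan-Proxy.Win32.Horst."""
    parts = detection.split(".")
    return ".".join(parts[:3]) if len(parts) > 3 else detection


def parse_report(text: str) -> dict:
    findings, locked, containers = [], 0, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if LOCKED_RE.match(line):
            locked += 1       # in-use file the scanner could not open; not a detection
            continue
        if ARCHIVE_RE.match(line):
            containers += 1   # summary for an archive whose infected member was already listed
            continue
        m = INFECTED_RE.match(line)
        if not m:
            continue
        obj, name = m.group("obj"), m.group("name")
        outer = obj.split("/", 1)[0]   # archive member -> the file that is actually on disk
        loc = classify_location(outer)
        findings.append({
            "object": obj, "path": outer, "detection": name, "family": family(name),
            "location": loc, "adware": name.startswith("not-a-virus:"),
            "dormant": loc in DORMANT,
        })
    return {"findings": findings, "locked_skipped": locked, "archive_containers": containers}


def triage(text: str) -> dict:
    parsed = parse_report(text)
    findings = parsed["findings"]
    active = sorted({f["path"] for f in findings if not f["dormant"]})
    return {
        "total": len(findings),
        "locked_skipped": parsed["locked_skipped"],
        "archive_containers": parsed["archive_containers"],
        "by_family": Counter(f["family"] for f in findings),
        "by_location": Counter(f["location"] for f in findings),
        "active_paths": active,                      # files to remove or verify by hand
        "dormant": sum(f["dormant"] for f in findings),
        "restore_points_infected": any(f["location"] == "restore_point" for f in findings),
        # A live Trojan-Proxy matches the symptom in the first post: the box relays spam.
        "active_proxy_trojan": any(
            f["family"].startswith("Trojan-Proxy.") and not f["dormant"] for f in findings),
    }


# Constructed sample: lines excerpted from the report in the post above.
SAMPLE = r"""
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\TD\Local Settings\Temp\12exhdd.8.exe Infected: Trojan-Downloader.Win32.Horst.e skipped
C:\Documents and Settings\TD\Local Settings\Temp\1exmodul32c.1.exe Infected: Trojan-Proxy.Win32.Horst.if skipped
C:\Documents and Settings\TD\Local Settings\Temp\36exssd32.5.exe Infected: Trojan-Downloader.Win32.Zlob.ajl skipped
C:\Documents and Settings\TD\Local Settings\Temp\remove.exe/data0003 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\Documents and Settings\TD\Local Settings\Temp\remove.exe NSIS: infected - 1 skipped
C:\Program Files\TVKoo\tvkoo100306.exe Infected: Trojan-Dropper.Win32.Agent.ams skipped
C:\RECYCLER\NPROTECT\00007781.dll Infected: not-a-virus:AdWare.Win32.Gator.5115 skipped
C:\System Volume Information\_restore{8ABA63F3-4747-49BA-A735-8B0A4493DA09}\RP807\A0156104.exe Infected: Trojan-Proxy.Win32.Horst.hr skipped
C:\WINDOWS\Downloaded Program Files\SAHAgent_.exe Infected: not-a-virus:AdWare.Win32.Sahat.c skipped
C:\WINDOWS\Temp\Altnet\dmfiles.cab/AltnetUninstall.exe Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\WINDOWS\Temp\Altnet\dmfiles.cab CAB: infected - 1 skipped
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    for key in ("total", "dormant", "restore_points_infected", "active_proxy_trojan"):
        print(f"{key}: {result[key]}")
    for path in result["active_paths"]:
        print("remove/verify:", path)
```

Run it as-is to see the breakdown for the sample, or replace SAMPLE with a whole saved report. The active_paths list is the set of files to deal with by hand, which is what the reply below does for the TVKoo folder, the two SAH* files under Downloaded Program Files and the Altnet folder, and restore_points_infected is the reason that reply also turns System Restore off: the scanner cannot touch anything under System Volume Information, so those copies survive every other cleanup step.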
#10 -David- (Members, 10,603 posts, London)

Posted 10 September 2006 - 02:14 PM

Hey Tayy.

Go to start > run and type: regsvr32 /u occache.dll
(or copy and paste this in the field in start > run )
Click Ok

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\Program Files\TVKoo
C:\WINDOWS\Downloaded Program Files\SAHAgent_.exe
C:\WINDOWS\Downloaded Program Files\SahHtml_.exe
C:\WINDOWS\Temp\Altnet

Go to start > run and type regsvr32 occache.dll

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer .
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° When prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click OK.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

We need to purge your infected system restore points.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Now, we want to create a new, clean restore point.
Please first reboot your computer.
Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point - Something like "After trojan/spyware cleanup".
Click Create and you're done.

Reboot and post a final Hijackthis log.
Also let me know how the PC is running.

#11 Tayy (Topic Starter, Members, 19 posts)

Posted 12 September 2006 - 10:58 AM

Hello David

I've been very busy for last couple of days. I hope I'm still on your list.

I think you're one of the kindest people I've met on the internet. Sorry, but I can't donate any money now since I'm just a student and I don't have my own money or a credit card yet. But I'll recommend you and this site to all my friends and I hope you'll benefit from helping me in the future.

Back to the problem now. Maybe it just seems so to me, but I really think that my computer is running faster than before. All applications are opening quickly and everything from the mouse pointer to drop-down menus is faster and smoother. I would really like to know what caused these problems besides that file I downloaded from e-mule.

I have one more question for you. What programs should I have to protect the security and stability of my system? Now I have Avast, Sygate Personal Firewall, Ad-Aware and Spybot. Maybe I should run Ad-Aware and Spybot more frequently? Or should I have a few more programs?

Thanks again.



My HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 17:38:52, on 12.9.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Logitech Desktop Messenger] C:\DOCUME~1\TD\LOCALS~1\Temp\ins1.tmp\LDMClient.exe -ReportOnly
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Raziskovanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114789454140
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/sl/big/1.1....g/GoogleNav.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97BF5243-D3C2-4CF5-A49F-09EFE34859E5}: NameServer = 193.189.160.11,193.189.160.12
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

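The log above is what the next reply works from. As an added example, not part of the original post or of HijackThis itself, the script below encodes the checks a helper applies by eye to such a log: entries whose target is reported as (no file) or (file missing), autostart entries that point into a temp directory, and O17 NameServer overrides. The sample lines are copied from the log above; the section list, the reason codes and the rule that services are never marked as fixable are this example's own assumptions.

```python
"""Flag HijackThis 1.99.1 log entries that deserve a second look (added example, not HijackThis code)."""
import re

# "O4 - HKCU\..\Run: [name] path": a section tag, " - ", then the entry body
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Reason codes used by this example (assumption: not HijackThis terminology)
REASONS = {
    "orphan": "target reported as (no file)/(file missing); the entry is a dangling reference",
    "temp_autostart": "autostart points into a temp directory, where installers and droppers land",
    "dns_override": "O17 NameServer set in the registry; confirm the addresses belong to the ISP",
}
# Sections that launch or load code at startup or in the browser
AUTOSTART_SECTIONS = {"O2", "O3", "O4", "O20", "O21", "O23"}
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")


def triage_hijackthis(log: str) -> list:
    """Return one finding per suspicious entry: section, the raw entry and its reason codes."""
    findings = []
    for raw in log.splitlines():
        entry = raw.strip()
        m = LINE_RE.match(entry)
        if not m:
            continue                       # header, process list, blank line
        sec, low = m.group("sec"), m.group("body").lower()
        codes = []
        if "(no file)" in low or "(file missing)" in low:
            codes.append("orphan")
        if sec in AUTOSTART_SECTIONS and any(t in low for t in TEMP_MARKERS):
            codes.append("temp_autostart")
        if sec == "O17" and "nameserver" in low:
            codes.append("dns_override")
        if codes:
            findings.append({"section": sec, "entry": entry, "codes": codes})
    return findings


def fixable(findings: list) -> list:
    """Entries HijackThis can 'fix' with little risk: the target is already gone.

    O23 services are excluded on purpose: removing a service entry on the strength
    of a log line is not safe until the binary has been checked on disk.
    """
    return [f["entry"] for f in findings
            if f["codes"] == ["orphan"] and f["section"] != "O23"]


# Constructed sample: entries copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Logitech Desktop Messenger] C:\DOCUME~1\TD\LOCALS~1\Temp\ins1.tmp\LDMClient.exe -ReportOnly
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{97BF5243-D3C2-4CF5-A49F-09EFE34859E5}: NameServer = 193.189.160.11,193.189.160.12
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

if __name__ == "__main__":
    found = triage_hijackthis(SAMPLE_LOG)
    for f in found:
        print(f["section"], "|", ", ".join(REASONS[c] for c in f["codes"]))
        print("   ", f["entry"])
    print("safe to fix:", len(fixable(found)))
```

The R3 URLSearchHook with (no file) is exactly the kind of entry the reply below says to fix. The two O23 services marked (file missing) both carry a stray quote mark in the path (ashMaiSv.exe" /service), which looks like the log tool splitting a quoted service command line rather than a binary that is really absent, so they are reported but not listed as fixable; confirm the file exists before touching a service. The O17 line is only a prompt to compare the two addresses against the ISP's DNS servers, and the O4 entry launching LDMClient.exe from a Temp\ins1.tmp folder is worth checking even though the vendor name looks legitimate.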
#12 -David- (Members, 10,603 posts, London)

Posted 12 September 2006 - 11:01 AM

Hey there,

In relation to which programs you need to run, I recommend you run your scanners once every week. That should be sufficient. The amount of protection depends on what you want to download, and below is a list of essential programs that I would recommend you use.

Where your infection came from could be a dodgy site that dropped a few nasties onto your PC.
Beware that quite a lot of innocent looking websites are actually infected, you perhaps need to tune your surfing.

First fix this entry in the same way you have done before:
R3 - URLSearchHook: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)

Then, Click on start, then control panel, and then double-click on add/remove programs.
Search in the list for all older installed versions of Java (J2SE Runtime Environment...).
It should have the Java icon next to it.
Highlight each and click Remove.
Then Download and install the newest version from here:
http://www.java.com/en/download/manual.jsp

Glad I could help! :thumbsup:
The latest log is looking clean!
Follow this list and your potential for being infected again will be reduced dramatically.

Use an Anti Virus Software -
* It is very important that your computer has an anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online and stand-alone anti-virus programs:
* Click here for more information on -> Computer Safety On line - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti Virus Software - It is imperative that you update your anti-virus software at least once a week (even more often if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall -
* I cannot stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety On line - Software Firewalls
* I would recommend ZoneAlarm as a firewall as it's easy to use.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer has always the latest security updates available installed on your computer.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly.

Install Spybot© - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option.
* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
* You should also scan your computer with the program on a regular basis just as you would with anti-virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Lavasoft's© Ad-Aware - Download and install Ad-Aware.
* You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with anti-virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Javacools© SpywareBlaster -
* SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings that will protect you from running and downloading known malicious programs.
* An article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

If you have any addition questions just ask...
David

#13 Tayy (Topic Starter, Members, 19 posts)

Posted 16 September 2006 - 09:07 AM

Hello David

I've been busy again for a few days.

My computer is OK now. Thanks a lot for your help. :thumbsup:

#14 -David- (Members, 10,603 posts, London)

Posted 16 September 2006 - 11:51 AM

You're welcome!

Since this issue appears resolved, this Topic is now closed.

If you need this topic reopened, please request this by sending me
a PM with the address of the thread using the link here. This applies only to the original topic starter.

Everyone else please begin a New Topic.
