Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Uptodateprotection.com


  • This topic is locked This topic is locked
13 replies to this topic

#1 vesa

vesa

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:48 AM

Posted 21 September 2006 - 07:01 AM

i have had the same problem as tmb7774 i tryed to see if i could do the same as you told them but there were differneces so i though i shoukd show you my log file and see if you could help

Logfile of HijackThis v1.99.1
Scan saved at 7:57:52 PM, on 9/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ishost.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\essspk.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ismini.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
H:\itunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\isnotify.exe
C:\WINDOWS\system32\issearch.exe
C:\DOCUME~1\Marto\LOCALS~1\Temp\~nsu.tmp\Au_.exe
C:\WINDOWS\system32\cool.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Marto\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O1 - Hosts: 72.36.156.164 view.atdmt.com
O1 - Hosts: 72.36.156.164 rad.msn.com
O1 - Hosts: 72.36.156.164 themis.geocities.yahoo.com
O1 - Hosts: 72.36.156.164 us.a1.yimg.com
O1 - Hosts: 72.36.156.164 ad.n2434.doubleclick.net
O1 - Hosts: 72.36.156.164 n3349ad.doubleclick.net
O1 - Hosts: 72.36.156.164 altfarm.mediaplex.com
O1 - Hosts: 72.36.156.164 ad.doubleclick.net
O1 - Hosts: 72.36.156.164 z1.adserver.com
O1 - Hosts: 72.36.156.164 ar.atwola.com
O1 - Hosts: 72.36.156.164 ar1.atwola.com
O1 - Hosts: 72.36.156.164 disney.go.com
O1 - Hosts: 72.36.156.164 rcm.amazon.com
O1 - Hosts: 72.36.156.164 familyfun.go.com
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "H:\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{74025C7A-EEAB-44B1-AFEE-424E42954F46}: NameServer = 203.30.19.12 203.30.19.15
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe







thankyou for your time.

BC AdBot (Login to Remove)

 


#2 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 21 September 2006 - 10:27 AM

Hello vesa, and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Please take note of the following:
  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#3 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 22 September 2006 - 01:25 AM

Hello vesa, sorry for the delay in getting back to you.

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible, especially whilst in Safe Mode (you can't use the Internet)

======

Looking over your log, it seems you don't have any evidence of a Firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world.Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from the following link:

-ZoneAlarm - I use this firewall :thumbsup:


If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. Simply put, Windows XP contains a mediocre firewall. This firewall is no replacement for a dedicated software solution.

======

Update Java:
  • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )

    It should have this icon next to it: Posted Image
    Select it and click Remove.
  • The current version can be downloaded from Sun here: http://java.sun.com/javase/downloads/index.jsp Scroll down the page to 'Java Runtime Environment (JRE) 5.0 Update 8' and press the 'Download' button. On the new web page, click the 'Accept License Agreement' button. Then select 'Windows Offline Installation, Multi-language' in the Windows Platform area just below the Accept button.
======

I need to see another HijackThis log, but you need to extract (unzip) HijackThis first. Otherwise the backups made when items are fixed won't be secure. The easiest way to accomplish this is to reinstall and delete any copies of HijackThis.zip you have saved.

Please download the self-extracting version of HijackThis from here:

HijackThis_sfx download

Save HijackThis_sfx to your desktop.

Double-click the file then click the Unzip button. Then close the Self-Extractor window.

Using My Computer/Windows Explorer, navigate to C:\Program Files\HijackThis and double click on HijackThis.exe to run it. If you would like to make a shortcut for your Desktop so it's more easily accessable, right click HijackThis.exe and choose Send To > Desktop (create shortcut).

Please run the extracted HijackThis.exe from now on. Delete any copies of HijackThis.zip that you have saved.

Now, can you please right-click on the hijackthis.exe file and select rename. Call it fluffybunny.exe and press enter.

======

Please download ATF Cleaner by Atribune.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

======
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

======

Please post back with the following (it may take more than one reply):
- New HijackThis log- making sure that HJT is not running from a temporary directory, and remember that it's called fluffybunny.exe.
- SmitfraudFix log

Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#4 vesa

vesa
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:48 AM

Posted 23 September 2006 - 02:41 AM

this is the hjt report

Logfile of HijackThis v1.99.1
Scan saved at 3:35:30 PM, on 9/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\isnotify.exe
C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\notepad.exe
C:\Program Files\HijackThis\fluffybunny.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O1 - Hosts: 72.36.156.164 view.atdmt.com
O1 - Hosts: 72.36.156.164 rad.msn.com
O1 - Hosts: 72.36.156.164 themis.geocities.yahoo.com
O1 - Hosts: 72.36.156.164 us.a1.yimg.com
O1 - Hosts: 72.36.156.164 ad.n2434.doubleclick.net
O1 - Hosts: 72.36.156.164 n3349ad.doubleclick.net
O1 - Hosts: 72.36.156.164 altfarm.mediaplex.com
O1 - Hosts: 72.36.156.164 ad.doubleclick.net
O1 - Hosts: 72.36.156.164 z1.adserver.com
O1 - Hosts: 72.36.156.164 ar.atwola.com
O1 - Hosts: 72.36.156.164 ar1.atwola.com
O1 - Hosts: 72.36.156.164 disney.go.com
O1 - Hosts: 72.36.156.164 rcm.amazon.com
O1 - Hosts: 72.36.156.164 familyfun.go.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {401A0175-9D14-4D60-BDB8-D3E2C879D7BF} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {6CD9FCD7-EF34-43C5-A0C5-A6FDAE2909CB} - C:\WINDOWS\system32\jkhfc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "H:\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll
O20 - Winlogon Notify: wincqt32 - C:\WINDOWS\SYSTEM32\wincqt32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe





and this is the SmitfraudFix log



SmitFraudFix v2.98

Scan done at 15:34:47.14, Sat 09/23/2006
Run from C:\Documents and Settings\Marto\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\ishost.exe FOUND !
C:\WINDOWS\system32\ismini.exe FOUND !
C:\WINDOWS\system32\isnotify.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

C:\Documents and Settings\Marto\Application Data


Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

C:\DOCUME~1\Marto\FAVORI~1

C:\DOCUME~1\Marto\FAVORI~1\Antivirus Test Online.url FOUND !

Desktop

C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url FOUND !

C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" "


pe386-msguard-lzx32


Scanning wininet.dll infection


End




thankyou for your time :]

#5 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 23 September 2006 - 10:18 AM

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

======

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on, in Safe Mode. This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep. Then select Safe Mode from the list.
  • Please post the contents of C:\vundofix.txt in your next reply.
======

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

======

Post back with the following (you may need more than one reply):
- New HijackThis log
- Rapport.txt report
- Vundofix log

Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#6 vesa

vesa
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:48 AM

Posted 25 September 2006 - 11:03 PM

:] my home page has changed back to google, thankyou very much. i think the problem is fixed but here are the logs you asked for. do you know any other free programs i can download that will help prevent future virus and spyware and mabye programs that could remove them?

once again thankyou very much :]]]]]



Logfile of HijackThis v1.99.1
Scan saved at 11:45:32 AM, on 9/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\fluffybunny.exe.exe
C:\WINDOWS\system32\wuauclt.exe

O1 - Hosts: 72.36.156.164 view.atdmt.com
O1 - Hosts: 72.36.156.164 rad.msn.com
O1 - Hosts: 72.36.156.164 themis.geocities.yahoo.com
O1 - Hosts: 72.36.156.164 us.a1.yimg.com
O1 - Hosts: 72.36.156.164 ad.n2434.doubleclick.net
O1 - Hosts: 72.36.156.164 n3349ad.doubleclick.net
O1 - Hosts: 72.36.156.164 altfarm.mediaplex.com
O1 - Hosts: 72.36.156.164 ad.doubleclick.net
O1 - Hosts: 72.36.156.164 z1.adserver.com
O1 - Hosts: 72.36.156.164 ar.atwola.com
O1 - Hosts: 72.36.156.164 ar1.atwola.com
O1 - Hosts: 72.36.156.164 disney.go.com
O1 - Hosts: 72.36.156.164 rcm.amazon.com
O1 - Hosts: 72.36.156.164 familyfun.go.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {401A0175-9D14-4D60-BDB8-D3E2C879D7BF} - (no file)
O2 - BHO: (no name) - {46885C22-637A-4194-BB55-A6AFDB23F038} - C:\WINDOWS\system32\jkhfc.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "H:\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs:
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe






SmitFraudFix v2.98

Scan done at 11:41:27.56, Tue 09/26/2006
Run from C:\Documents and Settings\Marto\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\system32\ishost.exe Deleted
C:\WINDOWS\system32\ismini.exe Deleted
C:\WINDOWS\system32\isnotify.exe Deleted
C:\WINDOWS\system32\issearch.exe Deleted
C:\WINDOWS\system32\ixt?.dll Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url Deleted
C:\DOCUME~1\Marto\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End










VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.4

Java version is 1.5.0.8

Scan started at 10:49:34 AM 9/26/2006

Listing files found while scanning....

C:\WINDOWS\system32\jkhfc.dll
C:\WINDOWS\system32\cfhkj.ini
C:\WINDOWS\system32\cfhkj.bak1
C:\WINDOWS\system32\cfhkj.bak2
C:\WINDOWS\system32\qomllml.dll
C:\WINDOWS\system32\wincqt32.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkhfc.dll
C:\WINDOWS\system32\jkhfc.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\cfhkj.ini
C:\WINDOWS\system32\cfhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\cfhkj.bak1
C:\WINDOWS\system32\cfhkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\cfhkj.bak2
C:\WINDOWS\system32\cfhkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qomllml.dll
C:\WINDOWS\system32\qomllml.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wincqt32.dll
C:\WINDOWS\system32\wincqt32.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.4

Java version is 1.5.0.8

Scan started at 11:26:18 AM 9/26/2006

Listing files found while scanning....

C:\WINDOWS\system32\jkhfc.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkhfc.dll
C:\WINDOWS\system32\jkhfc.dll Has been deleted!

Performing Repairs to the registry.
Done!

#7 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 26 September 2006 - 03:09 PM

Hey vesa, sorry for the delay in getting back to you.

======

i think the problem is fixed but here are the logs you asked for. do you know any other free programs i can download that will help prevent future virus and spyware and mabye programs that could remove them?

Your system is not free from malware yet; there are still some steps we need to do before I can recommend some programs for you to download.

======

Although you have renamed Hijackthis, you did not do this correctly, there are two .exes at the end. To be honest, I am suprised that it has run like this, please can you get rid of one of these so it is just fluffybunny.exe.

======

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O1 - Hosts: 72.36.156.164 view.atdmt.com
O1 - Hosts: 72.36.156.164 rad.msn.com
O1 - Hosts: 72.36.156.164 themis.geocities.yahoo.com
O1 - Hosts: 72.36.156.164 us.a1.yimg.com
O1 - Hosts: 72.36.156.164 ad.n2434.doubleclick.net
O1 - Hosts: 72.36.156.164 n3349ad.doubleclick.net
O1 - Hosts: 72.36.156.164 altfarm.mediaplex.com
O1 - Hosts: 72.36.156.164 ad.doubleclick.net
O1 - Hosts: 72.36.156.164 z1.adserver.com
O1 - Hosts: 72.36.156.164 ar.atwola.com
O1 - Hosts: 72.36.156.164 ar1.atwola.com
O1 - Hosts: 72.36.156.164 disney.go.com
O1 - Hosts: 72.36.156.164 rcm.amazon.com
O1 - Hosts: 72.36.156.164 familyfun.go.com
O2 - BHO: (no name) - {401A0175-9D14-4D60-BDB8-D3E2C879D7BF} - (no file)
O2 - BHO: (no name) - {46885C22-637A-4194-BB55-A6AFDB23F038} - C:\WINDOWS\system32\jkhfc.dll (file missing)
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O20 - AppInit_DLLs:


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

======

Reboot.

======

Go to Start | Control Panel | Add/Remove Programs and look for any other references to Java, apart from the ones I had you update before. I see an entry in your log that suggests you have version 5.04 installed. Please uninstall this and re-install a newer version using the lnik I provided before.

======

Please post back with a new Hijackthis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#8 vesa

vesa
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:48 AM

Posted 27 September 2006 - 06:32 AM

Logfile of HijackThis v1.99.1
Scan saved at 7:25:57 PM, on 9/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\HijackThis\fluffybunny.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe


thanks

daniel

#9 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 27 September 2006 - 08:58 AM

I don't think you posted the whole HijackThis log, it should be much longer than that. Yours cuts off after the 04s, but it should go right up to 023, like it did in your other posts. :thumbsup:
Post back with the full log please,
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#10 vesa

vesa
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:48 AM

Posted 27 September 2006 - 09:08 AM

Logfile of HijackThis v1.99.1
Scan saved at 10:05:25 PM, on 9/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~3\OFFICE11\ois.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\mspaint.exe
C:\Program Files\HijackThis\fluffybunny.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "H:\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{74025C7A-EEAB-44B1-AFEE-424E42954F46}: NameServer = 203.30.19.12 203.30.19.15
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe




hahah sorry

#11 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 27 September 2006 - 11:45 AM

Hey vesa

======

Please download Ewido to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install Ewido by double clicking the installer.
  • Follow the prompts. Make sure that Launch Ewido is checked.
  • On the main screen under Your Computer's security.
  • Click on Change state next to Resident shield. It should now change to inactive.
  • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
  • Wait until you see the Update succesfull message.
    Note: If the Update now option is grayed out, follow the steps below.
  • Click on Update on the toolbar.
  • Under Manual update, click on the Start Update button.
  • Wait until you see the Update succesfull message.
[*]Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
[/list]If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.

======

Please download Hoster from here
Unzip Hoster.zip
Open Hoster.exe
Then click on "Restore Original Hosts"
Close program when complete.

======

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
======

Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Posted Image
  • When done, click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

======

Post back with the Ewido log, and also can you tell me- how are things running?
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#12 vesa

vesa
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:48 AM

Posted 28 September 2006 - 07:25 AM

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:15:17 PM 9/28/2006

+ Scan result:



HKU\S-1-5-21-583907252-746137067-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{052B12F7-86FA-4921-8482-26C42316B522} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-583907252-746137067-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C2EEB4FA-B6D6-41B9-9CFA-ABA87F862BCB} -> Adware.Generic : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9730\anti4[1].exe -> Adware.Virtumionde : Cleaned with backup (quarantined).
C:\VundoFix Backups\qomllml.dll.bad -> Adware.Virtumionde : Cleaned with backup (quarantined).
H:\music\kazaa\bounce nokia java game 2.zip/1.wma -> Downloader.Wimad.d : Cleaned with backup (quarantined).
C:\Program Files\Ahead\Nero BackItUp\NBJ.exe -> Heuristic.Win32.AVKiller : Cleaned with backup (quarantined).
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe -> Heuristic.Win32.AVKiller : Cleaned with backup (quarantined).
C:\Program Files\Grisoft\AVG Free\avgcc.exe -> Heuristic.Win32.AVKiller : Cleaned with backup (quarantined).
C:\Program Files\Grisoft\AVG Free\avgemc.exe -> Heuristic.Win32.AVKiller : Cleaned with backup (quarantined).
C:\Program Files\Lexmark 3100 Series\LXBRKsk.exe -> Heuristic.Win32.AVKiller : Cleaned with backup (quarantined).
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe -> Heuristic.Win32.AVKiller : Cleaned with backup (quarantined).
C:\Program Files\QuickTime\qttask.exe -> Heuristic.Win32.AVKiller : Cleaned with backup (quarantined).
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe -> Heuristic.Win32.AVKiller : Cleaned with backup (quarantined).
C:\WINDOWS\system32\NeroCheck.exe -> Heuristic.Win32.AVKiller : Cleaned with backup (quarantined).
H:\itunes\iTunesHelper.exe -> Heuristic.Win32.AVKiller : Cleaned with backup (quarantined).
C:\Documents and Settings\Marto\Local Settings\Temporary Internet Files\Content.IE5\CDUVCLAF\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Marto\Local Settings\Temporary Internet Files\Content.IE5\CDUVCLAF\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Marto\Local Settings\Temporary Internet Files\Content.IE5\CDUVCLAF\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Marto\Local Settings\Temporary Internet Files\Content.IE5\CDUVCLAF\popup[4].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc1535\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc1535\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc5844.htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc5846.htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc5847.htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9706\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9706\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9707\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9708\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9708\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9708\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9722\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9723\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9726\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9726\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9726\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9726\popup[4].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9726\popup[5].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9726\popup[6].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9726\popup[7].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9726\popup[8].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9727\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9727\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9727\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9728\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9730\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9730\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9730\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9731\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9731\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9732\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9733\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9740\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9740\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9740\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9741\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9741\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9742\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9745\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9745\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9747\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9747\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9747\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9748\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9748\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9748\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9748\popup[4].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9749\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9752\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9752\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9754\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9754\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9755\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9756\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9758\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Marto\Cookies\marto@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Marto\Cookies\marto@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Marto\Cookies\marto@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\Marto\Cookies\marto@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\Marto\Cookies\marto@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Marto\Cookies\marto@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Marto\Cookies\marto@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\Marto\Local Settings\Temporary Internet Files\Content.IE5\4PI7G1IF\bgates[1].exe -> Trojan.Dialer.pz : Cleaned with backup (quarantined).
C:\Documents and Settings\Marto\Local Settings\Temporary Internet Files\Content.IE5\6H8RE9WL\bgates[1].exe -> Trojan.Dialer.pz : Cleaned with backup (quarantined).
C:\Documents and Settings\Marto\Local Settings\Temporary Internet Files\Content.IE5\ST8XUF8H\bgates[1].exe -> Trojan.Dialer.pz : Cleaned with backup (quarantined).
C:\Documents and Settings\Marto\Local Settings\Temporary Internet Files\Content.IE5\UNQFED6V\bgates[1].exe -> Trojan.Dialer.pz : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9725\bgates[1].exe -> Trojan.Dialer.pz : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win100.tmp.exe -> Trojan.Dialer.pz : Cleaned with backup (quarantined).
C:\Documents and Settings\Marto\Local Settings\Temporary Internet Files\Content.IE5\ST8XUF8H\srvmzo[1].exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc7348.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9730\srvjfs[1].exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9731\srvgwt[1].exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9741\srvciy[1].exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9741\srvydq[1].exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cool.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
C:\Documents and Settings\Marto\Local Settings\Temporary Internet Files\Content.IE5\6H8RE9WL\srvgjt[1].exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\Documents and Settings\Marto\Local Settings\Temporary Internet Files\Content.IE5\9AB1DI86\srvzue[1].exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\Documents and Settings\Marto\Local Settings\Temporary Internet Files\Content.IE5\BRT3N10O\srvcyd[1].exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\Documents and Settings\Marto\Local Settings\Temporary Internet Files\Content.IE5\GTYVO92J\srvwpv[1].exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\Documents and Settings\Marto\Local Settings\Temporary Internet Files\Content.IE5\M2FXP7T3\srvjag[1].exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-746137067-839522115-1003\Dc9727\srvggy[1].exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\VundoFix Backups\wincqt32.dll.bad -> Trojan.Small : Cleaned with backup (quarantined).


::Report end




every thing seems to be fine my computer is running like it used to beofore i got the uptodateprotection stuff, im not getting any more pop ups eaither :]

thanks

#13 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 28 September 2006 - 09:42 AM

Hey vesa!

======

You are using Kazaa. This is not technically malware by itself, but it installs its own adware software when installed in order to run properly. KaZaA is a hotbed for virus and malware activity. There are several out there that have been deemed "safe" and adware‑free (although inadvertently downloading adware is still a huge possibility with any file sharing program.). I strongly recommend that you remove it, via Add/Remove Programs. Read this article for Alternatives that will provide some of the same function without the garbage.

======

Please download ATF Cleaner by Atribune.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

======

Your Recycle Bin should have also been emptied by running this program, if not, please empty it manually.

======

Great job in removing all that malware! :thumbsup:

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers..

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are ZoneAlarm, Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
Hopefully this should take care of your problems, good luck!
Thanks and happy computing,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#14 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 06 October 2006 - 03:47 PM

Since this issue appears resolved, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users